Ensuring all XML input processing is safe - disable DTD and external …

…entities

client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java

@@ -32,10 +32,15 @@
 
 public final class ReconciliationReportParser {
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
 
     public static ReconciliationReport parse(final Date run, final InputStream in) throws XMLStreamException {
-        XMLStreamReader streamReader = INPUT_FACTORY.createXMLStreamReader(in);
+        XMLStreamReader streamReader = XML_INPUT_FACTORY.createXMLStreamReader(in);
         streamReader.nextTag(); // root
         streamReader.nextTag(); // report
         streamReader.nextTag(); // reportlet

ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java

@@ -41,6 +41,13 @@ public final class FlowableDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition) {
 
@@ -58,7 +65,7 @@ public static void deployModel(final ProcessEngine engine, final ProcessDefiniti
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();

ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java

@@ -18,16 +18,14 @@
  */
 package org.apache.syncope.core.flowable.support;
 
-import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import javax.sql.DataSource;
 import org.apache.commons.lang3.StringUtils;
 import org.flowable.engine.ProcessEngine;
 import org.flowable.common.engine.impl.cfg.SpringBeanFactoryProxyMap;
 import org.flowable.common.engine.impl.interceptor.EngineConfigurationConstants;
-import org.flowable.engine.form.AbstractFormType;
 import org.flowable.engine.impl.util.EngineServiceUtil;
 import org.flowable.idm.spring.SpringIdmEngineConfiguration;
 import org.flowable.spring.SpringExpressionManager;
@@ -84,9 +82,8 @@ public DomainProcessEngine getObject() throws Exception {
                                 EngineConfigurationConstants.KEY_IDM_ENGINE_CONFIG,
                                 ctx.getBean(SpringIdmEngineConfiguration.class));
                     }
-                    List<AbstractFormType> customFormTypes = new ArrayList<>();
-                    customFormTypes.add(new DropdownFormType(null));
-                    conf.setCustomFormTypes(customFormTypes);
+                    conf.setEnableSafeBpmnXml(true);
+                    conf.setCustomFormTypes(Arrays.asList(new DropdownFormType(null)));
 
                     engines.put(domain, conf.buildProcessEngine());
                 }