From 5d072f440338345195c8c9786750292df9c62ad9 Mon Sep 17 00:00:00 2001
From: Hugi Thordarson
Date: Wed, 9 Dec 2020 13:54:25 +0000
Subject: [PATCH] Close XXE vulnerability in ERRest's XML parser

---
 .../ERRest/Sources/er/rest/format/ERXXmlRestParser.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Frameworks/EOF/ERRest/Sources/er/rest/format/ERXXmlRestParser.java b/Frameworks/EOF/ERRest/Sources/er/rest/format/ERXXmlRestParser.java
index b2bd4e3d035..ce531351efb 100644
--- a/Frameworks/EOF/ERRest/Sources/er/rest/format/ERXXmlRestParser.java
+++ b/Frameworks/EOF/ERRest/Sources/er/rest/format/ERXXmlRestParser.java
@@ -132,7 +132,14 @@ public ERXRestRequestNode parseRestRequest(IERXRestRequest request, ERXRestForma
 Document document;
 try {
- document = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(new StringReader(contentString)));
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setExpandEntityReferences(false);
+ dbf.setXIncludeAware(false);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ document = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(contentString)));
 document.normalize();
 Element rootElement = document.getDocumentElement();
 rootRequestNode = createRequestNodeForElement(rootElement, true, delegate, context);
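Review bot: The hardened factory carries no comment explaining that `disallow-doctype-decl` makes any request body containing a `<!DOCTYPE>` fail with a SAXParseException, which is a client-visible behaviour change on top of the XXE fix; a line such as `// Reject DOCTYPE outright: closes XXE and entity-expansion payloads; clients must send DOCTYPE-free XML` above the setFeature calls would record that intent for the next maintainer. The feature URIs are Xerces-specific, so on a JAXP implementation that does not recognise them `setFeature` throws ParserConfigurationException and the request fails closed — presumably handled by the existing catch for `newDocumentBuilder()`, which lies outside the hunk. As a portable second layer that applies even where an implementation still accepts a DOCTYPE, consider adding `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` alongside the other features, and a unit test that submits a DOCTYPE-bearing payload and asserts it is rejected. The enclosing parseRestRequest method starts and ends outside the hunk.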