public PomFile(InputStream is) throws ParserConfigurationException, SAXException, IOException {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
- // documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- // documentBuilderFactory.setFeature(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
- // documentBuilderFactory.setFeature(XMLInputFactory.SUPPORT_DTD, false);
-
+ // Remediate XML external entity vulnerabilty - prohibit the use of all protocols by external entities:
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
this.xmlDoc = documentBuilder.parse(is);
}
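Review bot: The comment on the added line misdescribes what the feature does — `disallow-doctype-decl` makes the parser reject any document that contains a DOCTYPE declaration at all (so external entities, internal entity expansion and external DTDs are never reached), which is the recommended XXE hardening for documents that should never carry a DTD, but it is not "prohibit the use of all protocols by external entities" (that wording describes setting the `javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` attributes to `""`). Suggested replacement: `// Mitigate XXE: reject any DOCTYPE declaration so external entities and DTDs are never processed (a POM with a DOCTYPE now fails to parse).` — this also fixes the typo "vulnerabilty". For defense in depth, a second line `documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` next to it costs nothing, and `documentBuilderFactory.setXIncludeAware(false);` plus `setExpandEntityReferences(false)` close the remaining inclusion paths should a non-Xerces parser that ignores the Apache feature URI be on the classpath (the feature name is Xerces-specific and other implementations may throw `ParserConfigurationException`, which the signature already declares). The removed commented-out lines were dead code in any case: `XMLInputFactory.*` properties are StAX settings and would not have applied to a `DocumentBuilderFactory`.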