From d657e8ade2d47f48fd929d659fbc812db6795a48 Mon Sep 17 00:00:00 2001
From: JAck
Date: Wed, 6 Nov 2024 20:41:24 +0800
Subject: [PATCH] Set FEATURE_SECURE_PROCESSING for DocumentBuilderFactory to remediate XXE vulnerabilities

---
 .../main/java/org/atmosphere/util/AtmosphereConfigReader.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/cpr/src/main/java/org/atmosphere/util/AtmosphereConfigReader.java b/modules/cpr/src/main/java/org/atmosphere/util/AtmosphereConfigReader.java
index 9f5fce18d3..431c24bd83 100644
--- a/modules/cpr/src/main/java/org/atmosphere/util/AtmosphereConfigReader.java
+++ b/modules/cpr/src/main/java/org/atmosphere/util/AtmosphereConfigReader.java
@@ -29,6 +29,7 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import java.io.FileNotFoundException;
@@ -54,6 +55,7 @@ public AtmosphereConfig parse(AtmosphereConfig config, String filename) throws F
 
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 try {
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 return parse(config, factory.newDocumentBuilder().parse(filename));
 } catch (SAXException | IOException | ParserConfigurationException e) {
 logger.error(e.getMessage(), e);
@@ -66,6 +68,7 @@ public AtmosphereConfig parse(AtmosphereConfig config, InputStream stream) throw
 
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 try {
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 return parse(config, factory.newDocumentBuilder().parse(stream)); 
 } catch (SAXException | IOException | ParserConfigurationException e) {
 logger.error(e.getMessage(), e);
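Review bot: FEATURE_SECURE_PROCESSING on its own is not a complete XXE remediation, because what it disables depends on the parser that `DocumentBuilderFactory.newInstance()` resolves at runtime: the JDK's built-in parser denies external DTD/schema access when the feature is set explicitly, but a standalone Apache Xerces on the classpath only applies entity-expansion limits under this feature and still resolves external entities. The added line in the `parse(config, String filename)` hunk, and the identical line in the `parse(config, InputStream stream)` hunk, should be accompanied by `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` plus `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);`, which are honored by both implementations and reject a DOCTYPE outright (the config file format does not appear to need one, but that is inferred and worth confirming). Since the same hardening is now duplicated in two overloads, a private helper that builds and configures the factory once would keep the two call sites from drifting. Both `parse` method bodies continue past the end of their hunks.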