From 4cab56645975c1ebcd3be19cdbfae18ff6fdc36f Mon Sep 17 00:00:00 2001 From: Arun Venmany Date: Thu, 26 Sep 2024 10:36:23 +0530 Subject: [PATCH 1/3] contrast security issue fixes Signed-off-by: Arun Venmany --- .../common/arquillian/util/HttpPortUtil.java | 30 ++++++++-------- .../plugins/config/ServerConfigDocument.java | 19 +++++++--- .../common/plugins/config/XmlDocument.java | 33 +++++++++++++---- .../tools/common/plugins/util/DevUtil.java | 12 +++++-- .../plugins/util/PrepareFeatureUtil.java | 36 +++++++++++++++---- .../plugins/util/ServerFeatureUtil.java | 10 +++++- 6 files changed, 106 insertions(+), 34 deletions(-) diff --git a/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java b/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java index 375f9cd0..984b1fec 100644 --- a/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java +++ b/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java @@ -27,6 +27,7 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; 
@@ -46,15 +47,22 @@ public class HttpPortUtil { public static final int DEFAULT_PORT = 9080; private static final XPath XPATH = XPathFactory.newInstance().newXPath(); - private static final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - private static boolean factoryInitialized = false; + private static DocumentBuilderFactory factory ; - public static void initDocumentBuilderFactory() throws ParserConfigurationException { - if (!factoryInitialized) { + public static DocumentBuilderFactory getBuilderFactory() throws ParserConfigurationException { + if (factory == null) { + factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + factory.setFeature("http://xml.org/sax/features/external-general-entities", false); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + factory.setXIncludeAware(false); + factory.setExpandEntityReferences(false); } + return factory; } public static Integer getHttpPort(File serverXML, File bootstrapProperties) 
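Review bot: In `getBuilderFactory()` the static field is assigned before it is hardened (`factory = DocumentBuilderFactory.newInstance();` is the first statement inside the `if`), so if any `setFeature` call throws `ParserConfigurationException` the field stays non-null. The next caller then skips the `if (factory == null)` block and receives a factory that lacks the remaining XXE protections. Configure a local and publish it last: `DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();` … `factory = f;`. The lazy initialisation is also unsynchronized and `DocumentBuilderFactory` implementations are not guaranteed to be thread-safe, so either mark the method `synchronized` or return a newly hardened factory on each call.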
@@ -89,8 +97,8 @@ public static Integer getHttpPort(File serverXML, File bootstrapProperties, File protected static Integer getHttpPortForServerXML(String serverXML, Properties bootstrapProperties, String configVariableXML) throws ParserConfigurationException, SAXException, IOException, XPathExpressionException, ArquillianConfigurationException { - initDocumentBuilderFactory(); - DocumentBuilder builder = factory.newDocumentBuilder(); + + DocumentBuilder builder = getBuilderFactory().newDocumentBuilder(); Document doc = builder.parse(new ByteArrayInputStream(serverXML.getBytes())); XPathExpression httpEndpointExpr = XPATH.compile("/server/httpEndpoint"); @@ -140,13 +148,7 @@ private static String getHttpPortFromConfigVariableXML(String configVariableXML, return null; } - // get input XML Document - DocumentBuilderFactory inputBuilderFactory = DocumentBuilderFactory.newInstance(); - inputBuilderFactory.setIgnoringComments(true); - inputBuilderFactory.setCoalescing(true); - inputBuilderFactory.setIgnoringElementContentWhitespace(true); - inputBuilderFactory.setValidating(false); - DocumentBuilder inputBuilder = inputBuilderFactory.newDocumentBuilder(); + DocumentBuilder inputBuilder = getBuilderFactory().newDocumentBuilder(); Document inputDoc = inputBuilder.parse(new ByteArrayInputStream(configVariableXML.getBytes())); // parse input XML Document diff --git a/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java b/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java index 1a1a2e4d..f08edf87 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java +++ b/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java 
@@ -30,6 +30,7 @@ import java.util.Map; import java.util.Properties; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -71,6 +72,7 @@ public class ServerConfigDocument { private static final XPathExpression XPATH_SERVER_ENTERPRISE_APPLICATION; private static final XPathExpression XPATH_SERVER_INCLUDE; private static final XPathExpression XPATH_SERVER_VARIABLE; + private static final XPathExpression XPATH_ALL_SERVER_APPLICATIONS; static { try { @@ -80,6 +82,7 @@ public class ServerConfigDocument { XPATH_SERVER_ENTERPRISE_APPLICATION = xPath.compile("/server/enterpriseApplication"); XPATH_SERVER_INCLUDE = xPath.compile("/server/include"); XPATH_SERVER_VARIABLE = xPath.compile("/server/variable"); + XPATH_ALL_SERVER_APPLICATIONS = xPath.compile("/server/application | /server/webApplication | /server/enterpriseApplication"); } catch (XPathExpressionException ex) { // These XPath expressions should all compile statically. // Compilation failures mean the expressions are not syntactically 
@@ -141,7 +144,14 @@ private DocumentBuilder getDocumentBuilder() { docBuilderFactory.setValidating(false); try { docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + docBuilderFactory.setXIncludeAware(false); + docBuilderFactory.setNamespaceAware(true); + docBuilderFactory.setExpandEntityReferences(false); docBuilder = docBuilderFactory.newDocumentBuilder(); } catch (ParserConfigurationException e) { // fail catastrophically if we can't create a document builder @@ -229,7 +239,7 @@ private void initializeAppsLocation(CommonLoggerI log, File serverXML, File conf parseApplication(doc, XPATH_SERVER_APPLICATION); parseApplication(doc, XPATH_SERVER_WEB_APPLICATION); parseApplication(doc, XPATH_SERVER_ENTERPRISE_APPLICATION); - parseNames(doc, "/server/application | /server/webApplication | /server/enterpriseApplication"); + parseNames(doc, XPATH_ALL_SERVER_APPLICATIONS); parseInclude(doc); parseConfigDropinsDir(); 
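Review bot: The hardening sequence added to `getDocumentBuilder()` here is pasted again in `XmlDocument.createDocument`, `DevUtil.getOmitFilesList`, `PrepareFeatureUtil.getDocumentBuilder` and `ServerFeatureUtil.getServerXmlFeatures`, and `HttpPortUtil.getBuilderFactory` carries a further variant, so a later fix to one copy can easily miss the others. A single shared static helper that returns a hardened `DocumentBuilderFactory` would keep the XXE settings in one place. It is also worth a comment next to `disallow-doctype-decl`, along the lines of `// any DOCTYPE now fails the parse with a SAXException, including in user-supplied server.xml`, because that is a behaviour change for existing configuration files. `getDocumentBuilder()` starts and ends outside this hunk.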
@@ -239,10 +249,9 @@ private void initializeAppsLocation(CommonLoggerI log, File serverXML, File conf } //Checks for application names in the document. Will add locations without names to a Set - private void parseNames(Document doc, String expression) throws XPathExpressionException, IOException, SAXException { + private void parseNames(Document doc, XPathExpression expression) throws XPathExpressionException, IOException, SAXException { // parse input document - XPath xPath = XPathFactory.newInstance().newXPath(); - NodeList nodeList = (NodeList) xPath.compile(expression).evaluate(doc, XPathConstants.NODESET); + NodeList nodeList = (NodeList) expression.evaluate(doc, XPathConstants.NODESET); for (int i = 0; i < nodeList.getLength(); i++) { if (nodeList.item(i).getAttributes().getNamedItem("name") != null) { diff --git a/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java b/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java index f0f45443..bf69861f 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java +++ b/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java @@ -18,14 +18,18 @@ import java.io.File; import java.io.FileOutputStream; import java.io.IOException; +import java.io.OutputStream; +import java.io.OutputStreamWriter; import java.nio.charset.StandardCharsets; import java.nio.file.Files; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.OutputKeys; import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; import javax.xml.transform.dom.DOMSource; 
@@ -55,9 +59,16 @@ public void createDocument(File xmlFile) throws ParserConfigurationException, SA builderFactory.setCoalescing(true); builderFactory.setIgnoringElementContentWhitespace(true); builderFactory.setValidating(false); - builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - DocumentBuilder builder = builderFactory.newDocumentBuilder(); + builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); + builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + builderFactory.setXIncludeAware(false); + builderFactory.setNamespaceAware(true); + builderFactory.setExpandEntityReferences(false); + DocumentBuilder builder = builderFactory.newDocumentBuilder(); doc = builder.parse(xmlFile); } 
@@ -70,12 +81,12 @@ public void writeXMLDocument(File f) throws IOException, TransformerException { if (!f.getParentFile().exists()) { f.getParentFile().mkdirs(); } - FileOutputStream outFile = new FileOutputStream(f); + OutputStream outFile = Files.newOutputStream(f.toPath()); DOMSource source = new DOMSource(doc); - StreamResult result = new StreamResult(outFile); + StreamResult result = new StreamResult(new OutputStreamWriter(outFile, StandardCharsets.UTF_8)); - TransformerFactory transformerFactory = TransformerFactory.newInstance(); + TransformerFactory transformerFactory = getTransformerFactory(); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no"); transformer.setOutputProperty(OutputKeys.DOCTYPE_PUBLIC, "yes"); @@ -109,4 +120,14 @@ public static void addNewlineBeforeFirstElement(File f) throws IOException { xmlContents = xmlContents.replace("?><", "?>"+System.getProperty("line.separator")+"<"); Files.write(f.toPath(), xmlContents.getBytes()); } + + private static TransformerFactory getTransformerFactory() throws TransformerConfigurationException { + TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); + // XMLConstants.ACCESS_EXTERNAL_DTD uses an empty string to deny all access to external references; + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + // XMLConstants.ACCESS_EXTERNAL_STYLESHEET uses an empty string to deny all access to external references; + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + return transformerFactory; + } } diff --git a/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java b/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java index 059d4ebf..a592bb19 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java 
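Review bot: In `writeXMLDocument`, `outFile` and the `OutputStreamWriter` wrapped around it are opened without try-with-resources, so an exception from `newTransformer()` or from the transform leaves the file handle open. If the code past the hunk closes only `outFile`, characters still buffered in the writer could also be lost. Suggest `try (OutputStreamWriter w = new OutputStreamWriter(Files.newOutputStream(f.toPath()), StandardCharsets.UTF_8)) { … }` and passing `w` to `StreamResult`. The method body continues outside the hunk, so any existing close call is not visible here.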
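Review bot: In `getTransformerFactory()`, the two `setAttribute` calls for `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` throw `IllegalArgumentException` when `TransformerFactory.newInstance()` resolves to an implementation that does not recognise the JAXP 1.5 properties (an older Xalan jar on the plugin classpath is the usual case), and the method declares only `TransformerConfigurationException`. Since the classpath of the build that runs this code is not controlled here, consider catching `IllegalArgumentException` around those two calls and reporting that the property is unsupported, while keeping `FEATURE_SECURE_PROCESSING` mandatory. The two comments end in a stray `;` and could be merged into one line such as `// an empty string denies all access to external DTDs and stylesheets`.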
+++ b/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java @@ -74,6 +74,7 @@ import javax.tools.StandardJavaFileManager; import javax.tools.StandardLocation; import javax.tools.ToolProvider; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -3537,7 +3538,14 @@ protected Collection getOmitFilesList(File looseAppFile, String srcDirecto if (looseAppFile != null && looseAppFile.exists()) { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + dbf.setXIncludeAware(false); + dbf.setNamespaceAware(true); + dbf.setExpandEntityReferences(false); DocumentBuilder db = dbf.newDocumentBuilder(); Document document = db.parse(looseAppFile); NodeList archiveList = document.getElementsByTagName("archive"); 
@@ -4608,7 +4616,7 @@ private void untrackContainerfileDirectoriesAndRestart() throws PluginExecutionE * If container mode, check if any of the files are within a directory specified in one of the Containerfile's * COPY commands. If not container mode, does nothing. * - * @param file The files to check, in the same order. + * @param files The files to check, in the same order. * @return true if container mode and any of the files are within a directory specified in one of the Containerfile's COPY commands. * @throws IOException if there was an error getting canonical paths */ diff --git a/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java b/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java index 17759d00..831f9a1e 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java +++ b/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java @@ -32,6 +32,7 @@ import java.util.List; import java.util.Map; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -144,10 +145,7 @@ private Map downloadArtifactsFromBOM(File additionalBOM) throws Pl Map result = new HashMap(); ArrayList missing_tags = new ArrayList<>(); try { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - DocumentBuilder db = dbf.newDocumentBuilder(); + DocumentBuilder db = getDocumentBuilder(); Document doc = db.parse(additionalBOM); doc.getDocumentElement().normalize(); NodeList dependencyList = doc.getElementsByTagName("dependency"); 
@@ -182,7 +180,7 @@ private Map downloadArtifactsFromBOM(File additionalBOM) throws Pl result.put(artifactFile, groupId); } } - } catch (ParserConfigurationException | SAXException | IOException e) { + } catch (SAXException | IOException e) { throw new PluginExecutionException("Cannot read the features-bom file " + additionalBOM.getAbsolutePath() + ". " + e.getMessage()); } 
@@ -467,7 +465,33 @@ public void provideJsonFileDependency(File file, String groupId, String version) */ public abstract File downloadArtifact(String groupId, String artifactId, String type, String version) throws PluginExecutionException; - + private DocumentBuilder getDocumentBuilder() throws PluginExecutionException { + DocumentBuilder docBuilder; + + + try { + DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); + docBuilderFactory.setIgnoringComments(true); + docBuilderFactory.setCoalescing(true); + docBuilderFactory.setIgnoringElementContentWhitespace(true); + docBuilderFactory.setValidating(false); + docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); + docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + docBuilderFactory.setXIncludeAware(false); + docBuilderFactory.setNamespaceAware(true); + docBuilderFactory.setExpandEntityReferences(false); + docBuilder = docBuilderFactory.newDocumentBuilder(); + } catch (ParserConfigurationException e) { + // fail catastrophically if we can't create a document builder + throw new PluginExecutionException("Cannot read the features-bom file " + e.getMessage()); + } + + return docBuilder; + } } diff --git a/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java b/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java index eb93ed7b..6006d295 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java 
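Review bot: The `catch (ParserConfigurationException e)` in the new `getDocumentBuilder()` reports `"Cannot read the features-bom file " + e.getMessage()`, which names no file, runs the two parts together without a separator, and drops the cause, although the actual failure is that a hardened parser could not be configured. Something like `throw new PluginExecutionException("Cannot create a secure XML parser for the features-bom file: " + e.getMessage(), e);` would be easier to diagnose, assuming `PluginExecutionException` has a cause-taking constructor (not visible on this page). A short Javadoc stating that the method returns a parser with DOCTYPE declarations and external entities disabled would also help the next reader.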
+++ b/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java @@ -40,6 +40,7 @@ import java.util.Set; import java.util.logging.Level; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -366,7 +367,14 @@ public FeaturesPlatforms getServerXmlFeatures(FeaturesPlatforms origResult, File try { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); + dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + dbf.setXIncludeAware(false); + dbf.setNamespaceAware(true); + dbf.setExpandEntityReferences(false); DocumentBuilder db = dbf.newDocumentBuilder(); db.setErrorHandler(new ErrorHandler() { @Override From 4e7b50f5d6864abe4b188d362520666c35e3e566 Mon Sep 17 00:00:00 2001 From: Arun Venmany Date: Thu, 26 Sep 2024 10:40:43 +0530 Subject: [PATCH 2/3] contrast security issue fixes Signed-off-by: Arun Venmany --- .../tools/common/plugins/util/PrepareFeatureUtil.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java b/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java index 831f9a1e..950d9553 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java +++ b/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java 
@@ -146,7 +146,7 @@ private Map downloadArtifactsFromBOM(File additionalBOM) throws Pl ArrayList missing_tags = new ArrayList<>(); try { DocumentBuilder db = getDocumentBuilder(); - Document doc = db.parse(additionalBOM); + Document doc = db.parse(additionalBOM); doc.getDocumentElement().normalize(); NodeList dependencyList = doc.getElementsByTagName("dependency"); for (int itr = 0; itr < dependencyList.getLength(); itr++) { From ff746e1a44178703f30713322f6b1ae1e76c9ebc Mon Sep 17 00:00:00 2001 From: Arun Venmany Date: Fri, 27 Sep 2024 11:27:24 +0530 Subject: [PATCH 3/3] removing namespace aware. adding back additional properties to input builder Signed-off-by: Arun Venmany --- .../tools/common/arquillian/util/HttpPortUtil.java | 10 ++++++++-- .../common/plugins/config/ServerConfigDocument.java | 1 - .../tools/common/plugins/config/XmlDocument.java | 1 - .../openliberty/tools/common/plugins/util/DevUtil.java | 1 - .../tools/common/plugins/util/PrepareFeatureUtil.java | 1 - .../tools/common/plugins/util/ServerFeatureUtil.java | 1 - 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java b/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java index 984b1fec..c314a103 100644 --- a/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java +++ b/src/main/java/io/openliberty/tools/common/arquillian/util/HttpPortUtil.java @@ -37,6 +37,7 @@ import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathFactory; +import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.xml.sax.SAXException; 
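Review bot: The added `import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl;` in `HttpPortUtil` refers to a JDK-internal package and is not used in any hunk shown for that file. On JDK 9 and later the package is not exported from `java.xml`, so the import can fail to compile, and using the class would tie the code to one parser implementation. If nothing outside these hunks references it, drop the line.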
@@ -147,8 +148,13 @@ private static String getHttpPortFromConfigVariableXML(String configVariableXML, if (configVariableXML == null || configVariableXML.length() == 0) { return null; } - - DocumentBuilder inputBuilder = getBuilderFactory().newDocumentBuilder(); + DocumentBuilderFactory inputBuilderFactory = getBuilderFactory(); + inputBuilderFactory.setNamespaceAware(false); + inputBuilderFactory.setIgnoringComments(true); + inputBuilderFactory.setCoalescing(true); + inputBuilderFactory.setIgnoringElementContentWhitespace(true); + inputBuilderFactory.setValidating(false); + DocumentBuilder inputBuilder = inputBuilderFactory.newDocumentBuilder(); Document inputDoc = inputBuilder.parse(new ByteArrayInputStream(configVariableXML.getBytes())); // parse input XML Document diff --git a/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java b/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java index f08edf87..d8054270 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java +++ b/src/main/java/io/openliberty/tools/common/plugins/config/ServerConfigDocument.java @@ -150,7 +150,6 @@ private DocumentBuilder getDocumentBuilder() { docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); docBuilderFactory.setXIncludeAware(false); - docBuilderFactory.setNamespaceAware(true); docBuilderFactory.setExpandEntityReferences(false); docBuilder = docBuilderFactory.newDocumentBuilder(); } catch (ParserConfigurationException e) { diff --git a/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java b/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java index bf69861f..559acfa2 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java +++ b/src/main/java/io/openliberty/tools/common/plugins/config/XmlDocument.java 
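Review bot: `getBuilderFactory()` returns the shared static `factory`, so the five setters added here (`setNamespaceAware(false)`, `setIgnoringComments(true)`, `setCoalescing(true)`, `setIgnoringElementContentWhitespace(true)`, `setValidating(false)`) reconfigure it for every later caller, not just for this parse. After the first call to `getHttpPortFromConfigVariableXML`, `getHttpPortForServerXML` builds its parser from a factory that is no longer namespace-aware, so its behaviour depends on call order. Give this method its own instance, for example by having `getBuilderFactory()` create and return a freshly hardened factory on each call instead of caching it in a static field. The body of `getHttpPortFromConfigVariableXML` continues outside the hunk.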
@@ -66,7 +66,6 @@ public void createDocument(File xmlFile) throws ParserConfigurationException, SA builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); builderFactory.setXIncludeAware(false); - builderFactory.setNamespaceAware(true); builderFactory.setExpandEntityReferences(false); DocumentBuilder builder = builderFactory.newDocumentBuilder(); doc = builder.parse(xmlFile); diff --git a/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java b/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java index a592bb19..ce635e0b 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java +++ b/src/main/java/io/openliberty/tools/common/plugins/util/DevUtil.java @@ -3544,7 +3544,6 @@ protected Collection getOmitFilesList(File looseAppFile, String srcDirecto dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setXIncludeAware(false); - dbf.setNamespaceAware(true); dbf.setExpandEntityReferences(false); DocumentBuilder db = dbf.newDocumentBuilder(); Document document = db.parse(looseAppFile); diff --git a/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java b/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java index 950d9553..15072a3b 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java +++ b/src/main/java/io/openliberty/tools/common/plugins/util/PrepareFeatureUtil.java 
@@ -483,7 +483,6 @@ private DocumentBuilder getDocumentBuilder() throws PluginExecutionException { docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); docBuilderFactory.setXIncludeAware(false); - docBuilderFactory.setNamespaceAware(true); docBuilderFactory.setExpandEntityReferences(false); docBuilder = docBuilderFactory.newDocumentBuilder(); } catch (ParserConfigurationException e) { diff --git a/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java b/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java index 6006d295..fc0d23ad 100644 --- a/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java +++ b/src/main/java/io/openliberty/tools/common/plugins/util/ServerFeatureUtil.java @@ -373,7 +373,6 @@ public FeaturesPlatforms getServerXmlFeatures(FeaturesPlatforms origResult, File dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setXIncludeAware(false); - dbf.setNamespaceAware(true); dbf.setExpandEntityReferences(false); DocumentBuilder db = dbf.newDocumentBuilder(); db.setErrorHandler(new ErrorHandler() {