[CALCITE-5274] Improve DocumentBuilderFactory in DiffRepository test …

…class by using secure features
apache · Sep 8, 2022 · d20fd09 · d20fd09
1 parent 6302e6f
commit d20fd09
Showing 1 changed file with 24 additions and 8 deletions.
diff --git a/testkit/src/main/java/org/apache/calcite/test/DiffRepository.java b/testkit/src/main/java/org/apache/calcite/test/DiffRepository.java
@@ -44,6 +44,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.Writer;
 import java.net.URL;
 import java.util.AbstractList;
@@ -52,6 +53,7 @@
 import java.util.Objects;
 import java.util.SortedMap;
 import java.util.TreeMap;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -174,6 +176,22 @@ public class DiffRepository {
  private static final LoadingCache<Key, DiffRepository> REPOSITORY_CACHE =
  CacheBuilder.newBuilder().build(CacheLoader.from(Key::toRepo));
 
+ private static final ThreadLocal<@Nullable DocumentBuilderFactory> DOCUMENT_BUILDER_FACTORY =
+ ThreadLocal.withInitial(() -> {
+ final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setXIncludeAware(false);
+ documentBuilderFactory.setExpandEntityReferences(false);
+ documentBuilderFactory.setNamespaceAware(true);
+ try {
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ documentBuilderFactory
+ .setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (final ParserConfigurationException e) {
+ throw new IllegalStateException("Document Builder configuration failed", e);
+ }
+ return documentBuilderFactory;
+ });
+
  //~ Instance fields --------------------------------------------------------
 
  private final DiffRepository baseRepository;
@@ -207,19 +225,17 @@ private DiffRepository(URL refFile, File logFile,
  this.modCount = 0;
 
  // Load the document.
- DocumentBuilderFactory fac = DocumentBuilderFactory.newInstance();
  try {
- DocumentBuilder docBuilder = fac.newDocumentBuilder();
- try {
+ DocumentBuilder docBuilder =
+ Nullness.castNonNull(DOCUMENT_BUILDER_FACTORY.get()).newDocumentBuilder();
+ try (InputStream inputStream = refFile.openStream()) {
  // Parse the reference file.
- this.doc = docBuilder.parse(refFile.openStream());
- // Don't write a log file yet -- as far as we know, it's still
- // identical.
+ this.doc = docBuilder.parse(inputStream);
+ // Don't write a log file yet -- as far as we know, it's still identical.
  } catch (IOException e) {
  // There's no reference file. Create and write a log file.
  this.doc = docBuilder.newDocument();
- this.doc.appendChild(
- doc.createElement(ROOT_TAG));
+ this.doc.appendChild(doc.createElement(ROOT_TAG));
  flushDoc();
  }
  this.root = doc.getDocumentElement();