Merge pull request #931 from terrestris/fix-xml-parser-external-dtd-handling

mholthausen · web-flow · commit b85f1b1856c7 · 2024-10-11T13:30:27.000+02:00
Handle unsupported external DTD and schema properties
diff --git a/shogun-gs-interceptor/src/main/java/de/terrestris/shogun/interceptor/util/OgcXmlUtil.java b/shogun-gs-interceptor/src/main/java/de/terrestris/shogun/interceptor/util/OgcXmlUtil.java
@@ -85,15 +85,21 @@ public static Document getDocumentFromString(String xml) throws IOException {
             InputSource source = new InputSource(new StringReader(xml));
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 
-            // limit resolution of external entities, see https://rules.sonarsource.com/c/type/Vulnerability/RSPEC-2755
-            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            try {
+                // limit resolution of external entities, see https://rules.sonarsource.com/c/type/Vulnerability/RSPEC-2755
+                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            } catch (IllegalArgumentException e) {
+                log.error("External DTD/Schema access properties not supported:"
+                    + e.getMessage());
+            }
 
             DocumentBuilder builder = factory.newDocumentBuilder();
             document = builder.parse(source);
-        } catch (ParserConfigurationException | SAXException | IOException e) {
-            throw new IOException("Could not parse input body " +
-                "as XML: " + e.getMessage());
+        } catch (IllegalArgumentException | ParserConfigurationException
+            | SAXException | IOException e) {
+            throw new IOException("Could not parse input body as XML: "
+                + e.getMessage());
         }
         return document;
     }
