Add SecuredDocumentBuilder method

components/notification-sender-config/org.wso2.carbon.identity.notification.sender.tenant.config/src/main/java/org/wso2/carbon/identity/notification/sender/tenant/config/utils/NotificationSenderUtils.java

@@ -19,6 +19,8 @@
 package org.wso2.carbon.identity.notification.sender.tenant.config.utils;
 
 import org.apache.commons.lang.StringUtils;
+import org.apache.xerces.impl.Constants;
+import org.apache.xerces.util.SecurityManager;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -37,6 +39,8 @@
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
@@ -104,6 +108,10 @@
  */
 public class NotificationSenderUtils {
 
+    private static final Logger logger = Logger.getLogger(NotificationSenderUtils.class.getName());
+
+    private static final int ENTITY_EXPANSION_LIMIT = 0;
+
     /**
      * Generate EmailPublisher.xml input stream.
      *
@@ -116,7 +124,7 @@ public static InputStream generateEmailPublisher(EmailSenderDTO emailSender)
             throws ParserConfigurationException, TransformerException {
 
         Map<String, String> properties = emailSender.getProperties();
-        DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory documentFactory = getSecuredDocumentBuilder();
         DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
         Document document = documentBuilder.newDocument();
         // Root element (eventPublisher).
@@ -152,7 +160,7 @@ public static InputStream generateSMSPublisher(SMSSenderDTO smsSender)
             throws ParserConfigurationException, TransformerException {
 
         Map<String, String> properties = smsSender.getProperties();
-        DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory documentFactory = getSecuredDocumentBuilder();
         DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
         Document document = documentBuilder.newDocument();
         // Root element (eventPublisher).
@@ -436,4 +444,27 @@ public static int getPrimaryTenantId(String tenantDomain) throws OrganizationMan
         String primaryTenantDomain = organizationManager.resolveTenantDomain(primaryOrgId);
         return IdentityTenantUtil.getTenantId(primaryTenantDomain);
     }
+
+    private static DocumentBuilderFactory getSecuredDocumentBuilder() {
+
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setNamespaceAware(true);
+        dbf.setXIncludeAware(false);
+        dbf.setExpandEntityReferences(false);
+        try {
+            dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
+            dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
+            dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
+        } catch (ParserConfigurationException e) {
+            logger.log(Level.SEVERE, "Failed to load XML Processor Feature " +
+                    Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or " +
+                    Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE);
+        }
+
+        org.apache.xerces.util.SecurityManager securityManager = new SecurityManager();
+        securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
+        dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
+
+        return dbf;
+    }
 }