more XXE fixes

StevenArzt · StevenArzt · commit b119180df13d · 2021-07-06T11:53:01.000+02:00
diff --git a/soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/MetaDataReader.java b/soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/MetaDataReader.java
@@ -39,7 +39,10 @@ public SummaryMetaData read(Reader reader) throws XMLStreamException, SummaryXML
 		SummaryMetaData metaData = new SummaryMetaData();
 		XMLStreamReader xmlreader = null;
 		try {
-			xmlreader = XMLInputFactory.newInstance().createXMLStreamReader(reader);
+			XMLInputFactory factory = XMLInputFactory.newInstance();
+			factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+			factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+			xmlreader = factory.createXMLStreamReader(reader);
 
 			String name = "";
 			String type = "";
diff --git a/soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/SummaryReader.java b/soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/xml/SummaryReader.java
@@ -58,7 +58,10 @@ public void read(Reader reader, ClassMethodSummaries summaries)
 			throws XMLStreamException, SummaryXMLException, IOException {
 		XMLStreamReader xmlreader = null;
 		try {
-			xmlreader = XMLInputFactory.newInstance().createXMLStreamReader(reader);
+			XMLInputFactory factory = XMLInputFactory.newInstance();
+			factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+			factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+			xmlreader = factory.createXMLStreamReader(reader);
 			final MethodSummaries summary = summaries.getMethodSummaries();
 
 			Map<String, String> sourceAttributes = new HashMap<String, String>();
diff --git a/soot-infoflow/src/soot/jimple/infoflow/results/xml/InfoflowResultsReader.java b/soot-infoflow/src/soot/jimple/infoflow/results/xml/InfoflowResultsReader.java
@@ -40,7 +40,10 @@ public SerializedInfoflowResults readResults(String fileName) throws XMLStreamEx
 
 		XMLStreamReader reader = null;
 		try (InputStream in = new FileInputStream(fileName)) {
-			reader = XMLInputFactory.newInstance().createXMLStreamReader(in);
+			XMLInputFactory factory = XMLInputFactory.newInstance();
+			factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+			factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+			reader = factory.createXMLStreamReader(in);
 
 			String statement = null;
 			String method = null;
