JIRA-49: Don't access DTDs or Schemas

Author: vmassol

Diff for: jira-macro/jira-macro-default/pom.xml

@@ -103,6 +103,12 @@
       <artifactId>xwiki-rendering-test</artifactId>
       <version>${rendering.version}</version>
       <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>xerces</groupId>
+          <artifactId>xercesImpl</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>com.github.tomakehurst</groupId>

Diff for: jira-macro/jira-macro-default/src/main/java/org/xwiki/contrib/jira/macro/internal/source/HTTPJIRAFetcher.java

@@ -23,6 +23,7 @@
 import java.net.URL;
 
 import javax.inject.Singleton;
+import javax.xml.XMLConstants;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.HttpEntity;
@@ -132,6 +133,10 @@ protected HttpClientBuilder createHttpClientBuilder(JIRAServer jiraServer)
     private SAXBuilder createSAXBuilder()
     {
         // Note: SAXBuilder is not thread-safe which is why we're instantiating a new one every time.
-        return new SAXBuilder();
+        SAXBuilder builder = new SAXBuilder();
+        // Note: Prevent XXE attacks
+        builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        return builder;
     }
 }