Defensive initialization of AsyncXMLInputFactory

Aalto's InputFactoryImpl already disables loading of external entities by default (property "javax.xml.stream.isSupportingExternalEntities"). This commit goes further by applying the same defensive measures as we do elsewhere for XMLInputFactory, which disables DTD completely. Arguably there is no good reason to enable that by default in WebFlux.

Defensive initialization of AsyncXMLInputFactory
Aalto's InputFactoryImpl already disables loading of external entities by default (property "javax.xml.stream.isSupportingExternalEntities"). This commit goes further by applying the same defensive measures as we do elsewhere for XMLInputFactory, which disables DTD completely. Arguably there is no good reason to enable that by default in WebFlux.
673a20cb · Rossen Stoyanchev · f52f3a2f · 673a20cb · 673a20cb
2 changed file
--- a/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
+++ b/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package org.springframework.util.xml;

 import java.util.List;
+import java.util.function.Supplier;
 import javax.xml.stream.XMLEventFactory;
 import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.XMLEventWriter;
@@ -58,11 +59,21 @@ public abstract class StaxUtils {
 	/**
 	 * Create an {@link XMLInputFactory} with Spring's defensive setup,
 	 * i.e. no support for the resolution of DTDs and external entities.
-	 * @return a new input factory to use
+	 * @return a new defensively initialized input factory instance to use
 	 * @since 5.0
 	 */
 	public static XMLInputFactory createDefensiveInputFactory() {
-		XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+		return createDefensiveInputFactory(XMLInputFactory::newFactory);
+	}
+
+	/**
+	 * Variant of {@link #createDefensiveInputFactory()} with a custom instance.
+	 * @param instanceSupplier supplier for the input factory instance
+	 * @return a new defensively initialized input factory instance to use
+	 * @since 5.0.12
+	 */
+	public static <T extends XMLInputFactory> T createDefensiveInputFactory(Supplier<T> instanceSupplier) {
+		T inputFactory = instanceSupplier.get();
 		inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 		inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 		inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);

--- a/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
+++ b/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -127,13 +127,15 @@ public class XmlEventDecoder extends AbstractDecoder<XMLEvent> {
 	 */
 	private static class AaltoDataBufferToXmlEvent implements Function<DataBuffer, Publisher<? extends XMLEvent>> {

-		private static final AsyncXMLInputFactory inputFactory = new InputFactoryImpl();
+		private static final AsyncXMLInputFactory inputFactory =
+				StaxUtils.createDefensiveInputFactory(InputFactoryImpl::new);

 		private final AsyncXMLStreamReader<AsyncByteBufferFeeder> streamReader =
 				inputFactory.createAsyncForByteBuffer();

 		private final XMLEventAllocator eventAllocator = EventAllocatorImpl.getDefaultInstance();

+
 		@Override
 		public Publisher<? extends XMLEvent> apply(DataBuffer dataBuffer) {
 			try {