ICU-22888 Enhance XML Processor Configuration for Tools Directory in ICU4J Package

See #3243
2025-04-05 21:45:37 +00:00 · 2024-10-17 12:12:56 +00:00 · 2024-10-17 12:12:56 +00:00 · 38c046b60c
commit 38c046b60c
parent 06a23f8d37
2 changed files with 28 additions and 2 deletions
--- a/icu4j/tools/build/src/main/java/com/ibm/icu/dev/tool/coverage/JacocoReportCheck.java
+++ b/icu4j/tools/build/src/main/java/com/ibm/icu/dev/tool/coverage/JacocoReportCheck.java
@ -23,6 +23,7 @@ import java.util.TreeSet;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;

 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@ -142,7 +143,16 @@ public class JacocoReportCheck {
    private static Map<String, ReportEntry> parseReport(File reportXmlFile) {
        try {
            Map<String, ReportEntry> entries = new TreeMap<String, ReportEntry>();
-            DocumentBuilder docBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            // Securely configure DocumentBuilderFactory
+            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            docFactory.setNamespaceAware(true);
+
+            DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
            docBuilder.setEntityResolver(new EntityResolver() {
                // Ignores JaCoCo report DTD
                public InputSource resolveEntity(String publicId, String systemId) {
--- a/icu4j/tools/misc/src/main/java/com/ibm/icu/dev/tool/localeconverter/XLIFF2ICUConverter.java
+++ b/icu4j/tools/misc/src/main/java/com/ibm/icu/dev/tool/localeconverter/XLIFF2ICUConverter.java
@ -20,6 +20,7 @@ import java.util.Date;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;

@ -407,7 +408,22 @@ public final class XLIFF2ICUConverter {

        String urls = filenameToURL(xmlfileName);
        DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();
-        dfactory.setNamespaceAware(true);
+
+        try {
+            // Set secure processing features to avoid XXE attacks
+            dfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dfactory.setNamespaceAware(true);
+
+            // Disable access to external DTDs and entities to mitigate XXE attacks
+            dfactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            dfactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        } catch (ParserConfigurationException e) {
+            System.err.println("ERROR: Parser configuration error: " + e.getMessage());
+            System.exit(-1);
+        }
+
        Document doc = null;

        if (xliff10) {