From 8dd245981f3d6971fee2ccb29301420d650cd9dd Mon Sep 17 00:00:00 2001
From: Lahiru Madushanka
Date: Fri, 8 Dec 2023 10:05:19 +0530
Subject: [PATCH] Disable external entity support in javax.xml

Disable external entity support in javax.xml refer https://security.docs.wso2.com/en/latest/security-guidelines/secure-engineering-guidelines/secure-coding-guidlines/general-recommendations-for-secure-coding/#xmlinputfactory-stax-parser
---
 .../synapse/mediators/transform/pfutils/TemplateProcessor.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/core/src/main/java/org/apache/synapse/mediators/transform/pfutils/TemplateProcessor.java b/modules/core/src/main/java/org/apache/synapse/mediators/transform/pfutils/TemplateProcessor.java
index d7d5f65e5e..097063a4f1 100644
--- a/modules/core/src/main/java/org/apache/synapse/mediators/transform/pfutils/TemplateProcessor.java
+++ b/modules/core/src/main/java/org/apache/synapse/mediators/transform/pfutils/TemplateProcessor.java
@@ -533,6 +533,7 @@ protected void handleException(String msg) {
 public void readInputFactoryProperties() {
 //ignore DTDs for XML Input
 inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
 inputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
 Map props = StAXUtils.loadFactoryProperties("XMLInputFactory.properties");
 if (props != null) {
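Review bot: The hardening properties in `readInputFactoryProperties()` are set before `StAXUtils.loadFactoryProperties("XMLInputFactory.properties")` is read, so if the `if (props != null)` block (its body lies outside this hunk) copies every entry onto `inputFactory`, a properties file on the classpath could switch `SUPPORT_DTD` or `IS_SUPPORTING_EXTERNAL_ENTITIES` back on. Consider re-applying `inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);` and `inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);` after that block, or skipping those two keys while the file is applied. The new line also has no comment, unlike the DTD line above it; something like `// never resolve external entities (XXE); must not be overridden by XMLInputFactory.properties` would record the intent. A unit test asserting that an input declaring an external entity is not expanded would keep the setting from regressing.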