From 312fb9bb059e5fd7e7a906da15b797f22227090e Mon Sep 17 00:00:00 2001
From: Sebastian Sdorra
Date: Thu, 28 Nov 2019 10:45:57 +0100
Subject: [PATCH] fix sonarqube warning about xxe processing
---
 scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java b/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java
index 4b3d9b0f28..c8c5240f88 100644
--- a/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java
+++ b/scm-dao-xml/src/main/java/sonia/scm/xml/XmlStreams.java
@@ -52,7 +52,9 @@ public final class XmlStreams {
 }
 private static XMLStreamReader createReader(Reader reader) throws XMLStreamException {
- return XMLInputFactory.newInstance().createXMLStreamReader(reader);
+ XMLInputFactory factory = XMLInputFactory.newInstance();
+ factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+ return factory.createXMLStreamReader(reader);
 }
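Review bot: In createReader, DTD processing is still enabled on the factory: the added line turns off only `IS_SUPPORTING_EXTERNAL_ENTITIES`, so a document carrying a DOCTYPE is still parsed and its internal entities expanded, and how an external DTD subset is treated is left to whichever StAX implementation `XMLInputFactory.newInstance()` resolves to at runtime. If the XML read through this helper never needs a DTD (not visible from this hunk), add `factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);` next to the existing setProperty call. A short comment such as `// harden against XXE: no DTDs, no external entities` would record why the properties are set, and a unit test that feeds createReader's callers a document declaring an external entity would keep the hardening from regressing.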