From c4bf157075dd21e2376e1f8dd91b24d5745be7e5 Mon Sep 17 00:00:00 2001
From: Sebastian Sdorra
Date: Wed, 11 Mar 2020 15:55:25 +0100
Subject: [PATCH] fix sonar qube finding for try with resources and dtd external processing
---
 .../annotation/ScmAnnotationProcessor.java | 51 +++++++------------
 1 file changed, 19 insertions(+), 32 deletions(-)
diff --git a/scm-annotation-processor/src/main/java/sonia/scm/annotation/ScmAnnotationProcessor.java b/scm-annotation-processor/src/main/java/sonia/scm/annotation/ScmAnnotationProcessor.java
index 38961ccaf8..4e705985a1 100644
--- a/scm-annotation-processor/src/main/java/sonia/scm/annotation/ScmAnnotationProcessor.java
+++ b/scm-annotation-processor/src/main/java/sonia/scm/annotation/ScmAnnotationProcessor.java
@@ -50,13 +50,8 @@ import sonia.scm.plugin.PluginAnnotation;
 //~--- JDK imports ------------------------------------------------------------
-import java.io.Closeable;
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileWriter;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.Writer;
 import java.lang.annotation.Annotation;
@@ -89,11 +84,13 @@ import javax.tools.StandardLocation;
 import javax.ws.rs.Path;
 import javax.ws.rs.ext.Provider;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
@@ -160,18 +157,6 @@ public final class ScmAnnotationProcessor extends AbstractProcessor { return false; } - - private void close(Closeable closeable) { - if (closeable != null) { - try { - closeable.close(); - } catch (IOException ex) { - printException("could not close closeable", ex); - } - } - } - - private TypeElement findAnnotation(Set annotations, Class annotationClass) { TypeElement annotation = null; @@ -205,15 +190,12 @@ public final class ScmAnnotationProcessor extends AbstractProcessor { private Document parseDocument(File file) { Document doc = null; - InputStream input = null; try { - DocumentBuilder builder = - DocumentBuilderFactory.newInstance().newDocumentBuilder(); + DocumentBuilder builder = createDocumentBuilder(); if (file.exists()) { - input = new FileInputStream(file); - doc = builder.parse(input); + doc = builder.parse(file); } else { doc = builder.newDocument(); doc.appendChild(doc.createElement(EL_MODULE)); @@ -221,13 +203,17 @@ public final class ScmAnnotationProcessor extends AbstractProcessor { } catch (ParserConfigurationException | SAXException | IOException | DOMException ex) { printException("could not parse document", ex); - } finally { - close(input); } return doc; } + private DocumentBuilder createDocumentBuilder() throws ParserConfigurationException { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + return factory.newDocumentBuilder(); + } + private String prepareArrayElement(Object obj) { String v = obj.toString(); 
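Review bot: In `createDocumentBuilder`, `FEATURE_SECURE_PROCESSING` is the only hardening applied, and what it does about DOCTYPE declarations and external entities is left to whichever JAXP implementation `DocumentBuilderFactory.newInstance()` resolves on the processor classpath. The JDK's built-in parser appears to restrict external access when the feature is set explicitly, but other parsers may only apply resource limits. Since the commit message names DTD external processing as the target, state the restriction directly, e.g. `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`. The same applies to `createTransformer` in the last hunk, where the matching attributes are `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET`. This matters a little more now that `parseDocument` calls `builder.parse(file)`, which gives the document a file system id, so relative references in an existing descriptor would resolve against its directory if external access is not blocked.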
@@ -341,24 +327,25 @@ public final class ScmAnnotationProcessor extends AbstractProcessor { private void writeDocument(Document doc, File file) { - Writer writer = null; try { file.getParentFile().mkdirs(); - writer = new FileWriter(file); - Transformer transformer = - TransformerFactory.newInstance().newTransformer(); + Transformer transformer = createTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, PROPERTY_VALUE); - transformer.transform(new DOMSource(doc), new StreamResult(writer)); - } catch (IOException | IllegalArgumentException | TransformerException ex) { + transformer.transform(new DOMSource(doc), new StreamResult(file)); + } catch (IllegalArgumentException | TransformerException ex) { printException("could not write document", ex); - } finally { - close(writer); } } + private Transformer createTransformer() throws TransformerConfigurationException { + TransformerFactory factory = TransformerFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + return factory.newTransformer(); + } + private Map getAttributesFromAnnotation(Element el, TypeElement annotation) {
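Review bot: `writeDocument` now passes `new StreamResult(file)` to the transformer, so the output stream is opened and closed inside the JAXP implementation, and a failure part-way through `transform` leaves the close to that implementation rather than to this method. If the Sonar finding was about deterministic release of the file handle, wrapping the transform in `try (OutputStream out = Files.newOutputStream(file.toPath()))` with `new StreamResult(out)`, and restoring `IOException` to the multi-catch, keeps it under this method's control. The return value of `file.getParentFile().mkdirs()` is still ignored in the context lines, so a directory that could not be created would presumably surface only later as a `TransformerException`. A one-line comment on `createTransformer` saying why secure processing is enabled would help the next reader.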