fix: change to use XMLUtils to process IdP Metadata (#279)

jenkinsci · Oct 23, 2022 · c8ea9f9 · c8ea9f9
1 parent 56110e6
commit c8ea9f9
Showing 1 changed file with 4 additions and 14 deletions.
diff --git a/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java b/src/main/java/org/jenkinsci/plugins/saml/IdpMetadataConfiguration.java
@@ -11,11 +11,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.annotation.Nonnull;
-import javax.xml.XMLConstants;
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import edu.umd.cs.findbugs.annotations.NonNull;
@@ -25,6 +21,7 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.interceptor.RequirePOST;
+import org.xml.sax.SAXException;
 import hudson.Extension;
 import hudson.ProxyConfiguration;
 import hudson.model.AbstractDescribableImpl;
@@ -137,17 +134,10 @@ public void updateIdPMetadata() throws IOException {
         try {
             URLConnection urlConnection = ProxyConfiguration.open(new URL(url));
             try (InputStream in = urlConnection.getInputStream()) {
-                TransformerFactory tf = TransformerFactory.newInstance();
-                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
-                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-                tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-                Transformer transformer = tf.newTransformer();
-                transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "no");
-                transformer.setOutputProperty(OutputKeys.INDENT, "yes");
                 StringWriter writer = new StringWriter();
-                transformer.transform(new StreamSource(in), new StreamResult(writer));
+                XMLUtils.safeTransform(new StreamSource(in), new StreamResult(writer));
                 String idpXml = writer.toString();
+
                 FormValidation validation = new SamlValidateIdPMetadata(idpXml).get();
                 if (FormValidation.Kind.OK == validation.kind) {
                     FileUtils.writeStringToFile(new File(SamlSecurityRealm.getIDPMetadataFilePath()), idpXml,
@@ -156,7 +146,7 @@ public void updateIdPMetadata() throws IOException {
                     throw new IllegalArgumentException(validation.getMessage());
                 }
             }
-        } catch (IOException | TransformerException e) {
+        } catch (IOException | TransformerException | SAXException e) {
             throw new IOException("Was not possible to update the IdP Metadata from the URL " + url, e);
         }
     }