From 9b8c7c16d5f58ed1bcb44bdfd5d5f88d71ad7ec2 Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Tue, 21 Mar 2023 16:32:30 +0100
Subject: [PATCH] set transformer factory attributes to improve protection against XXE
---
 .../fasterxml/jackson/databind/ext/DOMSerializer.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMSerializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMSerializer.java
index 343eb0ebc5..5896b5e3f3 100644
--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMSerializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMSerializer.java
@@ -28,6 +28,8 @@ public DOMSerializer() {
 try {
 transformerFactory = TransformerFactory.newInstance();
 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ setTransformerFactoryAttribute(transformerFactory, XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ setTransformerFactoryAttribute(transformerFactory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 } catch (Exception e) {
 throw new IllegalStateException("Could not instantiate `TransformerFactory`: "+e.getMessage(), e);
 }
@@ -65,4 +67,13 @@ public JsonNode getSchema(SerializerProvider provider, java.lang.reflect.Type ty
 public void acceptJsonFormatVisitor(JsonFormatVisitorWrapper visitor, JavaType typeHint) throws JsonMappingException {
 if (visitor != null) visitor.expectAnyFormat(typeHint);
 }
+
+ private static void setTransformerFactoryAttribute(final TransformerFactory transformerFactory,
+ final String name, final Object value) {
+ try {
+ transformerFactory.setAttribute(name, value);
+ } catch (Exception e) {
+ System.err.println("[DOMSerializer] Failed to set TransformerFactory attribute: " + name);
+ }
+ }
 }
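Review bot: The two added `setTransformerFactoryAttribute` calls sit inside the `try` whose `catch` turns any failure into an `IllegalStateException`, yet the helper swallows its own exceptions, so unlike the `FEATURE_SECURE_PROCESSING` line directly above them these two settings can silently fail to apply on a JAXP implementation that rejects the attribute. That asymmetry is presumably deliberate (best-effort on non-JDK factories), but nothing in the hunk records it or what the empty-string value means. A one-line comment above the calls would do: `// Best-effort hardening: "" denies every protocol for external DTD/stylesheet access; an unsupported attribute is reported, not fatal (see setTransformerFactoryAttribute)`. The constructor body continues outside the hunk.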
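Review bot: `setTransformerFactoryAttribute` catches `Exception` and reports only the attribute name on `System.err`, so a refused security setting is neither surfaced to the application nor recorded with its cause, and a library writing to stderr is easy to miss in production. Per the JAXP Javadoc, `TransformerFactory.setAttribute` throws `IllegalArgumentException` for an attribute the implementation does not recognize, so the catch can be narrowed and the message should carry the exception text: `} catch (IllegalArgumentException e) {` and `System.err.println("[DOMSerializer] Failed to set TransformerFactory attribute " + name + ": " + e.getMessage());`. Whether a rejected `ACCESS_EXTERNAL_DTD` should instead be fatal, as a `setFeature` failure in the constructor already is, deserves an explicit decision; if best-effort is intended, a Javadoc line on the helper saying "best-effort; failure is logged and the factory is left as-is" would make that contract visible to the next maintainer.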