1 package com.atlassian.plugins.rest.module.xml;
2
3 import java.io.ByteArrayInputStream;
4 import java.io.InputStream;
5
6 import javax.ws.rs.core.Context;
7 import javax.xml.XMLConstants;
8 import javax.xml.stream.XMLInputFactory;
9 import javax.xml.stream.XMLResolver;
10 import javax.xml.stream.XMLStreamException;
11
12 import com.sun.jersey.core.impl.provider.xml.ThreadLocalSingletonContextProvider;
13 import com.sun.jersey.core.util.FeaturesAndProperties;
14
/**
 * Supplies the {@link XMLInputFactory} that is injected as JAX-RS context, with
 * XML External Entity (XXE) hardening applied unless the application has
 * explicitly turned XML security off.
 *
 * <p>Hardening consists of three independent measures, all applied in
 * {@link #getInstance()}: DTD support is switched off, external entity support
 * is switched off, and an {@link XMLResolver} is installed that answers every
 * entity lookup with an empty stream. The resolver is a fallback: if a parser
 * still asks for an entity, it receives no content.
 *
 * <p>Security caveat: when {@link FeaturesAndProperties#FEATURE_DISABLE_XML_SECURITY}
 * is enabled, none of the above is applied and the factory keeps whatever
 * defaults the StAX implementation on the classpath ships with. That feature
 * should only be set where every XML document read through this factory is
 * trusted.
 */
public class XMLStreamReaderContextProvider extends ThreadLocalSingletonContextProvider<XMLInputFactory> {

    /**
     * Zero-length stream handed back for every entity lookup. It holds no bytes,
     * so every read reports end-of-stream and there is no content to consume.
     */
    private static final InputStream EMPTY_INPUT_STREAM = new ByteArrayInputStream(new byte[0]);

    /** Stateless resolver; a single instance serves every factory this provider builds. */
    private static final XMLResolver EMPTY_ENTITY_RESOLVER = new EmptyEntityResolver();

    /** {@code true} when the application opted out of XML hardening via the Jersey feature flag. */
    private final boolean disableXmlSecurity;

    /**
     * Captures the state of {@link FeaturesAndProperties#FEATURE_DISABLE_XML_SECURITY}
     * at construction time; later changes to the feature are not observed.
     *
     * @param fps the features and properties injected by the JAX-RS runtime
     */
    public XMLStreamReaderContextProvider(@Context FeaturesAndProperties fps) {
        super(XMLInputFactory.class);
        this.disableXmlSecurity = fps.getFeature(FeaturesAndProperties.FEATURE_DISABLE_XML_SECURITY);
    }

    /**
     * Builds a new {@link XMLInputFactory}, hardened against XXE unless XML
     * security has been disabled.
     *
     * @return a factory with DTDs and external entities disabled and an
     *         empty-stream resolver installed, or an unmodified factory when XML
     *         security is disabled
     */
    @Override
    protected XMLInputFactory getInstance() {
        final XMLInputFactory factory = XMLInputFactory.newInstance();
        if (disableXmlSecurity) {
            // Explicit opt-out: hand back the implementation defaults untouched.
            return factory;
        }

        // Refuse DTD processing and external entity expansion.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Fallback: any entity the parser still tries to resolve yields no content.
        factory.setXMLResolver(EMPTY_ENTITY_RESOLVER);
        return factory;
    }

    /**
     * Resolver that ignores the requested identifiers and always returns the
     * shared empty stream, so no external resource is fetched on its behalf.
     */
    private static final class EmptyEntityResolver implements XMLResolver {
        @Override
        public Object resolveEntity(String publicID, String systemID, String baseURI, String namespace)
                throws XMLStreamException {
            return EMPTY_INPUT_STREAM;
        }
    }
}