muse-dev[bot] commented on a change in pull request #1972: URL: https://github.com/apache/lucene-solr/pull/1972#discussion_r502873537
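Review bot: the `DocumentBuilderFactory` built in `from(Path file)` is handed straight to `parse(file.toFile())` without disabling DTD processing or external entities, so the XXE finding above applies to this hunk; at minimum add `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (with `external-general-entities` and `external-parameter-entities` set to false if a DOCTYPE must be tolerated) before `newDocumentBuilder()`. Two further points on the same lines: `setXIncludeAware(true)` lets an `xi:include` in the exporter config pull in any file the process can read, so it should be kept only if the prometheus-exporter config format actually relies on XInclude, and the `catch (UnsupportedOperationException e)` block only explains the XInclude case in its log message while it also swallows a failure of `setNamespaceAware(true)`; splitting the two calls, or naming both in the warning, would make the fallback behaviour clearer. The `// See solr-core XmlConfigFile` comment also deserves a sentence on which of that class's parser settings were intentionally not carried over, since this change replaces the `XmlConfigFile`-based overload.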
########## File path: solr/contrib/prometheus-exporter/src/java/org/apache/solr/prometheus/exporter/MetricsConfiguration.java ########## @@ -66,13 +76,27 @@ public PrometheusExporterSettings getSettings() { return searchConfiguration; } - public static MetricsConfiguration from(XmlConfigFile config) throws Exception { - Node settings = config.getNode("/config/settings", false); + public static MetricsConfiguration from(Path file) throws Exception { + // See solr-core XmlConfigFile + final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + try { + dbf.setXIncludeAware(true); + dbf.setNamespaceAware(true); + } catch (UnsupportedOperationException e) { + log.warn("{} XML parser doesn't support XInclude option", file); + } + + final Document document = dbf.newDocumentBuilder().parse(file.toFile()); Review comment: *XXE_DOCUMENT:* The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks [(details)](https://find-sec-bugs.github.io/bugs.htm#XXE_DOCUMENT) ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org