diff --git a/build.gradle b/build.gradle
index c6dff2ce7d..8b27210cf6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -30,8 +30,10 @@ spotless {
 }
 dependencies {
- rewrite(platform("org.openrewrite.recipe:rewrite-recipe-bom:3.15.0"))
- rewrite("org.openrewrite.recipe:rewrite-migrate-java:3.18.0")
+ rewrite(platform('org.openrewrite.recipe:rewrite-recipe-bom:3.15.0'))
+ rewrite('org.openrewrite.recipe:rewrite-migrate-java:3.18.0')
+ rewrite('org.openrewrite.recipe:rewrite-java-security:3.19.0')
+ rewrite('org.openrewrite.recipe:rewrite-rewrite:0.13.0')
 rewrite('org.openrewrite.recipe:rewrite-static-analysis:2.18.0')
 rewrite('org.openrewrite.recipe:rewrite-third-party:0.27.0')
 }
diff --git a/gradle/rewrite.gradle b/gradle/rewrite.gradle
index 258d5df6d5..965ad177fb 100644
--- a/gradle/rewrite.gradle
+++ b/gradle/rewrite.gradle
@@ -5,6 +5,10 @@ rewrite {
 'org.openrewrite.gradle.GradleBestPractices',
 'org.openrewrite.java.RemoveUnusedImports',
 'org.openrewrite.java.migrate.UpgradeToJava17',
+ 'org.openrewrite.java.recipes.JavaRecipeBestPractices',
+ 'org.openrewrite.java.recipes.RecipeTestingBestPractices',
+ 'org.openrewrite.java.security.JavaSecurityBestPractices',
+ 'org.openrewrite.staticanalysis.JavaApiBestPractices',
 'org.openrewrite.staticanalysis.LowercasePackage',
 'org.openrewrite.staticanalysis.MissingOverrideAnnotation',
 'org.openrewrite.staticanalysis.ModifierOrder',
@@ -29,6 +33,8 @@ rewrite {
 '**_gradle_node_plugin_example_**',
 '**gradle/changelog.gradle',
 '**gradle/java-publish.gradle',
+ '**idea/full.clean.java',
+ '**java-setup.gradle',
 '**lib-extra/build.gradle',
 '**lib/build.gradle',
 '**package-info.java',
diff --git a/lib/src/main/java/com/diffplug/spotless/FormatterProperties.java b/lib/src/main/java/com/diffplug/spotless/FormatterProperties.java
index 486fd470dc..3bd6498f97 100644
--- a/lib/src/main/java/com/diffplug/spotless/FormatterProperties.java
+++ b/lib/src/main/java/com/diffplug/spotless/FormatterProperties.java
@@ -33,6 +33,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -201,6 +202,21 @@ private Properties executeWithSupplier(Supplier isSupplier) throws
 private Node getRootNode(final InputStream is) throws IOException, IllegalArgumentException {
 try {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ try {
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
+
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+ } catch (ParserConfigurationException e) {
+ throw new IllegalStateException("Some features are not supported by your XML processor.", e);
+ }
 /*
 * It is not required to validate or normalize attribute values for
 * the XMLs currently supported. Disabling validation is supported by
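Review bot: The new hardening block in getRootNode turns off external general/parameter entities, external DTD loading, XInclude and entity expansion, but it never forbids the DOCTYPE declaration itself, which the usual XXE guidance treats as the primary defense because it holds regardless of which of the other, implementation-specific features the parser honours; if the Eclipse preference XML this method reads never carries a DOCTYPE (it does not appear to, but confirm against the supported formats), add `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` as the first call inside the inner try. The three `http://...` feature names are Xerces-specific, so on another JAXP implementation the catch aborts the whole parse with an IllegalStateException — a fail-closed choice worth stating in a comment such as `// Fail rather than parse with unknown XXE protections; only FEATURE_SECURE_PROCESSING is guaranteed by JAXP.` The blank line after every call and the one before `} catch` are out of step with the surrounding code and could be dropped. getRootNode's body and the outer try's catch continue past the end of the hunk, so whether the new IllegalStateException is caught and re-wrapped there cannot be seen here.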