Add parameter "setTotalEntitySizeLimit" to XmlDecoder (#554)

- add tests

Author: dr0i

metafacture-xml/src/main/java/org/metafacture/xml/XmlDecoder.java

@@ -48,18 +48,34 @@
 public final class XmlDecoder extends DefaultObjectPipe<Reader, XmlReceiver> {
 
     private static final String SAX_PROPERTY_LEXICAL_HANDLER = "http://xml.org/sax/properties/lexical-handler";
-
-    private final XMLReader saxReader;
+    private XMLReader saxReader;
+    private final SAXParserFactory parserFactory = SAXParserFactory.newInstance();
 
     /**
-     * Constructs an XmlDecoder by obtaining a new instance of an
+     * Creates an instance of {@link XmlDecoder} by obtaining a new instance of an
      * {@link org.xml.sax.XMLReader}.
      */
     public XmlDecoder() {
         try {
-            final SAXParserFactory parserFactory = SAXParserFactory.newInstance();
             parserFactory.setNamespaceAware(true);
+            saxReader = parserFactory.newSAXParser().getXMLReader();
+        }
+        catch (final ParserConfigurationException | SAXException e) {
+            throw new MetafactureException(e);
+        }
+    }
 
+    /**
+     * Sets the total entity size limit for the XML parser.
+     * See <a href="https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-82F8C206-F2DF-4204-9544-F96155B1D258__TABLE_RQ1_3PY_HHB">java-api-xml-processing-jaxp-security-guide.html</a>
+     *
+     * Defaults to "50,000,000". Set to "0" to allow unlimited entities.
+     *
+     * @param size the size of the allowed entities. Set to "0" if entities should be unlimited.
+     */
+    public void setTotalEntitySizeLimit(final String size) {
+        try {
+            System.setProperty("jdk.xml.totalEntitySizeLimit", size);
             saxReader = parserFactory.newSAXParser().getXMLReader();
         }
         catch (final ParserConfigurationException | SAXException e) {

metafacture-xml/src/test/java/org/metafacture/xml/XmlDecoderTest.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2024 Pascal Christoph (hbz)
+ *
+ * Licensed under the Apache License, Version 2.0 the "License";
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.metafacture.xml;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.metafacture.framework.MetafactureException;
+
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+
+/**
+ * Tests for class {@link XmlDecoder}.
+ *
+ * @author Pascal Christoph (dr0i)
+ */
+public final class XmlDecoderTest {
+
+    private final String TEST_XML_WITH_TWO_ENTITIES = "<record>&gt;&gt;</record>";
+    private XmlDecoder xmlDecoder;
+    private final Reader reader = new StringReader(TEST_XML_WITH_TWO_ENTITIES);
+
+    @Before
+    public void initSystemUnderTest() {
+        xmlDecoder = new XmlDecoder();
+    }
+
+    @Test
+    public void issue554_default() {
+        process(xmlDecoder);
+    }
+
+    @Test(expected = MetafactureException.class)
+    public void issue554_shouldFail() {
+        xmlDecoder.setTotalEntitySizeLimit("1");
+        process(xmlDecoder);
+    }
+
+    @Test
+    public void issue554_unlimitedEntities() {
+        xmlDecoder.setTotalEntitySizeLimit("0");
+        process(xmlDecoder);
+    }
+
+    private void process(XmlDecoder xmlDecoder) {
+        try {
+            xmlDecoder.process(reader);
+            reader.close();
+        }
+        catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}