From c965a8d2a6bbdb9bcfc6acfa7bbffd3da81f5395 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Brais=20Gab=C3=ADn?=
Date: Tue, 18 Jan 2022 18:21:06 +0100
Subject: [PATCH] Parse Baseline in a secure way (#4499)
---
 .../arturbosch/detekt/core/baseline/BaselineFormat.kt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/baseline/BaselineFormat.kt b/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/baseline/BaselineFormat.kt
index a34097ac6be..ac8c41e7756 100644
--- a/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/baseline/BaselineFormat.kt
+++ b/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/baseline/BaselineFormat.kt
@@ -3,6 +3,7 @@ package io.gitlab.arturbosch.detekt.core.baseline
 import org.xml.sax.SAXParseException
 import java.nio.file.Files
 import java.nio.file.Path
+import javax.xml.XMLConstants
 import javax.xml.parsers.SAXParserFactory
 import javax.xml.stream.XMLStreamException
 import javax.xml.stream.XMLStreamWriter
@@ -17,7 +18,11 @@ internal class BaselineFormat {
 fun read(path: Path): Baseline {
 try {
 Files.newInputStream(path).use {
-val reader = SAXParserFactory.newInstance().newSAXParser()
+val reader = SAXParserFactory.newInstance()
+.apply {
+setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
+}
+.newSAXParser()
 val handler = BaselineHandler()
 reader.parse(it, handler)
 return handler.createBaseline()
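Review bot: `FEATURE_SECURE_PROCESSING` on the JDK's built-in SAX parser applies entity-expansion and similar resource limits, but it does not by itself stop the parser from honouring a DOCTYPE, resolving external general/parameter entities or fetching an external DTD, so the reader built in the second hunk of `read` still resolves external references found in a baseline file. A baseline is checked-in, contributor-editable XML, so the factory should also reject the DOCTYPE outright with `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` (or, if DOCTYPEs must be tolerated, set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false` and set `XMLConstants.ACCESS_EXTERNAL_DTD` to `""` on the parser). Note that `setFeature` on the factory can throw `ParserConfigurationException`, `SAXNotRecognizedException` or `SAXNotSupportedException`, which now surface inside the existing `try`; the `catch` clauses of `read` lie outside this hunk, so confirm they report these as a configuration error rather than folding them into the "invalid baseline" path. A short comment on the `.apply` block naming which classes of attack each feature closes would help the next maintainer, e.g. `// limits entity expansion; DOCTYPE/external-entity handling is configured separately`.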