[#1713] isSecureXml

118ec1d2 · George Novikov · 3db07299 · 118ec1d2 · 118ec1d2 · 118ec1d2
Commit 118ec1d2 authored Nov 14, 2025 by George Novikov
3 changed files
--- a/src/main/java/kz/arta/nca_iiscon/controller/NcaIISConController.java
+++ b/src/main/java/kz/arta/nca_iiscon/controller/NcaIISConController.java
@@ -7,6 +7,7 @@ import kz.arta.nca_iiscon.service.NcaIISConService;
 import kz.arta.nca_iiscon.util.XmlToJsonUtil;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.*;
@@ -17,6 +18,9 @@ import org.springframework.web.bind.annotation.*;
 @RequestMapping(value = "/service/nca")
 public class NcaIISConController {
+    @Value("${secure_xml}")
+    private boolean isSecureXml;
    private final NcaIISConService service;
    private final ForwardApplicationNcaService forwardService;
@@ -25,6 +29,8 @@ public class NcaIISConController {
    public @ResponseBody Object getSearchOrderByReferenceNumber(@RequestBody SearchOrderByReferenceNumberRequest request
    ) throws Exception {
+        XmlToJsonUtil.setSecureXml(isSecureXml);
        log.info("Received request with referenceNumber: {}", request.getReferenceNumber());
        // Отправляем запрос и получаем ответ
@@ -43,6 +49,8 @@ public class NcaIISConController {
            @RequestBody ForwardApplication request
    ) throws Exception {
+        XmlToJsonUtil.setSecureXml(isSecureXml);
        // Отправляем запрос и получаем ответ
        Object response = forwardService.sendRequest(request);

--- a/src/main/java/kz/arta/nca_iiscon/util/XmlToJsonUtil.java
+++ b/src/main/java/kz/arta/nca_iiscon/util/XmlToJsonUtil.java
@@ -8,6 +8,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -17,6 +18,16 @@ import java.nio.charset.StandardCharsets;
 @Slf4j
 public class XmlToJsonUtil {
+    private static boolean secureXml = false;
+    public static boolean isSecureXml() {
+        return secureXml;
+    }
+    public static void setSecureXml(boolean value) {
+        secureXml = value;
+    }
    private static final ObjectMapper objectMapper = new ObjectMapper();
    /**
@@ -57,6 +68,19 @@ public class XmlToJsonUtil {
            factory.setNamespaceAware(true);
            DocumentBuilder builder = factory.newDocumentBuilder();
+            if (XmlToJsonUtil.isSecureXml()){
+                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+                factory.setXIncludeAware(false);
+                factory.setExpandEntityReferences(false);
+                builder.setEntityResolver((publicId, systemId) -> {
+                    throw new SAXException("External entities are not allowed");
+                });
+            }
            ByteArrayInputStream input = new ByteArrayInputStream(
                    xmlString.getBytes(StandardCharsets.UTF_8)
            );

--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -9,4 +9,5 @@ service_url=http://192.168.14.19:9580/ws/SyncChannelService.wsdl
 login=EISDS
 password=8zDV~U4OUo
 server.port=13010
\ No newline at end of file
+secure_xml=false
\ No newline at end of file