Refactor XML parsing to use safer document builders in multiple classes (#12129)

YLChen-007 · cyl-auth · web-flow · commit 77cb0827d354 · 2026-01-05T07:58:34.000+01:00
Co-authored-by: chenyoulong20g@ict.ac.cn &lt;chenyoulong20g@ict.ac.cn&gt;
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateVolumeCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateVolumeCommandWrapper.java
@@ -42,6 +42,7 @@
 import org.apache.cloudstack.storage.datastore.util.ScaleIOUtil;
 import org.apache.cloudstack.storage.to.PrimaryDataStoreTO;
 import org.apache.cloudstack.storage.to.VolumeObjectTO;
+import org.apache.cloudstack.utils.security.ParserUtils;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.libvirt.Connect;
@@ -216,7 +217,7 @@ protected MigrateVolumeAnswer checkBlockJobStatus(MigrateVolumeCommand command,
 
     private String generateDestinationDiskLabel(String diskXml) throws ParserConfigurationException, IOException, SAXException {
 
-        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory dbFactory = ParserUtils.getSaferDocumentBuilderFactory();
         DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
         Document doc = dBuilder.parse(new ByteArrayInputStream(diskXml.getBytes("UTF-8")));
         doc.getDocumentElement().normalize();
@@ -230,7 +231,7 @@ private String generateDestinationDiskLabel(String diskXml) throws ParserConfigu
     protected String generateDestinationDiskXML(Domain dm, String srcVolumeId, String diskFilePath, String destSecretUUID) throws LibvirtException, ParserConfigurationException, IOException, TransformerException, SAXException {
         final String domXml = dm.getXMLDesc(0);
 
-        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory dbFactory = ParserUtils.getSaferDocumentBuilderFactory();
         DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
         Document doc = dBuilder.parse(new ByteArrayInputStream(domXml.getBytes("UTF-8")));
         doc.getDocumentElement().normalize();
diff --git a/server/src/main/java/com/cloud/test/DatabaseConfig.java b/server/src/main/java/com/cloud/test/DatabaseConfig.java
@@ -429,7 +429,7 @@ protected void doConfig() {
         try {
             final File configFile = new File(_configFileName);
 
-            SAXParserFactory spfactory = SAXParserFactory.newInstance();
+            SAXParserFactory spfactory = ParserUtils.getSaferSAXParserFactory();
             final SAXParser saxParser = spfactory.newSAXParser();
             final DbConfigXMLHandler handler = new DbConfigXMLHandler();
             handler.setParent(this);
diff --git a/utils/src/main/java/com/cloud/utils/cisco/n1kv/vsm/VsmCommand.java b/utils/src/main/java/com/cloud/utils/cisco/n1kv/vsm/VsmCommand.java
@@ -26,6 +26,7 @@
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.logging.log4j.Logger;
+import org.apache.cloudstack.utils.security.ParserUtils;
 import org.apache.logging.log4j.LogManager;
 import org.w3c.dom.DOMException;
 import org.w3c.dom.DOMImplementation;
@@ -67,7 +68,7 @@ public enum OperationType {
     public static String getAddPortProfile(String name, PortProfileType type, BindingType binding, SwitchPortMode mode, int vlanid, String vdc, String espName) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -100,7 +101,7 @@ public static String getAddPortProfile(String name, PortProfileType type, Bindin
     public static String getAddPortProfile(String name, PortProfileType type, BindingType binding, SwitchPortMode mode, int vlanid) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -133,7 +134,7 @@ public static String getAddPortProfile(String name, PortProfileType type, Bindin
     public static String getUpdatePortProfile(String name, SwitchPortMode mode, List<Pair<VsmCommand.OperationType, String>> params) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -166,7 +167,7 @@ public static String getUpdatePortProfile(String name, SwitchPortMode mode, List
     public static String getDeletePortProfile(String portName) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -199,7 +200,7 @@ public static String getDeletePortProfile(String portName) {
     public static String getAddPolicyMap(String name, int averageRate, int maxRate, int burstRate) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -232,7 +233,7 @@ public static String getAddPolicyMap(String name, int averageRate, int maxRate,
     public static String getDeletePolicyMap(String name) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -265,7 +266,7 @@ public static String getDeletePolicyMap(String name) {
     public static String getServicePolicy(String policyMap, String portProfile, boolean attach) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -297,7 +298,7 @@ public static String getServicePolicy(String policyMap, String portProfile, bool
 
     public static String getPortProfile(String name) {
         try {
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -334,7 +335,7 @@ public static String getPortProfile(String name) {
 
     public static String getPolicyMap(String name) {
         try {
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
@@ -367,7 +368,7 @@ public static String getPolicyMap(String name) {
 
     public static String getHello() {
         try {
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
 
@@ -395,7 +396,7 @@ public static String getHello() {
     public static String getVServiceNode(String vlanId, String ipAddr) {
         try {
             // Create the document and root element.
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docFactory = ParserUtils.getSaferDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             DOMImplementation domImpl = docBuilder.getDOMImplementation();
             Document doc = createDocument(domImpl);
