External Formats XML: Prevent XXE vulnerability in XMLReader (finos#3188

)

* External Formats XML: Prevent XXE vulnerability in XMLReader

* Fix

legend-engine-xts-xml/legend-engine-xt-xml-shared/src/main/java/org/finos/legend/engine/external/format/xml/shared/XmlReader.java

@@ -47,7 +47,7 @@ public class XmlReader
     private static final int EVENT_BUFFER_SIZE = 4096;
     private static final int DEFAULT_CAPTURE_CAPACITY = 4096;
 
-    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newFactory();
+    private static final XMLInputFactory XML_INPUT_FACTORY = createInputFactory();
     private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newFactory();
 
     private final XMLEventReader reader;
@@ -57,6 +57,14 @@ public class XmlReader
     private EventBuffer eventBuffer;
     private ReadState currentState;
 
+    private static XMLInputFactory createInputFactory()
+    {
+        XMLInputFactory factory = XMLInputFactory.newFactory();
+        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        return factory;
+    }
+
+
     private XmlReader(XMLEventReader reader, Function<XMLStreamException, ? extends RuntimeException> exceptionHandler)
     {
         this(reader, exceptionHandler, DEFAULT_CAPTURE_CAPACITY);