From e5b8f6136fddd5171fd1ad0768c672457cbc9c3d Mon Sep 17 00:00:00 2001
From: "Stein.Codes"
Date: Wed, 18 Oct 2023 05:38:53 +0000
Subject: [PATCH] refactor: Java Security Ultimate Security Repo Scanner 2023

Disclaimer: Automated Commit Alert Please be aware that this commit, generated through automated processes, may contain false alerts or not be precisely targeted. This automated commit is part of a large-scale effort to enhance software security over time. It is sent to various repositories to improve code quality and security. Exercise caution when reviewing the changes, and ensure that any necessary adjustments are made to maintain the integrity and functionality of the software. Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/TkgUEiqd7?organizationId=RWNsaXBzZSBGb3VuZGF0aW9u

Co-authored-by: Moderne
---
 .../model/read/LoadTopLinkSessionsTest.java | 3 ++-
 .../workbench/utility/CollectionTools.java | 9 +++----
 .../tools/workbench/utility/XMLTools.java | 24 +++++++++++++++++++
 3 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/scplugin/src/test/java/org/eclipse/persistence/tools/workbench/test/scplugin/model/read/LoadTopLinkSessionsTest.java b/scplugin/src/test/java/org/eclipse/persistence/tools/workbench/test/scplugin/model/read/LoadTopLinkSessionsTest.java
index f5565cb2..40c04440 100644
--- a/scplugin/src/test/java/org/eclipse/persistence/tools/workbench/test/scplugin/model/read/LoadTopLinkSessionsTest.java
+++ b/scplugin/src/test/java/org/eclipse/persistence/tools/workbench/test/scplugin/model/read/LoadTopLinkSessionsTest.java
@@ -21,6 +21,7 @@ import java.nio.channels.Channels;
 import java.nio.channels.FileChannel;
 import java.nio.channels.ReadableByteChannel;
+import java.nio.file.Files;
 import java.util.Collection;
 import java.util.Enumeration;
 import java.util.Iterator;
@@ -56,7 +57,7 @@ private File prepareSessionsXmlFile(ZipFile zipFile, ZipEntry entry) throws Exce
 // Create the Channel for the destination
 String fileName = entry.getName().replace('/', '_');
- File file = File.createTempFile(fileName, null);
+ File file = Files.createTempFile(fileName, null).toFile();
 FileOutputStream fos = new FileOutputStream(file);
 FileChannel destinationChannel = fos.getChannel();
diff --git a/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/CollectionTools.java b/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/CollectionTools.java
index 982b7bed..6d5fa965 100644
--- a/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/CollectionTools.java
+++ b/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/CollectionTools.java
@@ -15,6 +15,7 @@ package org.eclipse.persistence.tools.workbench.utility;
 import java.lang.reflect.Array;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -1635,7 +1636,7 @@ public static Object[] rotate(Object[] array, int distance) {
 if (distance == 0) {
 return array;
 }
- for (int cycleStart = 0, nMoved = 0; nMoved != len; cycleStart++) {
+ for (int cycleStart = 0, nMoved = 0; nMoved < len; cycleStart++) {
 Object displaced = array[cycleStart];
 int i = cycleStart;
 do {
@@ -1676,7 +1677,7 @@ public static char[] rotate(char[] array, int distance) {
 if (distance == 0) {
 return array;
 }
- for (int cycleStart = 0, nMoved = 0; nMoved != len; cycleStart++) {
+ for (int cycleStart = 0, nMoved = 0; nMoved < len; cycleStart++) {
 char displaced = array[cycleStart];
 int i = cycleStart;
 do {
@@ -1717,7 +1718,7 @@ public static int[] rotate(int[] array, int distance) {
 if (distance == 0) {
 return array;
 }
- for (int cycleStart = 0, nMoved = 0; nMoved != len; cycleStart++) {
+ for (int cycleStart = 0, nMoved = 0; nMoved < len; cycleStart++) {
 int displaced = array[cycleStart];
 int i = cycleStart;
 do {
@@ -1758,7 +1759,7 @@ public static Set set(Object[] array) {
 return set;
 }
- private static final Random RANDOM = new Random();
+ private static final Random RANDOM = new SecureRandom();
 /**
 * Return the array after "shuffling" it.
diff --git a/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/XMLTools.java b/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/XMLTools.java
index 0cdb5f6c..e1c2827d 100644
--- a/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/XMLTools.java
+++ b/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/XMLTools.java
@@ -29,6 +29,7 @@ import java.util.ArrayList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
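Review bot: The `RANDOM` field now holds a `SecureRandom`, but nothing in the hunk records why a CSPRNG is wanted for a general-purpose shuffle helper, and the next maintainer may well revert it for speed; add a comment on the field, e.g. `// SecureRandom: shuffle order must not be reproducible from a seed when callers pass sensitive data`. The static type stays `Random`, so callers of the shuffle helpers are unaffected. One shared `SecureRandom` is thread-safe but presumably serialises concurrent callers on the provider's internal lock, and on some platforms its first use can block while seeding, so it is worth confirming the shuffle helpers are not on a hot or startup-critical path. The three `rotate` hunks (`nMoved != len` to `nMoved < len`, here and in the two above) look behaviour-neutral if `nMoved` advances by one per moved element in the `do` body outside the hunk, though the stricter `!=` would have surfaced an overshoot as a hang rather than hiding it.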
@@ -79,6 +80,26 @@ public final class XMLTools {
 private static synchronized DocumentBuilderFactory documentBuilderFactory() {
 if (documentBuilderFactory == null) {
 documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ String FEATURE = null;
+ try {
+ FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+ documentBuilderFactory.setFeature(FEATURE, false);
+
+ FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+ documentBuilderFactory.setFeature(FEATURE, false);
+
+ FEATURE = "http://xml.org/sax/features/external-general-entities";
+ documentBuilderFactory.setFeature(FEATURE, false);
+
+ documentBuilderFactory.setXIncludeAware(false);
+ documentBuilderFactory.setExpandEntityReferences(false);
+
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+ } catch (ParserConfigurationException e) {
+ throw new IllegalStateException("The feature '" + + FEATURE + "' is not supported by your XML processor.", e);
+ }
 }
 return documentBuilderFactory;
 }
@@ -452,6 +473,9 @@ public static void addSimpleTextNodes(Node parent, String childrenName, String c
 private static synchronized TransformerFactory transformerFactory() {
 if (transformerFactory == null) {
 transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 }
 return transformerFactory;
 }
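Review bot: `documentBuilderFactory` is assigned from `newInstance()` before the `try` that hardens it, so if any `setFeature` call throws, the first caller sees the `IllegalStateException` but every later caller finds the field already non-null and silently receives the unhardened factory. Configure a local and publish it to the field only after the `catch`; the `transformerFactory()` hunk below has the same ordering problem. `setXIncludeAware` is specified to throw `UnsupportedOperationException` on implementations that do not override it, which `catch (ParserConfigurationException e)` does not cover. `setExpandEntityReferences(false)` also changes the DOM shape for documents that use internal entities (`EntityReference` nodes instead of `Text`), so callers that walk child nodes for text should be checked; that depends on code outside this hunk. As a point of style, `FEATURE` is a mutable local rather than a constant and reads better as `feature`.
```java
    private static synchronized DocumentBuilderFactory documentBuilderFactory() {
        if (documentBuilderFactory == null) {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            String feature = null;
            try {
                // … unchanged: the setFeature / setXIncludeAware / setExpandEntityReferences calls, invoked on factory instead of the field …
            } catch (ParserConfigurationException e) {
                throw new IllegalStateException("The feature '"
                        + feature + "' is not supported by your XML processor.", e);
            }
            // Publish only a fully hardened instance; a failure above leaves the field null,
            // so the next caller fails again instead of receiving a partially configured factory.
            documentBuilderFactory = factory;
        }
        return documentBuilderFactory;
    }
```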
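Review bot: `TransformerFactory.setFeature` declares the checked `TransformerConfigurationException`, and the context line shows `transformerFactory()` with no `throws` clause, so the added `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` line should not compile as written. Wrap the three configuration calls in a `try`/`catch` that rethrows as `IllegalStateException`, mirroring the `documentBuilderFactory()` hunk above; `setAttribute` is also specified to throw `IllegalArgumentException` for an attribute the implementation does not recognise, so include it. As in that hunk, the field is assigned before hardening, so a failure leaves later callers with an unhardened factory; configure a local and assign it last. `TransformerConfigurationException` must be imported if it is not already in scope, since the import block is outside this hunk.
```java
    private static synchronized TransformerFactory transformerFactory() {
        if (transformerFactory == null) {
            TransformerFactory factory = TransformerFactory.newInstance();
            try {
                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            } catch (TransformerConfigurationException | IllegalArgumentException e) {
                throw new IllegalStateException("Secure processing is not supported by your XML transformer.", e);
            }
            // Publish only a fully hardened instance.
            transformerFactory = factory;
        }
        return transformerFactory;
    }
```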