eclipse-ee4j · caytec · Oct 18, 2023
diff --git a/...eclipse/persistence/tools/workbench/test/scplugin/model/read/LoadTopLinkSessionsTest.java b/...eclipse/persistence/tools/workbench/test/scplugin/model/read/LoadTopLinkSessionsTest.java
@@ -21,6 +21,7 @@
 import java.nio.channels.Channels;
 import java.nio.channels.FileChannel;
 import java.nio.channels.ReadableByteChannel;
+import java.nio.file.Files;
 import java.util.Collection;
 import java.util.Enumeration;
 import java.util.Iterator;
@@ -56,7 +57,7 @@ private File prepareSessionsXmlFile(ZipFile zipFile, ZipEntry entry) throws Exce
 
         // Create the Channel for the destination
         String fileName = entry.getName().replace('/', '_');
-        File file = File.createTempFile(fileName, null);
+        File file = Files.createTempFile(fileName, null).toFile();
         FileOutputStream fos = new FileOutputStream(file);
         FileChannel destinationChannel = fos.getChannel();
 

diff --git a/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/CollectionTools.java b/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/CollectionTools.java
@@ -15,6 +15,7 @@
 package org.eclipse.persistence.tools.workbench.utility;
 
 import java.lang.reflect.Array;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -1635,7 +1636,7 @@ public static Object[] rotate(Object[] array, int distance) {
         if (distance == 0) {
             return array;
         }
-        for (int cycleStart = 0, nMoved = 0; nMoved != len; cycleStart++) {
+        for (int cycleStart = 0, nMoved = 0; nMoved < len; cycleStart++) {
             Object displaced = array[cycleStart];
             int i = cycleStart;
             do {
@@ -1676,7 +1677,7 @@ public static char[] rotate(char[] array, int distance) {
         if (distance == 0) {
             return array;
         }
-        for (int cycleStart = 0, nMoved = 0; nMoved != len; cycleStart++) {
+        for (int cycleStart = 0, nMoved = 0; nMoved < len; cycleStart++) {
             char displaced = array[cycleStart];
             int i = cycleStart;
             do {
@@ -1717,7 +1718,7 @@ public static int[] rotate(int[] array, int distance) {
         if (distance == 0) {
             return array;
         }
-        for (int cycleStart = 0, nMoved = 0; nMoved != len; cycleStart++) {
+        for (int cycleStart = 0, nMoved = 0; nMoved < len; cycleStart++) {
             int displaced = array[cycleStart];
             int i = cycleStart;
             do {
@@ -1758,7 +1759,7 @@ public static Set set(Object[] array) {
         return set;
     }
 
-    private static final Random RANDOM = new Random();
+    private static final Random RANDOM = new SecureRandom();
 
     /**
      * Return the array after "shuffling" it.

diff --git a/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/XMLTools.java b/utility/src/main/java/org/eclipse/persistence/tools/workbench/utility/XMLTools.java
@@ -29,6 +29,7 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -79,6 +80,26 @@ public final class XMLTools {
     private static synchronized DocumentBuilderFactory documentBuilderFactory() {
         if (documentBuilderFactory == null) {
             documentBuilderFactory = DocumentBuilderFactory.newInstance();
+            String FEATURE = null;
+            try {
+                FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+                documentBuilderFactory.setFeature(FEATURE, false);
+
+                FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+                documentBuilderFactory.setFeature(FEATURE, false);
+
+                FEATURE = "http://xml.org/sax/features/external-general-entities";
+                documentBuilderFactory.setFeature(FEATURE, false);
+
+                documentBuilderFactory.setXIncludeAware(false);
+                documentBuilderFactory.setExpandEntityReferences(false);
+
+                documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+            } catch (ParserConfigurationException e) {
+                throw new IllegalStateException("The feature '"
+                    + FEATURE + "' is not supported by your XML processor.", e);
+            }
         }
         return documentBuilderFactory;
     }
@@ -452,6 +473,9 @@ public static void addSimpleTextNodes(Node parent, String childrenName, String c
     private static synchronized TransformerFactory transformerFactory() {
         if (transformerFactory == null) {
             transformerFactory = TransformerFactory.newInstance();
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         }
         return transformerFactory;
     }