From db002c47f46162691e0684058291bc1c7a3c4cb0 Mon Sep 17 00:00:00 2001
From: Shinsuke Sugaya <shinsuke@apache.org>
Date: Sat, 3 Apr 2021 08:40:13 +0900
Subject: [PATCH] fix issues from sonarcloud

---
 src/main/java/org/codelibs/fess/helper/PluginHelper.java   | 3 +++
 src/main/java/org/codelibs/fess/helper/ThemeHelper.java    | 4 +++-
 src/main/java/org/codelibs/fess/helper/UserInfoHelper.java | 2 +-
 src/main/java/org/codelibs/fess/util/GsaConfigParser.java  | 3 +++
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/codelibs/fess/helper/PluginHelper.java b/src/main/java/org/codelibs/fess/helper/PluginHelper.java
index 0e2aeec22..02329e45e 100644
--- a/src/main/java/org/codelibs/fess/helper/PluginHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/PluginHelper.java
@@ -35,6 +35,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 
@@ -123,6 +124,8 @@ public class PluginHelper {
             try (final InputStream is = new ByteArrayInputStream(pluginMetaContent.getBytes(Constants.UTF_8_CHARSET))) {
                 final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
                 factory.setFeature(Constants.FEATURE_SECURE_PROCESSING, true);
+                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtil.EMPTY);
+                factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtil.EMPTY);
                 final DocumentBuilder builder = factory.newDocumentBuilder();
                 final Document document = builder.parse(is);
                 final NodeList nodeList = document.getElementsByTagName("version");
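Review bot: A DOCTYPE declaration is still accepted after the two added `setAttribute` calls, which only block fetching of external DTDs and schemas. If the plugin metadata never needs a DTD (the lookup of a `version` element suggests it does not), rejecting it outright is the stronger setting: `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()`. The same applies to the `SAXParserFactory` in the GsaConfigParser hunk. `setAttribute` also throws `IllegalArgumentException` when the JAXP implementation on the classpath does not recognise these properties, and the enclosing try's catch clauses are outside the hunk, so confirm that case is handled.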
diff --git a/src/main/java/org/codelibs/fess/helper/ThemeHelper.java b/src/main/java/org/codelibs/fess/helper/ThemeHelper.java
index 05e031860..f5efdc845 100644
--- a/src/main/java/org/codelibs/fess/helper/ThemeHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/ThemeHelper.java
@@ -28,6 +28,7 @@ import java.util.zip.ZipInputStream;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.codelibs.core.lang.StringUtil;
+import org.codelibs.core.stream.StreamUtil;
 import org.codelibs.fess.exception.ThemeException;
 import org.codelibs.fess.helper.PluginHelper.Artifact;
 import org.codelibs.fess.helper.PluginHelper.ArtifactType;
@@ -46,7 +47,8 @@ public class ThemeHelper {
             ZipEntry entry;
             while ((entry = zis.getNextEntry()) != null) {
                 if (!entry.isDirectory()) {
-                    final String[] names = entry.getName().split("/");
+                    final String[] names = StreamUtil.split(entry.getName(), "/")
+                            .get(stream -> stream.filter(s -> !"..".equals(s)).toArray(n -> new String[n]));
                     if (names.length < 2) {
                         continue;
                     }
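Review bot: Filtering `..` out of `names` silently rewrites a suspicious entry name into a different path instead of rejecting the entry, and it only recognises segments delimited by `/`. An archive containing such an entry is malformed or hostile, so failing with a `ThemeException` is safer than extracting it under an altered name. The check should sit where the output path is built, as a containment test on the resolved path: `if (!target.normalize().startsWith(baseDir)) { throw new ThemeException(...); }`. Here `target` and `baseDir` are placeholders for the paths computed after this hunk, which is not visible. As a style point, `n -> new String[n]` can be written `String[]::new`.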
diff --git a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
index b16ed7fe2..003df0959 100644
--- a/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
+++ b/src/main/java/org/codelibs/fess/helper/UserInfoHelper.java
@@ -101,7 +101,7 @@ public class UserInfoHelper {
     public void deleteUserCodeFromCookie(final HttpServletRequest request) {
         final String cookieValue = getUserCodeFromCookie(request);
         if (cookieValue != null) {
-            updateCookie(cookieValue, 0);
+            updateCookie(StringUtil.EMPTY, 0);
         }
     }
 
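Review bot: The `updateCookie(StringUtil.EMPTY, 0)` call does not say why an empty value is sent, so a later reader may "simplify" it back to passing `cookieValue`. A one-line comment would prevent that, for example `// expire the cookie with an empty value so the user code is not echoed back in Set-Cookie`. Whether the browser actually drops the cookie depends on `updateCookie` using the same name, path and domain as when the cookie was set; that method is outside the hunk.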
diff --git a/src/main/java/org/codelibs/fess/util/GsaConfigParser.java b/src/main/java/org/codelibs/fess/util/GsaConfigParser.java
index 641a991f3..40e0477e5 100644
--- a/src/main/java/org/codelibs/fess/util/GsaConfigParser.java
+++ b/src/main/java/org/codelibs/fess/util/GsaConfigParser.java
@@ -26,6 +26,7 @@ import java.util.Map;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -92,6 +93,8 @@ public class GsaConfigParser extends DefaultHandler {
             final SAXParserFactory factory = SAXParserFactory.newInstance();
             factory.setFeature(org.codelibs.fess.crawler.Constants.FEATURE_SECURE_PROCESSING, true);
             final SAXParser parser = factory.newSAXParser();
+            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtil.EMPTY);
+            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtil.EMPTY);
             parser.parse(is, this);
         } catch (final Exception e) {
             throw new GsaConfigException("Failed to parse XML file.", e);
-- 
GitLab