[openrewrite] add JavaSecurityBestPractices (#2649)

nedtwigg · web-flow · commit fe722f806b2b · 2025-09-26T08:44:26.000-07:00
diff --git a/build.gradle b/build.gradle
@@ -30,8 +30,10 @@ spotless {
 }
 
 dependencies {
-	rewrite(platform("org.openrewrite.recipe:rewrite-recipe-bom:3.15.0"))
-	rewrite("org.openrewrite.recipe:rewrite-migrate-java:3.18.0")
+	rewrite(platform('org.openrewrite.recipe:rewrite-recipe-bom:3.15.0'))
+	rewrite('org.openrewrite.recipe:rewrite-migrate-java:3.18.0')
+	rewrite('org.openrewrite.recipe:rewrite-java-security:3.19.0')
+	rewrite('org.openrewrite.recipe:rewrite-rewrite:0.13.0')
 	rewrite('org.openrewrite.recipe:rewrite-static-analysis:2.18.0')
 	rewrite('org.openrewrite.recipe:rewrite-third-party:0.27.0')
 }
diff --git a/gradle/rewrite.gradle b/gradle/rewrite.gradle
@@ -5,6 +5,10 @@ rewrite {
 			'org.openrewrite.gradle.GradleBestPractices',
 			'org.openrewrite.java.RemoveUnusedImports',
 			'org.openrewrite.java.migrate.UpgradeToJava17',
+			'org.openrewrite.java.recipes.JavaRecipeBestPractices',
+			'org.openrewrite.java.recipes.RecipeTestingBestPractices',
+			'org.openrewrite.java.security.JavaSecurityBestPractices',
+			'org.openrewrite.staticanalysis.JavaApiBestPractices',
 			'org.openrewrite.staticanalysis.LowercasePackage',
 			'org.openrewrite.staticanalysis.MissingOverrideAnnotation',
 			'org.openrewrite.staticanalysis.ModifierOrder',
@@ -29,6 +33,8 @@ rewrite {
 			'**_gradle_node_plugin_example_**',
 			'**gradle/changelog.gradle',
 			'**gradle/java-publish.gradle',
+			'**idea/full.clean.java',
+			'**java-setup.gradle',
 			'**lib-extra/build.gradle',
 			'**lib/build.gradle',
 			'**package-info.java',
diff --git a/lib/src/main/java/com/diffplug/spotless/FormatterProperties.java b/lib/src/main/java/com/diffplug/spotless/FormatterProperties.java
@@ -33,6 +33,7 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -201,6 +202,21 @@ private Properties executeWithSupplier(Supplier<InputStream> isSupplier) throws
 			private Node getRootNode(final InputStream is) throws IOException, IllegalArgumentException {
 				try {
 					DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+					try {
+						dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+						dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+						dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+
+						dbf.setXIncludeAware(false);
+						dbf.setExpandEntityReferences(false);
+
+						dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+					} catch (ParserConfigurationException e) {
+						throw new IllegalStateException("Some features are not supported by your XML processor.", e);
+					}
 					/*
 					 * It is not required to validate or normalize attribute values for
 					 * the XMLs currently supported. Disabling validation is supported by

Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,10 @@ spotless {`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`dependencies {`
`33`		`- rewrite(platform("org.openrewrite.recipe:rewrite-recipe-bom:3.15.0"))`
`34`		`- rewrite("org.openrewrite.recipe:rewrite-migrate-java:3.18.0")`
	`33`	`+ rewrite(platform('org.openrewrite.recipe:rewrite-recipe-bom:3.15.0'))`
	`34`	`+ rewrite('org.openrewrite.recipe:rewrite-migrate-java:3.18.0')`
	`35`	`+ rewrite('org.openrewrite.recipe:rewrite-java-security:3.19.0')`
	`36`	`+ rewrite('org.openrewrite.recipe:rewrite-rewrite:0.13.0')`
`35`	`37`	`rewrite('org.openrewrite.recipe:rewrite-static-analysis:2.18.0')`
`36`	`38`	`rewrite('org.openrewrite.recipe:rewrite-third-party:0.27.0')`
`37`	`39`	`}`