Merge pull request #1205 from kermitt2/alert-autofix-41

Fix code scanning alert no. 41: Resolving XML external entity in user-controlled data

grobid-core/src/main/java/org/grobid/core/document/OPSService.java

@@ -118,8 +118,11 @@ public String descriptionRetrieval(String patentNumber) throws IOException,
 			spf.setFeature("http://xml.org/sax/features/validation", false);
 			spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
 			spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 			//get a new instance of parser
 			XMLReader reader = spf.newSAXParser().getXMLReader();
+			reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 			reader.setEntityResolver(new EntityResolver() {
 				public InputSource resolveEntity(String publicId, String systemId) {
 					return new InputSource(

grobid-service/src/main/java/org/grobid/service/process/GrobidRestProcessTraining.java

@@ -359,6 +359,11 @@ public void run() {
     public Response resultTraining(String token) {
         Response response = null;
         try {
+            // Validate the token to prevent directory traversal
+            if (token.contains("..") || token.contains("/") || token.contains("\\")) {
+                throw new GrobidServiceException("Invalid token", Status.BAD_REQUEST);
+            }
+
             // access report file under token subdirectory
             File home = GrobidProperties.getInstance().getGrobidHomePath();
             String tokenPath = home.getAbsolutePath() + "/training-history/" + token;