Set Load external DTD feature to be enabled

[liutikas]

I realize this is a somewhat odd request, but here it goes. In our project (Android OS) we use ENTITY in our config to allow composing our config files from many different files as some subprojects of Android OS have different style requirements. This normally works great with Checkstyle, however our default java installation has load-external-dtd feature disabled (due to security reasons). This is a request to add
final SAXParserFactory factory = SAXParserFactory.newInstance(); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);

to com.puppycrawl.tools.checkstyle.api.AbstractLoader.

This would not affect anyone, except to allow us to keep using Checkstyle without any downstream modifications.

both features load-external-dtd and external-general-entities are normally default set to true. Our company has set their java defaults to false as it can lead to cross scripting attacks if not handled correctly. load-external-dtd feature allows to load external DTD into a an XML document and external-general-entities feature allows to these these external DTDs in elements. Using these two we are able to compose configuration files from multiple XML files. Since both of these features are enabled by default in default java set ups it should be a no-op for most checkstyle users.

https://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd

Execution is done by CLI - https://android.googlesource.com/platform/prebuilts/checkstyle/+/7de5d4001767b7929fae914e088a724af9597c1a/checkstyle.py#164

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[romani]

https://docs.oracle.com/javase/tutorial/jaxp/properties/scope.html

https://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd , default is "true"... but in issue specified as disabled in java installation due to security reason.

Should be fine to do such update as we actually enforce default value.

[romani]

@liutikas , please provide PR with update.

[romani]

fix is merged.

[romani]

@liutikas , can you share an example on how different projects override path to ENTITY ?

[liutikas]

https://android.googlesource.com/platform/prebuilts/checkstyle/+/master/android-style.xml is the use we have in Android project.

[romani]

@liutikas , yes, I got this from issue description.

to allow composing our config files from many different files as some subprojects of Android OS have different style requirements.

Please share a link to project that override default.

[romani]

@liutikas , we are planning to disable(set to "false") such features by default and provide CLI parameter to enable them. Please let me know if this might be problem by you.

[liutikas]

Sure, disable it.

[romani]

@liutikas , changed at scope of #6474 , released as 8.18.