fix(jruby): SAX parser uses an entity resolver

to avoid XXE injections.

This behavior now matches the CRuby implementation.

Author: flavorjones

ext/java/nokogiri/XmlSaxParserContext.java

@@ -225,6 +225,7 @@ public class XmlSaxParserContext extends ParserContext
     preParse(runtime, handlerRuby, handler);
     parser.setContentHandler(handler);
     parser.setErrorHandler(handler);
+    parser.setEntityResolver(new NokogiriEntityResolver(runtime, errorHandler, options));
 
     try {
       parser.setProperty("http://xml.org/sax/properties/lexical-handler", handler);

test/xml/sax/test_parser.rb

@@ -426,5 +426,38 @@ def call_parse_io_with_encoding(encoding)
 
       assert_predicate(handler.errors, :empty?)
     end
+
+    it "does not resolve entities by default" do
+      xml = <<~EOF
+        <?xml version="1.0" encoding="UTF-8"?>
+        <!DOCTYPE doc [
+          <!ENTITY local SYSTEM "file:///#{File.expand_path(__FILE__)}">
+          <!ENTITY custom "resolved>
+        ]>
+        <doc><foo>&local;</foo><foo>&custom;</foo></doc>
+      EOF
+
+      doc = Doc.new
+      parser = Nokogiri::XML::SAX::Parser.new(doc)
+      parser.parse(xml)
+
+      assert_nil(doc.data)
+    end
+
+    it "does not resolve network external entities by default" do
+      xml = <<~EOF
+        <?xml version="1.0" encoding="UTF-8"?>
+        <!DOCTYPE doc [
+          <!ENTITY remote SYSTEM "http://0.0.0.0:8080/evil.dtd">
+        ]>
+        <doc><foo>&remote;</foo></doc>
+      EOF
+
+      doc = Doc.new
+      parser = Nokogiri::XML::SAX::Parser.new(doc)
+      parser.parse(xml)
+
+      assert_nil(doc.data)
+    end
   end
 end