
YARN-11330. use secure XML parsers (#4981)

Move construction of XML parsers in YARN
modules to using the locked-down parser factory
of HADOOP-18469.

One exception: GpuDeviceInformationParser still supports DTD resolution;
all other features are disabled.

Contributed by P J Fanning
PJ Fanning 2 anos atrás
pai
commit
bfce21ee08
20 arquivos alterados com 99 adições e 74 exclusões
  1. 7 6
      hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/XMLUtils.java
  2. 2 1
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/SchedConfCLI.java
  3. 18 10
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/dao/gpu/GpuDeviceInformationParser.java
  4. 3 3
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServices.java
  5. 4 3
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServicesApps.java
  6. 2 1
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServicesAuxServices.java
  7. 3 2
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServicesContainers.java
  8. 18 14
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java
  9. 3 2
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceTrackerService.java
  10. 3 3
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/placement/TestPlacementRuleFS.java
  11. 4 3
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java
  12. 2 1
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppAttempts.java
  13. 5 4
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesApps.java
  14. 6 5
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppsModification.java
  15. 3 2
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesCapacitySched.java
  16. 2 1
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokens.java
  17. 2 1
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesForCSWithPartitions.java
  18. 7 8
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesNodes.java
  19. 3 3
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/helper/XmlCustomResourceTypeTestCase.java
  20. 2 1
      hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/webapp/TestRMWithCSRFFilter.java

+ 7 - 6
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/XMLUtils.java

@@ -41,17 +41,18 @@ import java.io.*;
 @InterfaceStability.Unstable
 public class XMLUtils {
 
-  private static final String DISALLOW_DOCTYPE_DECL =
+  public static final String DISALLOW_DOCTYPE_DECL =
       "http://apache.org/xml/features/disallow-doctype-decl";
-  private static final String LOAD_EXTERNAL_DECL =
+  public static final String LOAD_EXTERNAL_DECL =
       "http://apache.org/xml/features/nonvalidating/load-external-dtd";
-  private static final String EXTERNAL_GENERAL_ENTITIES =
+  public static final String EXTERNAL_GENERAL_ENTITIES =
       "http://xml.org/sax/features/external-general-entities";
-  private static final String EXTERNAL_PARAMETER_ENTITIES =
+  public static final String EXTERNAL_PARAMETER_ENTITIES =
       "http://xml.org/sax/features/external-parameter-entities";
-  private static final String CREATE_ENTITY_REF_NODES =
+  public static final String CREATE_ENTITY_REF_NODES =
       "http://apache.org/xml/features/dom/create-entity-ref-nodes";
-
+  public static final String VALIDATION =
+      "http://xml.org/sax/features/validation";
 
   /**
    * Transform input xml given a stylesheet.
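Review bot: The five feature-URI constants widened from private to public, and the new VALIDATION constant, carry no Javadoc, yet they are now part of XMLUtils' public surface and GpuDeviceInformationParser in this same commit imports them statically. Each should get a one-line Javadoc naming the feature it toggles and the value that keeps a parser locked down, e.g. `/** SAX feature URI; set to false so the parser never performs DTD validation. */` above VALIDATION and `/** Xerces feature URI; set to true so any DOCTYPE declaration is rejected outright. */` above DISALLOW_DOCTYPE_DECL. Without that, a caller can only learn the safe polarity of each flag by reading the factory helpers' bodies. The class is marked @InterfaceStability.Unstable, which limits the commitment, but does not remove the need to document what is exported.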

+ 2 - 1
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/cli/SchedConfCLI.java

@@ -37,6 +37,7 @@ import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
 import org.apache.hadoop.security.ssl.SSLFactory;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Tool;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.webapp.dao.ConfInfo;
 import org.apache.hadoop.yarn.webapp.dao.QueueConfigInfo;
@@ -190,7 +191,7 @@ public class SchedConfCLI extends Configured implements Tool {
     Source xmlInput = new StreamSource(new StringReader(input));
     StringWriter sw = new StringWriter();
     StreamResult xmlOutput = new StreamResult(sw);
-    TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    TransformerFactory transformerFactory = XMLUtils.newSecureTransformerFactory();
     transformerFactory.setAttribute("indent-number", indent);
     Transformer transformer = transformerFactory.newTransformer();
     transformer.setOutputProperty(OutputKeys.INDENT, "yes");

+ 18 - 10
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/dao/gpu/GpuDeviceInformationParser.java

@@ -18,20 +18,27 @@
 
 package org.apache.hadoop.yarn.server.nodemanager.webapp.dao.gpu;
 
+import java.io.StringReader;
+import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
+
 import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.yarn.exceptions.YarnException;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBException;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.parsers.SAXParserFactory;
-import javax.xml.transform.sax.SAXSource;
-import java.io.StringReader;
+import static org.apache.hadoop.util.XMLUtils.EXTERNAL_GENERAL_ENTITIES;
+import static org.apache.hadoop.util.XMLUtils.EXTERNAL_PARAMETER_ENTITIES;
+import static org.apache.hadoop.util.XMLUtils.LOAD_EXTERNAL_DECL;
+import static org.apache.hadoop.util.XMLUtils.VALIDATION;
 
 /**
  * Parse XML and get GPU device information
@@ -68,10 +75,11 @@ public class GpuDeviceInformationParser {
    */
   private SAXParserFactory initSaxParserFactory() throws Exception {
     SAXParserFactory spf = SAXParserFactory.newInstance();
-    spf.setFeature(
-        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
-        false);
-    spf.setFeature("http://xml.org/sax/features/validation", false);
+    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+    spf.setFeature(LOAD_EXTERNAL_DECL, false);
+    spf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
+    spf.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
+    spf.setFeature(VALIDATION, false);
     return spf;
   }
 
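Review bot: initSaxParserFactory still builds its parser by hand from `SAXParserFactory.newInstance()` and does not set DISALLOW_DOCTYPE_DECL, and nothing in the code says why; the commit message explains that DTD handling is intentionally retained here, and that rationale belongs next to the setFeature calls so the omission is not later read as an oversight or "fixed" by switching to the shared XMLUtils helper. Add above the first setFeature call: `// DOCTYPE handling is deliberately left enabled here (YARN-11330); external DTD loading, external entities and validation are switched off instead.` It is also worth a short comment on the FEATURE_SECURE_PROCESSING line that it matters precisely because DOCTYPEs are still accepted, since with the JDK's default parser it appears to be what bounds internal entity expansion — confirm against the parser in use. The method's Javadoc starts outside the hunk and should state the same exception.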

+ 3 - 3
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServices.java

@@ -35,6 +35,7 @@ import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.http.JettyUtils;
 import org.apache.hadoop.util.VersionInfo;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
@@ -432,10 +433,9 @@ public class TestNMWebServices extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML+ "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
-    InputSource is = new InputSource();
-    is.setCharacterStream(new StringReader(xml));
+    InputSource is = new InputSource(new StringReader(xml));
     Document dom = db.parse(is);
     NodeList nodes = dom.getElementsByTagName("nodeInfo");
     assertEquals("incorrect number of elements", 1, nodes.getLength());
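Review bot: The parse sequence at the changed lines (secure factory, newDocumentBuilder, InputSource over a StringReader, parse) is repeated verbatim in TestNMWebServicesApps, TestNMWebServicesAuxServices, TestNMWebServicesContainers, TestRMWebServices, TestRMWebServicesAppAttempts, TestRMWebServicesApps, TestRMWebServicesAppsModification, TestRMWebServicesDelegationTokens and TestRMWebServicesForCSWithPartitions, and this commit has to touch every copy, which is exactly the situation a helper avoids. The resourcemanager webapp tests are in the same package as `TestRMWebServicesCapacitySched.loadDocument(String)`, which already does this with the secure factory, so `Document dom = TestRMWebServicesCapacitySched.loadDocument(xml);` can replace each copy there; the nodemanager tests would need a local equivalent in their own module. This file also switches to `new InputSource(new StringReader(xml))` while every other copy keeps the two-line setCharacterStream form, so the style should be aligned one way or the other. The enclosing test method starts and ends outside the hunk.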

+ 4 - 3
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServicesApps.java

@@ -40,6 +40,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.http.JettyUtils;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
@@ -486,7 +487,7 @@ public class TestNMWebServicesApps extends JerseyTestBase {
           response.getType().toString());
       String msg = response.getEntity(String.class);
 
-      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
       DocumentBuilder db = dbf.newDocumentBuilder();
       InputSource is = new InputSource();
       is.setCharacterStream(new StringReader(msg));
@@ -651,7 +652,7 @@ public class TestNMWebServicesApps extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -676,7 +677,7 @@ public class TestNMWebServicesApps extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));

+ 2 - 1
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServicesAuxServices.java

@@ -40,6 +40,7 @@ import com.sun.jersey.api.client.filter.LoggingFilter;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.http.JettyUtils;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.nodemanager.Context;
@@ -257,7 +258,7 @@ public class TestNMWebServicesAuxServices extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));

+ 3 - 2
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMWebServicesContainers.java

@@ -39,6 +39,7 @@ import com.sun.jersey.api.client.filter.LoggingFilter;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileUtil;
 import org.apache.hadoop.http.JettyUtils;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.NodeId;
@@ -447,7 +448,7 @@ public class TestNMWebServicesContainers extends JerseyTestBase {
       assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
           response.getType().toString());
       String xml = response.getEntity(String.class);
-      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
       DocumentBuilder db = dbf.newDocumentBuilder();
       InputSource is = new InputSource();
       is.setCharacterStream(new StringReader(xml));
@@ -476,7 +477,7 @@ public class TestNMWebServicesContainers extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));

+ 18 - 14
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/scheduler/fair/AllocationFileLoaderService.java

@@ -17,17 +17,27 @@
 */
 package org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair;
 
-import org.apache.hadoop.classification.VisibleForTesting;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import java.io.IOException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
 import org.apache.hadoop.classification.InterfaceAudience.Public;
 import org.apache.hadoop.classification.InterfaceStability.Unstable;
+import org.apache.hadoop.classification.VisibleForTesting;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.UnsupportedFileSystemException;
 import org.apache.hadoop.security.authorize.AccessControlList;
 import org.apache.hadoop.service.AbstractService;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.QueueACL;
 import org.apache.hadoop.yarn.security.AccessType;
 import org.apache.hadoop.yarn.security.Permission;
@@ -39,19 +49,14 @@ import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.allocation.A
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.allocation.QueueProperties;
 import org.apache.hadoop.yarn.util.Clock;
 import org.apache.hadoop.yarn.util.SystemClock;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import java.io.IOException;
-import java.net.URL;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+
 import static org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.allocation.AllocationFileQueueParser.EVERYBODY_ACL;
 import static org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.allocation.AllocationFileQueueParser.ROOT;
 
@@ -236,8 +241,7 @@ public class AllocationFileLoaderService extends AbstractService {
     LOG.info("Loading allocation file " + allocFile);
 
     // Read and parse the allocations file.
-    DocumentBuilderFactory docBuilderFactory =
-        DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory docBuilderFactory = XMLUtils.newSecureDocumentBuilderFactory();
     docBuilderFactory.setIgnoringComments(true);
     DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
     Document doc = builder.parse(fs.open(allocFile));
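Review bot: The stream returned by `fs.open(allocFile)` on the line after the changed factory line is passed straight to `builder.parse` and is not closed anywhere in the hunk, so each allocation-file reload leaks a file-system input stream unless it is closed further down the method, which continues outside the hunk. Since the commit already rewrites this statement group, declare `Document doc;` first and parse inside try-with-resources, `try (FSDataInputStream in = fs.open(allocFile)) { doc = builder.parse(in); }` (FSDataInputStream needs an import next to the existing FileSystem one). A one-line why-comment above the factory line, `// Locked-down parser: the allocation file must not pull in DOCTYPEs or external entities.`, would also record what the switch to XMLUtils buys here.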

+ 3 - 2
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestResourceTrackerService.java

@@ -26,6 +26,7 @@ import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
 import org.apache.hadoop.util.Sets;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.nodelabels.NodeAttributeStore;
 import org.apache.hadoop.yarn.nodelabels.NodeLabelUtil;
 import org.apache.hadoop.yarn.server.api.ResourceTracker;
@@ -2662,7 +2663,7 @@ public class TestResourceTrackerService extends NodeLabelTestBase {
   private void writeToHostsXmlFile(
       File file, Pair<String, Integer>... hostsAndTimeouts) throws Exception {
     ensureFileExists(file);
-    DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbFactory = XMLUtils.newSecureDocumentBuilderFactory();
     Document doc = dbFactory.newDocumentBuilder().newDocument();
     Element hosts = doc.createElement("hosts");
     doc.appendChild(hosts);
@@ -2680,7 +2681,7 @@ public class TestResourceTrackerService extends NodeLabelTestBase {
         );
       }
     }
-    TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    TransformerFactory transformerFactory = XMLUtils.newSecureTransformerFactory();
     Transformer transformer = transformerFactory.newTransformer();
     transformer.setOutputProperty(OutputKeys.INDENT, "yes");
     transformer.transform(new DOMSource(doc), new StreamResult(file));

+ 3 - 3
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/placement/TestPlacementRuleFS.java

@@ -19,6 +19,7 @@
 package org.apache.hadoop.yarn.server.resourcemanager.placement;
 
 import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairSchedulerConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.QueueManager;
@@ -188,11 +189,10 @@ public class TestPlacementRuleFS {
 
   private Element createConf(String str) {
     // Create a simple rule element to use in the rule create
-    DocumentBuilderFactory docBuilderFactory =
-        DocumentBuilderFactory.newInstance();
-    docBuilderFactory.setIgnoringComments(true);
     Document doc = null;
     try {
+      DocumentBuilderFactory docBuilderFactory = XMLUtils.newSecureDocumentBuilderFactory();
+      docBuilderFactory.setIgnoringComments(true);
       DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
       doc = builder.parse(IOUtils.toInputStream(str, StandardCharsets.UTF_8));
     } catch (Exception ex) {

+ 4 - 3
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServices.java

@@ -57,6 +57,7 @@ import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authorize.AuthorizationException;
 import org.apache.hadoop.service.Service.STATE;
 import org.apache.hadoop.util.VersionInfo;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest;
 import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsResponse;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
@@ -310,7 +311,7 @@ public class TestRMWebServices extends JerseyTestBase {
   }
 
   public void verifyClusterInfoXML(String xml) throws JSONException, Exception {
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -436,7 +437,7 @@ public class TestRMWebServices extends JerseyTestBase {
 
   public void verifyClusterMetricsXML(String xml) throws JSONException,
       Exception {
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -607,7 +608,7 @@ public class TestRMWebServices extends JerseyTestBase {
 
   public void verifySchedulerFifoXML(String xml) throws JSONException,
       Exception {
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));

+ 2 - 1
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppAttempts.java

@@ -25,6 +25,7 @@ import com.sun.jersey.guice.spi.container.servlet.GuiceContainer;
 import com.sun.jersey.test.framework.WebAppDescriptor;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.JettyUtils;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.ContainerState;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
@@ -395,7 +396,7 @@ public class TestRMWebServicesAppAttempts extends JerseyTestBase {
             response.getType().toString());
     String xml = response.getEntity(String.class);
 
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));

+ 5 - 4
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesApps.java

@@ -31,6 +31,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.JettyUtils;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.Sets;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.ContainerState;
 import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
 import org.apache.hadoop.yarn.api.records.ResourceRequest;
@@ -189,7 +190,7 @@ public class TestRMWebServicesApps extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -223,7 +224,7 @@ public class TestRMWebServicesApps extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -264,7 +265,7 @@ public class TestRMWebServicesApps extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -1724,7 +1725,7 @@ public class TestRMWebServicesApps extends JerseyTestBase {
         response.getType().toString());
     String xml = response.getEntity(String.class);
 
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));

+ 6 - 5
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesAppsModification.java

@@ -56,6 +56,7 @@ import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.Credentials;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
 import org.apache.hadoop.yarn.api.records.ApplicationId;
 import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
@@ -532,7 +533,7 @@ public class TestRMWebServicesAppsModification extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -733,7 +734,7 @@ public class TestRMWebServicesAppsModification extends JerseyTestBase {
 
   protected String validateGetNewApplicationXMLResponse(String response)
       throws ParserConfigurationException, IOException, SAXException {
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(response));
@@ -1299,7 +1300,7 @@ public class TestRMWebServicesAppsModification extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -1329,7 +1330,7 @@ public class TestRMWebServicesAppsModification extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -1466,7 +1467,7 @@ public class TestRMWebServicesAppsModification extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));

+ 3 - 2
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesCapacitySched.java

@@ -50,6 +50,7 @@ import javax.xml.transform.stream.StreamResult;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.http.JettyUtils;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.Resource;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
@@ -315,7 +316,7 @@ public class TestRMWebServicesCapacitySched extends JerseyTestBase {
     DOMSource domSource = new DOMSource(document);
     StringWriter writer = new StringWriter();
     StreamResult result = new StreamResult(writer);
-    TransformerFactory tf = TransformerFactory.newInstance();
+    TransformerFactory tf = XMLUtils.newSecureTransformerFactory();
     Transformer transformer = tf.newTransformer();
     transformer.setOutputProperty(OutputKeys.INDENT, "yes");
     transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
@@ -324,7 +325,7 @@ public class TestRMWebServicesCapacitySched extends JerseyTestBase {
   }
 
   public static Document loadDocument(String xml) throws Exception {
-    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory factory = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder builder = factory.newDocumentBuilder();
     InputSource is = new InputSource(new StringReader(xml));
     return builder.parse(is);

+ 2 - 1
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesDelegationTokens.java

@@ -48,6 +48,7 @@ import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHand
 import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.util.Time;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
 import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
@@ -697,7 +698,7 @@ public class TestRMWebServicesDelegationTokens extends JerseyTestBase {
 
   public static DelegationToken getDelegationTokenFromXML(String tokenXML)
       throws IOException, ParserConfigurationException, SAXException {
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(tokenXML));

+ 2 - 1
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesForCSWithPartitions.java

@@ -42,6 +42,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
 import org.apache.hadoop.thirdparty.com.google.common.collect.ImmutableMap;
 import org.apache.hadoop.http.JettyUtils;
 import org.apache.hadoop.util.Sets;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.NodeId;
 import org.apache.hadoop.yarn.api.records.NodeLabel;
 import org.apache.hadoop.yarn.api.records.Priority;
@@ -258,7 +259,7 @@ public class TestRMWebServicesForCSWithPartitions extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
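Review bot: The four-line parse idiom introduced here (`XMLUtils.newSecureDocumentBuilderFactory()`, `newDocumentBuilder()`, an `InputSource` over a `StringReader`, then `parse`) is repeated verbatim in TestRMWebServicesNodes, TestRMWebServicesDelegationTokens and TestRMWithCSRFFilter within this same commit; a shared `static Document parseXml(String xml)` in a webapp test utility would give one place to keep the test-side parser configuration in step with XMLUtils. The `javax.xml.parsers.DocumentBuilderFactory` import kept at the top of this file is still required for the local variable's declared type, so leaving it is correct. The enclosing test method begins before the hunk.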

+ 7 - 8
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/TestRMWebServicesNodes.java

@@ -49,6 +49,7 @@ import org.apache.hadoop.http.JettyUtils;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.api.records.ContainerStatus;
 import org.apache.hadoop.yarn.api.records.NodeAttribute;
 import org.apache.hadoop.yarn.api.records.NodeAttributeType;
@@ -578,10 +579,9 @@ public class TestRMWebServicesNodes extends JerseyTestBase {
           response.getType().toString());
       String msg = response.getEntity(String.class);
       System.out.println(msg);
-      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
       DocumentBuilder db = dbf.newDocumentBuilder();
-      InputSource is = new InputSource();
-      is.setCharacterStream(new StringReader(msg));
+      InputSource is = new InputSource(new StringReader(msg));
       Document dom = db.parse(is);
       NodeList nodes = dom.getElementsByTagName("RemoteException");
       Element element = (Element) nodes.item(0);
@@ -646,10 +646,9 @@ public class TestRMWebServicesNodes extends JerseyTestBase {
     assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
         response.getType().toString());
     String xml = response.getEntity(String.class);
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
-    InputSource is = new InputSource();
-    is.setCharacterStream(new StringReader(xml));
+    InputSource is = new InputSource(new StringReader(xml));
     Document dom = db.parse(is);
     NodeList nodesApps = dom.getElementsByTagName("nodes");
     assertEquals("incorrect number of elements", 1, nodesApps.getLength());
@@ -672,7 +671,7 @@ public class TestRMWebServicesNodes extends JerseyTestBase {
         response.getType().toString());
     String xml = response.getEntity(String.class);
 
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
@@ -694,7 +693,7 @@ public class TestRMWebServicesNodes extends JerseyTestBase {
         response.getType().toString());
     String xml = response.getEntity(String.class);
 
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));
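Review bot: The `InputSource` construction is left inconsistent within this file: the first two hunks collapse it to `InputSource is = new InputSource(new StringReader(msg));`, while the `@@ -672` and `@@ -694` hunks keep the two-statement form `InputSource is = new InputSource(); is.setCharacterStream(new StringReader(xml));`. Since those two hunks are already being edited for the factory change, applying the same one-liner there keeps all four parse sites identical and avoids a mixed style in one class. The test methods enclosing each hunk start outside the visible lines.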

+ 3 - 3
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/helper/XmlCustomResourceTypeTestCase.java

@@ -20,6 +20,7 @@ package org.apache.hadoop.yarn.server.resourcemanager.webapp.helper;
 
 import com.sun.jersey.api.client.WebResource;
 import org.apache.hadoop.http.JettyUtils;
+import org.apache.hadoop.util.XMLUtils;
 import org.codehaus.jettison.json.JSONObject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -29,7 +30,6 @@ import org.xml.sax.InputSource;
 
 import javax.ws.rs.core.MediaType;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.*;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
@@ -84,7 +84,7 @@ public class XmlCustomResourceTypeTestCase {
     try {
       String xml = response.getEntity(String.class);
       DocumentBuilder db =
-          DocumentBuilderFactory.newInstance().newDocumentBuilder();
+          XMLUtils.newSecureDocumentBuilderFactory().newDocumentBuilder();
       InputSource is = new InputSource();
       is.setCharacterStream(new StringReader(xml));
 
@@ -105,7 +105,7 @@ public class XmlCustomResourceTypeTestCase {
   public static String toXml(Node node) {
     StringWriter writer;
     try {
-      TransformerFactory tf = TransformerFactory.newInstance();
+      TransformerFactory tf = XMLUtils.newSecureTransformerFactory();
       Transformer transformer = tf.newTransformer();
       transformer.setOutputProperty(OutputKeys.INDENT, "yes");
       transformer.setOutputProperty(
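Review bot: Both helpers in this shared test-case class now use the locked-down factories without a comment saying why, which matters because other tests call through this class and will presumably see DTD-bearing or entity-bearing XML rejected where the default factories accepted it. A comment above the `XMLUtils.newSecureDocumentBuilderFactory().newDocumentBuilder()` line such as `// Parse with the same hardened JAXP configuration production code uses, so fixtures cannot rely on DTDs or external entities.` and a matching `@implNote` on `toXml` would record that intent; the precise set of disabled features is not visible in this page, so word it accordingly. Dropping the `javax.xml.parsers.DocumentBuilderFactory` import is correct since the factory is now only an intermediate call result. Both enclosing methods continue past their hunks (the try/catch in the first closes below).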

+ 2 - 1
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/test/java/org/apache/hadoop/yarn/webapp/TestRMWithCSRFFilter.java

@@ -30,6 +30,7 @@ import org.apache.hadoop.http.JettyUtils;
 import org.apache.hadoop.security.http.RestCsrfPreventionFilter;
 import org.apache.hadoop.service.Service.STATE;
 import org.apache.hadoop.util.VersionInfo;
+import org.apache.hadoop.util.XMLUtils;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
 import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
@@ -153,7 +154,7 @@ public class TestRMWithCSRFFilter extends JerseyTestBase {
   }
 
   public void verifyClusterInfoXML(String xml) throws Exception {
-    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
     DocumentBuilder db = dbf.newDocumentBuilder();
     InputSource is = new InputSource();
     is.setCharacterStream(new StringReader(xml));