HV-2102 Disable external schema loading

Adjusted/reworked version of https://github.com/hibernate/hibernate-validator/pull/1612/files

Co-authored-by: marko-bekhta <[email protected]>

Author: simei2k

engine/src/main/java/org/hibernate/validator/internal/util/logging/Log.java

@@ -942,4 +942,8 @@ ConstraintDefinitionException getConstraintValidatorDefinitionConstraintMismatch
 	@Message(id = 268, value = "The default group sequence provider %s does not implement neither `getValidationGroups(Class<?> klass, T object)` nor `getValidationGroups(T object)` methods."
 			+ " One of them has to be implemented for the default group sequence provider to be correctly defined.")
 	GroupDefinitionException getDefaultGroupSequenceProviderTypeDoesNotImplementAnyMethodsException(@FormatWith(ClassObjectFormatter.class) Class<?> klass);
+
+	@LogMessage(level = DEBUG)
+	@Message(id = 269, value = "Unable to enable secure XML feature processing when loading %1$s: %2$s")
+	void unableToEnableSecureFeatureProcessingSchemaXml(String fileName, String message);
 }

engine/src/main/java/org/hibernate/validator/internal/xml/XmlParserHelper.java

@@ -29,6 +29,8 @@
 import org.hibernate.validator.internal.util.logging.Log;
 import org.hibernate.validator.internal.util.logging.LoggerFactory;
 
+import org.xml.sax.SAXException;
+
 /**
  * Provides common functionality used within the different XML descriptor
  * parsers.
@@ -140,6 +142,14 @@ private Schema loadSchema(String schemaResource) {
 
 		URL schemaUrl = GetResource.action( loader, schemaResource );
 		SchemaFactory sf = SchemaFactory.newInstance( javax.xml.XMLConstants.W3C_XML_SCHEMA_NS_URI );
+
+		try {
+			sf.setFeature( javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true );
+		}
+		catch (SAXException e) {
+			LOG.unableToEnableSecureFeatureProcessingSchemaXml( schemaResource, e.getMessage() );
+		}
+
 		Schema schema = null;
 		try {
 			schema = NewSchema.action( sf, schemaUrl );