From ccc4164d54c5493c6cd9ae753e61f4600ad9cbbd Mon Sep 17 00:00:00 2001
From: Ruffalo Lavoisier <RuffaloLavoisier@gmail.com>
Date: Wed, 15 Apr 2026 03:15:34 +0900
Subject: [PATCH] fix: harden XML parser in FileTypeDetector against XML bomb
 DoS (PR #2851)

---
 jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java b/jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java
index 8bd5bb4ee..4af318534 100644
--- a/jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java
+++ b/jadx-core/src/main/java/jadx/core/deobf/FileTypeDetector.java
@@ -83,9 +83,12 @@ public class FileTypeDetector {
 		try {
 			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 			factory.setNamespaceAware(true);
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 			factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 			factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 			factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			factory.setXIncludeAware(false);
+			factory.setExpandEntityReferences(false);
 
 			DocumentBuilder builder = factory.newDocumentBuilder();
 			Document doc = builder.parse(new java.io.ByteArrayInputStream(data));