Posted to commits@syncope.apache.org by il...@apache.org on 2018/10/25 11:07:24 UTC

[1/3] syncope git commit: Ensuring all XML input processing is safe - disable DTD and external entities

Repository: syncope
Updated Branches:
  refs/heads/2_0_X 7915c896f -> 979c28abf
  refs/heads/2_1_X e55941787 -> a0f35f45f
  refs/heads/master 6d285b201 -> bdb6a180d


Ensuring all XML input processing is safe - disable DTD and external entities


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/979c28ab
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/979c28ab
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/979c28ab

Branch: refs/heads/2_0_X
Commit: 979c28abf2587c73b57d20e4b892410fdd336f06
Parents: 7915c89
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Oct 25 12:57:02 2018 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Oct 25 12:57:02 2018 +0200

----------------------------------------------------------------------
 .../syncope/client/cli/commands/migrate/MigrateConf.java    | 9 +++++++--
 .../widgets/reconciliation/ReconciliationReportParser.java  | 9 +++++++--
 .../syncope/core/workflow/activiti/ActivitiDeployUtils.java | 9 ++++++++-
 .../activiti/spring/DomainProcessEngineFactoryBean.java     | 1 +
 .../syncope/core/workflow/flowable/FlowableDeployUtils.java | 9 ++++++++-
 .../flowable/spring/DomainProcessEngineFactoryBean.java     | 1 +
 6 files changed, 32 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
----------------------------------------------------------------------
diff --git a/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java b/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
index 8b4884d..ec88457 100644
--- a/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
+++ b/client/cli/src/main/java/org/apache/syncope/client/cli/commands/migrate/MigrateConf.java
@@ -53,12 +53,17 @@ public class MigrateConf {
 
     private static final String HELP_MESSAGE = "migrate --conf {SRC} {DST}";
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
 
     private static final XMLOutputFactory OUTPUT_FACTORY = XMLOutputFactory.newInstance();
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     private final MigrateResultManager migrateResultManager = new MigrateResultManager();
 
     private final Input input;
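Review bot: The static initializer added here is repeated verbatim in ReconciliationReportParser, ActivitiDeployUtils and FlowableDeployUtils, and none of the copies says why the two properties are set. A short comment above the block, e.g. `// XXE hardening: disable DTD processing and external entity resolution`, would keep a later cleanup from dropping one of the two lines. If these modules share a common utility dependency (not visible from this diff), a single method returning the already-configured XMLInputFactory would stop the four copies drifting apart.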
@@ -144,7 +149,7 @@ public class MigrateConf {
         reporter.writeStartElement("dataset");
 
         InputStream inputStream = Files.newInputStream(Paths.get(src));
-        XMLStreamReader reader = INPUT_FACTORY.createXMLStreamReader(inputStream);
+        XMLStreamReader reader = XML_INPUT_FACTORY.createXMLStreamReader(inputStream);
         reader.nextTag(); // root
         reader.nextTag(); // dataset
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
index b73b4ba..812e5c1 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
@@ -33,10 +33,15 @@ import org.apache.syncope.common.lib.types.AnyTypeKind;
 
 public final class ReconciliationReportParser {
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
 
     public static ReconciliationReport parse(final Date run, final InputStream in) throws XMLStreamException {
-        XMLStreamReader streamReader = INPUT_FACTORY.createXMLStreamReader(in);
+        XMLStreamReader streamReader = XML_INPUT_FACTORY.createXMLStreamReader(in);
         streamReader.nextTag(); // root
         streamReader.nextTag(); // report
         streamReader.nextTag(); // reportlet
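Review bot: Nothing in this commit exercises the new hardening; the diffstat lists production files only. `parse(Date, InputStream)` is static and takes a plain stream, so a unit test can pass it a small document carrying a DOCTYPE with an entity declaration and assert that the entity is never expanded. Depending on the StAX provider on the classpath, that shows up as an XMLStreamException or as an unexpanded reference. Such a test would also catch a provider swap that silently ignores `SUPPORT_DTD`. The body of `parse` continues outside the hunk.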

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
index 6022f85..ef542d7 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiDeployUtils.java
@@ -41,6 +41,13 @@ public final class ActivitiDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition) {
 
@@ -58,7 +65,7 @@ public final class ActivitiDeployUtils {
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();
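Review bot: The hardened factory is still fed `new InputStreamReader(bpmnStream)`, which decodes with the platform default charset and bypasses the parser's own detection from the XML declaration. On a host whose default is not UTF-8, non-ASCII text in a BPMN definition would be misread. Passing the stream directly, `xtr = XML_INPUT_FACTORY.createXMLStreamReader(bpmnStream);`, lets the parser honour the declared encoding. The `isr` resource then becomes unnecessary, but the try-with-resources header begins outside the hunk. The same pattern is in the FlowableDeployUtils hunks on all three branches.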

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
index cf112bd..bc71ac0 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/spring/DomainProcessEngineFactoryBean.java
@@ -73,6 +73,7 @@ public class DomainProcessEngineFactoryBean
                     if (conf.getExpressionManager() == null) {
                         conf.setExpressionManager(new SpringExpressionManager(ctx, conf.getBeans()));
                     }
+                    conf.setEnableSafeBpmnXml(true);
 
                     engines.put(domain, conf.buildProcessEngine());
                 }
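Review bot: `conf.setEnableSafeBpmnXml(true)` sits outside the `getExpressionManager() == null` guard, so it unconditionally overrides whatever the bean definition set for this flag. That looks intentional for a security fix, but it is not stated anywhere. A comment such as `// always parse deployed BPMN XML with the engine's safe settings, regardless of bean configuration` would record the decision. The same line is added to the Flowable DomainProcessEngineFactoryBean in this commit and on the other two branches. The enclosing block starts and ends outside the hunk.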

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
----------------------------------------------------------------------
diff --git a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
index 080332e..7013e31 100644
--- a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
+++ b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/FlowableDeployUtils.java
@@ -41,6 +41,13 @@ public final class FlowableDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition) {
 
@@ -58,7 +65,7 @@ public final class FlowableDeployUtils {
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();

http://git-wip-us.apache.org/repos/asf/syncope/blob/979c28ab/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
----------------------------------------------------------------------
diff --git a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
index 620d6b9..4ab1dd8 100644
--- a/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
+++ b/core/workflow-flowable/src/main/java/org/apache/syncope/core/workflow/flowable/spring/DomainProcessEngineFactoryBean.java
@@ -73,6 +73,7 @@ public class DomainProcessEngineFactoryBean
                     if (conf.getExpressionManager() == null) {
                         conf.setExpressionManager(new SpringExpressionManager(ctx, conf.getBeans()));
                     }
+                    conf.setEnableSafeBpmnXml(true);
 
                     engines.put(domain, conf.buildProcessEngine());
                 }


[3/3] syncope git commit: Ensuring all XML input processing is safe - disable DTD and external entities

Posted by il...@apache.org.
Ensuring all XML input processing is safe - disable DTD and external entities


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/bdb6a180
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/bdb6a180
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/bdb6a180

Branch: refs/heads/master
Commit: bdb6a180dcae6f1baaff16619cb906b7292da0d1
Parents: 6d285b2
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Oct 25 12:57:02 2018 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Oct 25 13:07:03 2018 +0200

----------------------------------------------------------------------
 .../widgets/reconciliation/ReconciliationReportParser.java  | 9 +++++++--
 .../syncope/core/flowable/impl/FlowableDeployUtils.java     | 9 ++++++++-
 .../flowable/support/DomainProcessEngineFactoryBean.java    | 9 +++------
 3 files changed, 18 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/bdb6a180/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
index da5e76d..95e6fd8 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
@@ -32,10 +32,15 @@ import org.apache.syncope.common.lib.types.AnyTypeKind;
 
 public final class ReconciliationReportParser {
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
 
     public static ReconciliationReport parse(final Date run, final InputStream in) throws XMLStreamException {
-        XMLStreamReader streamReader = INPUT_FACTORY.createXMLStreamReader(in);
+        XMLStreamReader streamReader = XML_INPUT_FACTORY.createXMLStreamReader(in);
         streamReader.nextTag(); // root
         streamReader.nextTag(); // report
         streamReader.nextTag(); // reportlet

http://git-wip-us.apache.org/repos/asf/syncope/blob/bdb6a180/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
----------------------------------------------------------------------
diff --git a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
index 5af0188..115d027 100644
--- a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
+++ b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
@@ -41,6 +41,13 @@ public final class FlowableDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition) {
 
@@ -58,7 +65,7 @@ public final class FlowableDeployUtils {
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();

http://git-wip-us.apache.org/repos/asf/syncope/blob/bdb6a180/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
----------------------------------------------------------------------
diff --git a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
index de2bbfe..81b0fd8 100644
--- a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
+++ b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
@@ -18,16 +18,14 @@
  */
 package org.apache.syncope.core.flowable.support;
 
-import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import javax.sql.DataSource;
 import org.apache.commons.lang3.StringUtils;
 import org.flowable.engine.ProcessEngine;
 import org.flowable.common.engine.impl.cfg.SpringBeanFactoryProxyMap;
 import org.flowable.common.engine.impl.interceptor.EngineConfigurationConstants;
-import org.flowable.engine.form.AbstractFormType;
 import org.flowable.engine.impl.util.EngineServiceUtil;
 import org.flowable.idm.spring.SpringIdmEngineConfiguration;
 import org.flowable.spring.SpringExpressionManager;
@@ -84,9 +82,8 @@ public class DomainProcessEngineFactoryBean
                                 EngineConfigurationConstants.KEY_IDM_ENGINE_CONFIG,
                                 ctx.getBean(SpringIdmEngineConfiguration.class));
                     }
-                    List<AbstractFormType> customFormTypes = new ArrayList<>();
-                    customFormTypes.add(new DropdownFormType(null));
-                    conf.setCustomFormTypes(customFormTypes);
+                    conf.setEnableSafeBpmnXml(true);
+                    conf.setCustomFormTypes(Arrays.asList(new DropdownFormType(null)));
 
                     engines.put(domain, conf.buildProcessEngine());
                 }
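Review bot: The switch to `Arrays.asList(new DropdownFormType(null))` is a refactor unrelated to the XML hardening, and it changes the list handed to `setCustomFormTypes` from a growable ArrayList to a fixed-size one. If any code later appends to that list (not visible here), it would now throw UnsupportedOperationException; `new ArrayList<>(Arrays.asList(new DropdownFormType(null)))` keeps the old behaviour. Alternatively, the refactor and the import changes could go in their own commit, so the security fix stays minimal and easy to audit and backport. The same hunk appears in the 2_1_X commit further down the page. The enclosing method starts and ends outside the hunk.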


[2/3] syncope git commit: Ensuring all XML input processing is safe - disable DTD and external entities

Posted by il...@apache.org.
Ensuring all XML input processing is safe - disable DTD and external entities


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a0f35f45
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a0f35f45
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a0f35f45

Branch: refs/heads/2_1_X
Commit: a0f35f45f8ca5c98853ae8477fb2db81a84709a1
Parents: e559417
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Thu Oct 25 12:57:02 2018 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Thu Oct 25 13:06:42 2018 +0200

----------------------------------------------------------------------
 .../widgets/reconciliation/ReconciliationReportParser.java  | 9 +++++++--
 .../syncope/core/flowable/impl/FlowableDeployUtils.java     | 9 ++++++++-
 .../flowable/support/DomainProcessEngineFactoryBean.java    | 9 +++------
 3 files changed, 18 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/a0f35f45/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
----------------------------------------------------------------------
diff --git a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
index da5e76d..95e6fd8 100644
--- a/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
+++ b/client/console/src/main/java/org/apache/syncope/client/console/widgets/reconciliation/ReconciliationReportParser.java
@@ -32,10 +32,15 @@ import org.apache.syncope.common.lib.types.AnyTypeKind;
 
 public final class ReconciliationReportParser {
 
-    private static final XMLInputFactory INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
 
     public static ReconciliationReport parse(final Date run, final InputStream in) throws XMLStreamException {
-        XMLStreamReader streamReader = INPUT_FACTORY.createXMLStreamReader(in);
+        XMLStreamReader streamReader = XML_INPUT_FACTORY.createXMLStreamReader(in);
         streamReader.nextTag(); // root
         streamReader.nextTag(); // report
         streamReader.nextTag(); // reportlet

http://git-wip-us.apache.org/repos/asf/syncope/blob/a0f35f45/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
----------------------------------------------------------------------
diff --git a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
index 5af0188..115d027 100644
--- a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
+++ b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/impl/FlowableDeployUtils.java
@@ -41,6 +41,13 @@ public final class FlowableDeployUtils {
 
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
+    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+
+    static {
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        XML_INPUT_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+    }
+
     public static Deployment deployDefinition(
             final ProcessEngine engine, final String resourceName, final byte[] definition) {
 
@@ -58,7 +65,7 @@ public final class FlowableDeployUtils {
                 getResourceAsStream(procDef.getDeploymentId(), procDef.getResourceName());
                 InputStreamReader isr = new InputStreamReader(bpmnStream)) {
 
-            xtr = XMLInputFactory.newInstance().createXMLStreamReader(isr);
+            xtr = XML_INPUT_FACTORY.createXMLStreamReader(isr);
             BpmnModel bpmnModel = new BpmnXMLConverter().convertToBpmnModel(xtr);
 
             Model model = engine.getRepositoryService().newModel();

http://git-wip-us.apache.org/repos/asf/syncope/blob/a0f35f45/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
----------------------------------------------------------------------
diff --git a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
index de2bbfe..81b0fd8 100644
--- a/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
+++ b/ext/flowable/flowable-bpmn/src/main/java/org/apache/syncope/core/flowable/support/DomainProcessEngineFactoryBean.java
@@ -18,16 +18,14 @@
  */
 package org.apache.syncope.core.flowable.support;
 
-import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import javax.sql.DataSource;
 import org.apache.commons.lang3.StringUtils;
 import org.flowable.engine.ProcessEngine;
 import org.flowable.common.engine.impl.cfg.SpringBeanFactoryProxyMap;
 import org.flowable.common.engine.impl.interceptor.EngineConfigurationConstants;
-import org.flowable.engine.form.AbstractFormType;
 import org.flowable.engine.impl.util.EngineServiceUtil;
 import org.flowable.idm.spring.SpringIdmEngineConfiguration;
 import org.flowable.spring.SpringExpressionManager;
@@ -84,9 +82,8 @@ public class DomainProcessEngineFactoryBean
                                 EngineConfigurationConstants.KEY_IDM_ENGINE_CONFIG,
                                 ctx.getBean(SpringIdmEngineConfiguration.class));
                     }
-                    List<AbstractFormType> customFormTypes = new ArrayList<>();
-                    customFormTypes.add(new DropdownFormType(null));
-                    conf.setCustomFormTypes(customFormTypes);
+                    conf.setEnableSafeBpmnXml(true);
+                    conf.setCustomFormTypes(Arrays.asList(new DropdownFormType(null)));
 
                     engines.put(domain, conf.buildProcessEngine());
                 }