High severity · NVD Advisory · Published Dec 17, 2019 · Updated Aug 5, 2024

CVE-2019-16549


Description

Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. The affected parser is the one the plugin's Nexus staging client (`StageClient.getDocument`) uses to parse XML responses from the configured Nexus server, so an attacker in a man-in-the-middle position between Jenkins and Nexus — or in control of the Nexus host — can have Jenkins parse a crafted XML document, with the usual XXE consequences (local file disclosure via entity expansion, server-side request forgery, denial of service). The fix replaces the default `DocumentBuilderFactory` with Jenkins core's hardened `jenkins.util.xml.XMLUtils.parse`.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins.m2release:m2release (Maven) | < 0.16.2 | 0.16.2

Affected products

1

Patches

1
1e4d6fee2eab

[SECURITY-1681] fix the issue

3 files changed · +20 16
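--- a/pom.xml
+++ b/pom.xml
@@ -252,6 +252,12 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+		<dependency>
+			<!--  TODO remove when baseline > 2.179 -->
+			<groupId>org.kohsuke</groupId>
+			<artifactId>access-modifier-suppressions</artifactId>
+			<version>${access-modifier-annotation.version}</version>
+		</dependency>
 	</dependencies>
 
 	<build>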
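Review bot: The new `access-modifier-suppressions` dependency is declared with default (compile) scope, so unless the plugin parent POM already manages it, it will be bundled into the built .hpi even though it only supplies the `@SuppressRestrictedWarnings` annotation used at compile time; `<scope>provided</scope>` would keep it out of the artifact, matching how the sibling `access-modifier-annotation` is normally scoped. The `${access-modifier-annotation.version}` property is referenced but not defined in this hunk, so it is presumably inherited from the parent — worth confirming the property name matches the parent version this plugin builds against. The TODO tying removal to a core baseline above 2.179 is useful; consider stating why in the comment, e.g. `<!-- needed for @SuppressRestrictedWarnings on XMLUtils, which is @Restricted before 2.179; remove when baseline > 2.179 -->`.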
    
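--- a/src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper.java
+++ b/src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseBuildWrapper.java
@@ -62,6 +62,7 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerRequest;
+import org.kohsuke.stapler.verb.POST;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -475,6 +476,7 @@ public boolean isNexusSupport() {
 		/**
 		 * Checks if the Nexus URL exists and we can authenticate against it.
 		 */
+		@POST
 		public FormValidation doUrlCheck(@QueryParameter String urlValue, 
 		                                 final @QueryParameter String usernameValue,
 		                                 final @QueryParameter Secret passwordValue) {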
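Review bot: `@POST` only closes the CSRF route into `doUrlCheck`; by its own Javadoc the method connects to a caller-supplied URL and authenticates against it with the supplied username and password, so it also needs an authorization check before any connection is opened, otherwise any authenticated user can use it to probe internal hosts and to send credentials to an arbitrary server. If the body (which continues outside this hunk) does not already do so, the first statement should be `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` (or the appropriate context's `checkPermission`). Note also that Stapler rejects non-POST requests to a `@POST` method, so the view that drives this validation must submit with POST (`f:validateButton`, or `checkMethod="post"` on the field); no Jelly file is among the three files in this commit, so that should be verified separately.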
    
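--- a/src/main/java/org/jvnet/hudson/plugins/m2release/nexus/StageClient.java
+++ b/src/main/java/org/jvnet/hudson/plugins/m2release/nexus/StageClient.java
@@ -23,36 +23,33 @@
  */
 package org.jvnet.hudson.plugins.m2release.nexus;
 
-import hudson.util.IOUtils;
-
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
-
 import javax.xml.namespace.QName;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathException;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
-
 import org.apache.commons.codec.binary.Base64;
+import org.kohsuke.accmod.restrictions.suppressions.SuppressRestrictedWarnings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
-
+import hudson.util.IOUtils;
+import jenkins.util.xml.XMLUtils;
 /**
  * The Stage client acts as the interface to Nexus Pro staging via the Nexus REST APIs. A single StageClient
  * is not thread safe.
@@ -466,17 +463,19 @@ else if (response == HttpURLConnection.HTTP_NOT_FOUND) {
 	 * @return the parsed Document.
 	 * @throws StageException if there was an issue obtaining or parsing the document.
 	 */
+	@SuppressRestrictedWarnings(XMLUtils.class) // TODO remove when baseline > 2.179
 	protected Document getDocument(URL url) throws StageException {
 		try {
 			HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 			addAuthHeader(conn);
 			conn.setRequestProperty("Accept", "application/xml");
 			int status = conn.getResponseCode();
 			if (status == HttpURLConnection.HTTP_OK) {
-				DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-				Document doc = builder.parse(conn.getInputStream());
-				conn.disconnect();
-				return doc;
+				try (InputStream is = conn.getInputStream(); InputStreamReader isr = new InputStreamReader(is, StandardCharsets.UTF_8)) {
+					Document doc = XMLUtils.parse(isr);
+					conn.disconnect();
+					return doc;
+				}
 			}
 			else {
 				drainOutput(conn);
@@ -494,9 +493,6 @@ else if (status == HttpURLConnection.HTTP_NOT_FOUND) {
 		catch (IOException ex) {
 			throw createStageExceptionForIOException(nexusURL, ex);
 		}
-		catch (ParserConfigurationException ex) {
-			throw new StageException(ex);
-		}
 		catch (SAXException ex) {
 			throw new StageException(ex);
 		}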
    

Vulnerability mechanics


References

5
