From 06f28db213744590c98feed69bda7d5f5c011b38 Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Tue, 24 Sep 2019 18:33:37 +0000 Subject: [PATCH] Bug 63768: Adjust handling of SchemaFactory git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1867484 13f79535-47bb-0310-9956-ffa450edef68 --- .../poi/xssf/extractor/XSSFExportToXml.java | 16 +- .../xssf/extractor/TestXSSFExportToXML.java | 532 +++++++++--------- test-data/spreadsheet/xxe_in_schema.xlsx | Bin 0 -> 9801 bytes 3 files changed, 286 insertions(+), 262 deletions(-) create mode 100644 test-data/spreadsheet/xxe_in_schema.xlsx diff --git a/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java b/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java index 9320a226db..53984fec28 100644 --- a/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java +++ b/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java @@ -28,6 +28,7 @@ import java.util.Locale; import java.util.Map; import java.util.Vector; +import javax.xml.XMLConstants; import javax.xml.transform.OutputKeys; import javax.xml.transform.Source; import javax.xml.transform.Transformer; @@ -241,9 +242,10 @@ public class XSSFExportToXml implements Comparator{ * @throws SAXException If validating the document fails */ private boolean isValid(Document xml) throws SAXException{ - try{ + try { String language = "http://www.w3.org/2001/XMLSchema"; SchemaFactory factory = SchemaFactory.newInstance(language); + trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true); Source source = new DOMSource(map.getSchema()); Schema schema = factory.newSchema(source); @@ -313,7 +315,7 @@ public class XSSFExportToXml implements Comparator{ String[] xpathTokens = xpath.split("/"); - Node currentNode =rootNode; + Node currentNode = rootNode; // The first token is empty, the second is the root node for(int i =2; i{ } return complexTypeNode; } + + private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) { + try { + sf.setFeature(feature, enabled); + } catch (Exception e) { + LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e); + } catch (AbstractMethodError ame) { + LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame); + } + } } diff --git a/src/ooxml/testcases/org/apache/poi/xssf/extractor/TestXSSFExportToXML.java b/src/ooxml/testcases/org/apache/poi/xssf/extractor/TestXSSFExportToXML.java index e1c58b00cb..282f02371e 100644 --- a/src/ooxml/testcases/org/apache/poi/xssf/extractor/TestXSSFExportToXML.java +++ b/src/ooxml/testcases/org/apache/poi/xssf/extractor/TestXSSFExportToXML.java @@ -51,6 +51,7 @@ import org.junit.Test; import org.xml.sax.EntityResolver; import org.xml.sax.InputSource; import org.xml.sax.SAXException; +import org.xml.sax.SAXParseException; /** * @author Roberto Manicardi @@ -59,7 +60,7 @@ public final class TestXSSFExportToXML { @Test public void testExportToXML() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("CustomXMLMappings.xlsx")) { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("CustomXMLMappings.xlsx")) { boolean found = false; for (POIXMLDocumentPart p : wb.getRelations()) { @@ -102,12 +103,12 @@ public final class TestXSSFExportToXML { } assertTrue(found); } - } + } @Test public void testExportToXMLInverseOrder() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples - .openSampleWorkbook("CustomXmlMappings-inverse-order.xlsx")) { + try (XSSFWorkbook wb = XSSFTestDataSamples + .openSampleWorkbook("CustomXmlMappings-inverse-order.xlsx")) { boolean found = false; for (POIXMLDocumentPart p : wb.getRelations()) { @@ -150,12 +151,12 @@ public final class TestXSSFExportToXML { } assertTrue(found); } - } + } @Test public void testXPathOrdering() throws IOException { - try (XSSFWorkbook wb = XSSFTestDataSamples - .openSampleWorkbook("CustomXmlMappings-inverse-order.xlsx")) { + try (XSSFWorkbook wb = XSSFTestDataSamples + .openSampleWorkbook("CustomXmlMappings-inverse-order.xlsx")) { boolean found = false; for (POIXMLDocumentPart p : wb.getRelations()) { @@ -174,12 +175,12 @@ public final class TestXSSFExportToXML { } assertTrue(found); } - } + } @Test public void testMultiTable() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples - .openSampleWorkbook("CustomXMLMappings-complex-type.xlsx")) { + try (XSSFWorkbook wb = XSSFTestDataSamples + .openSampleWorkbook("CustomXMLMappings-complex-type.xlsx")) { boolean found = false; for (POIXMLDocumentPart p : wb.getRelations()) { @@ -218,7 +219,7 @@ public final class TestXSSFExportToXML { } assertTrue(found); } - } + } @Test @Ignore(value="Fails, but I don't know if it is ok or not...") @@ -233,7 +234,7 @@ public final class TestXSSFExportToXML { } } } - + @Test public void test55850ComplexXmlExport() throws Exception { try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55850.xlsx")) { @@ -351,300 +352,300 @@ public final class TestXSSFExportToXML { assertTrue(found); } } - - @Test - public void testXmlExportIgnoresEmptyCells_Bugzilla_55924() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55924.xlsx")) { - - boolean found = false; - for (POIXMLDocumentPart p : wb.getRelations()) { - - if (!(p instanceof MapInfo)) { - continue; - } - MapInfo mapInfo = (MapInfo) p; - - XSSFMap map = mapInfo.getXSSFMapById(1); - - assertNotNull("XSSFMap is null", map); - - XSSFExportToXml exporter = new XSSFExportToXml(map); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - exporter.exportToXML(os, true); - String xmlData = os.toString("UTF-8"); - assertNotNull(xmlData); - assertFalse(xmlData.isEmpty()); + @Test + public void testXmlExportIgnoresEmptyCells_Bugzilla_55924() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55924.xlsx")) { - String a = xmlData.split("")[1].split("")[0].trim(); - String euro = a.split("")[1].split("")[0].trim(); - assertEquals("1", euro); + boolean found = false; + for (POIXMLDocumentPart p : wb.getRelations()) { - parseXML(xmlData); + if (!(p instanceof MapInfo)) { + continue; + } + MapInfo mapInfo = (MapInfo) p; - found = true; - } - assertTrue(found); - } - } - - @Test - public void testXmlExportSchemaWithXSAllTag_Bugzilla_56169() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("56169.xlsx")) { + XSSFMap map = mapInfo.getXSSFMapById(1); - for (XSSFMap map : wb.getCustomXMLMappings()) { - XSSFExportToXml exporter = new XSSFExportToXml(map); + assertNotNull("XSSFMap is null", map); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - exporter.exportToXML(os, true); - String xmlData = os.toString("UTF-8"); + XSSFExportToXml exporter = new XSSFExportToXml(map); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + exporter.exportToXML(os, true); + String xmlData = os.toString("UTF-8"); - assertNotNull(xmlData); - assertTrue(!xmlData.isEmpty()); + assertNotNull(xmlData); + assertFalse(xmlData.isEmpty()); - String a = xmlData.split("")[1].split("")[0].trim(); - String a_b = a.split("")[1].split("")[0].trim(); - String a_b_c = a_b.split("")[1].split("")[0].trim(); - String a_b_c_e = a_b_c.split("")[1].split("")[0].trim(); - String a_b_c_e_euro = a_b_c_e.split("")[1].split("")[0].trim(); - String a_b_c_e_chf = a_b_c_e.split("")[1].split("")[0].trim(); - - assertEquals("1", a_b_c_e_euro); - assertEquals("2", a_b_c_e_chf); - - String a_b_d = a_b.split("")[1].split("")[0].trim(); - String a_b_d_e = a_b_d.split("")[1].split("")[0].trim(); - - String a_b_d_e_euro = a_b_d_e.split("")[1].split("")[0].trim(); - String a_b_d_e_chf = a_b_d_e.split("")[1].split("")[0].trim(); - - assertEquals("3", a_b_d_e_euro); - assertEquals("4", a_b_d_e_chf); - } - } - } - - @Test - public void testXmlExportCompare_Bug_55923() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { - - boolean found = false; - for (POIXMLDocumentPart p : wb.getRelations()) { - - if (!(p instanceof MapInfo)) { - continue; - } - MapInfo mapInfo = (MapInfo) p; - - XSSFMap map = mapInfo.getXSSFMapById(4); - - assertNotNull("XSSFMap is null", map); - - XSSFExportToXml exporter = new XSSFExportToXml(map); - assertEquals(0, exporter.compare("", "")); - assertEquals(0, exporter.compare("/", "/")); - assertEquals(0, exporter.compare("//", "//")); - assertEquals(0, exporter.compare("/a/", "/b/")); - - assertEquals(-1, exporter.compare("/ns1:Entry/ns1:A/ns1:B/ns1:C/ns1:E/ns1:EUR", - "/ns1:Entry/ns1:A/ns1:B/ns1:C/ns1:E/ns1:CHF")); - - found = true; - } - assertTrue(found); - } - } - - @Test - public void testXmlExportSchemaOrderingBug_Bugzilla_55923() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { + String a = xmlData.split("")[1].split("")[0].trim(); + String euro = a.split("")[1].split("")[0].trim(); + assertEquals("1", euro); - boolean found = false; - for (POIXMLDocumentPart p : wb.getRelations()) { + parseXML(xmlData); - if (!(p instanceof MapInfo)) { - continue; - } - MapInfo mapInfo = (MapInfo) p; - - XSSFMap map = mapInfo.getXSSFMapById(4); - - assertNotNull("XSSFMap is null", map); + found = true; + } + assertTrue(found); + } + } - XSSFExportToXml exporter = new XSSFExportToXml(map); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - exporter.exportToXML(os, true); - String xmlData = os.toString("UTF-8"); - - assertNotNull(xmlData); - assertFalse(xmlData.isEmpty()); - - String a = xmlData.split("")[1].split("")[0].trim(); - String a_b = a.split("")[1].split("")[0].trim(); - String a_b_c = a_b.split("")[1].split("")[0].trim(); - String a_b_c_e = a_b_c.split("")[1].split("")[0].trim(); - String a_b_c_e_euro = a_b_c_e.split("")[1].split("")[0].trim(); - String a_b_c_e_chf = a_b_c_e.split("")[1].split("")[0].trim(); - - assertEquals("1", a_b_c_e_euro); - assertEquals("2", a_b_c_e_chf); - - String a_b_d = a_b.split("")[1].split("")[0].trim(); - String a_b_d_e = a_b_d.split("")[1].split("")[0].trim(); + @Test + public void testXmlExportSchemaWithXSAllTag_Bugzilla_56169() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("56169.xlsx")) { - String a_b_d_e_euro = a_b_d_e.split("")[1].split("")[0].trim(); - String a_b_d_e_chf = a_b_d_e.split("")[1].split("")[0].trim(); - - assertEquals("3", a_b_d_e_euro); - assertEquals("4", a_b_d_e_chf); - - found = true; - } - assertTrue(found); - } - } - - private void parseXML(String xmlData) throws IOException, SAXException, ParserConfigurationException { - DocumentBuilderFactory docBuilderFactory = XMLHelper.getDocumentBuilderFactory(); - docBuilderFactory.setNamespaceAware(true); - docBuilderFactory.setValidating(false); - DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder(); - docBuilder.setEntityResolver(new DummyEntityResolver()); - - docBuilder.parse(new ByteArrayInputStream(xmlData.getBytes(StandardCharsets.UTF_8))); - } - - private static class DummyEntityResolver implements EntityResolver { - @Override - public InputSource resolveEntity(String publicId, String systemId) { - return null; - } - } - - @Test - public void testExportDataTypes() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { + for (XSSFMap map : wb.getCustomXMLMappings()) { + XSSFExportToXml exporter = new XSSFExportToXml(map); - Sheet sheet = wb.getSheetAt(0); - Row row = sheet.getRow(0); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + exporter.exportToXML(os, true); + String xmlData = os.toString("UTF-8"); - Cell cString = row.createCell(0); - cString.setCellValue("somestring"); + assertNotNull(xmlData); + assertTrue(!xmlData.isEmpty()); - Cell cBoolean = row.createCell(1); - cBoolean.setCellValue(true); + String a = xmlData.split("")[1].split("")[0].trim(); + String a_b = a.split("")[1].split("")[0].trim(); + String a_b_c = a_b.split("")[1].split("")[0].trim(); + String a_b_c_e = a_b_c.split("")[1].split("")[0].trim(); + String a_b_c_e_euro = a_b_c_e.split("")[1].split("")[0].trim(); + String a_b_c_e_chf = a_b_c_e.split("")[1].split("")[0].trim(); - Cell cError = row.createCell(2); - cError.setCellErrorValue(FormulaError.NUM.getCode()); + assertEquals("1", a_b_c_e_euro); + assertEquals("2", a_b_c_e_chf); - Cell cFormulaString = row.createCell(3); - cFormulaString.setCellFormula("A1"); + String a_b_d = a_b.split("")[1].split("")[0].trim(); + String a_b_d_e = a_b_d.split("")[1].split("")[0].trim(); - Cell cFormulaNumeric = row.createCell(4); - cFormulaNumeric.setCellFormula("F1"); + String a_b_d_e_euro = a_b_d_e.split("")[1].split("")[0].trim(); + String a_b_d_e_chf = a_b_d_e.split("")[1].split("")[0].trim(); - Cell cNumeric = row.createCell(5); - cNumeric.setCellValue(1.2); + assertEquals("3", a_b_d_e_euro); + assertEquals("4", a_b_d_e_chf); + } + } + } - Cell cDate = row.createCell(6); - cDate.setCellValue(new Date()); + @Test + public void testXmlExportCompare_Bug_55923() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { - boolean found = false; - for (POIXMLDocumentPart p : wb.getRelations()) { + boolean found = false; + for (POIXMLDocumentPart p : wb.getRelations()) { - if (!(p instanceof MapInfo)) { - continue; - } - MapInfo mapInfo = (MapInfo) p; + if (!(p instanceof MapInfo)) { + continue; + } + MapInfo mapInfo = (MapInfo) p; - XSSFMap map = mapInfo.getXSSFMapById(4); + XSSFMap map = mapInfo.getXSSFMapById(4); - assertNotNull("XSSFMap is null", map); + assertNotNull("XSSFMap is null", map); - XSSFExportToXml exporter = new XSSFExportToXml(map); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - exporter.exportToXML(os, true); - String xmlData = os.toString("UTF-8"); + XSSFExportToXml exporter = new XSSFExportToXml(map); + assertEquals(0, exporter.compare("", "")); + assertEquals(0, exporter.compare("/", "/")); + assertEquals(0, exporter.compare("//", "//")); + assertEquals(0, exporter.compare("/a/", "/b/")); - assertNotNull(xmlData); - assertFalse(xmlData.isEmpty()); + assertEquals(-1, exporter.compare("/ns1:Entry/ns1:A/ns1:B/ns1:C/ns1:E/ns1:EUR", + "/ns1:Entry/ns1:A/ns1:B/ns1:C/ns1:E/ns1:CHF")); - parseXML(xmlData); + found = true; + } + assertTrue(found); + } + } - found = true; - } - assertTrue(found); - } - } + @Test + public void testXmlExportSchemaOrderingBug_Bugzilla_55923() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { - @Test - public void testValidateFalse() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { - boolean found = false; - for (POIXMLDocumentPart p : wb.getRelations()) { + boolean found = false; + for (POIXMLDocumentPart p : wb.getRelations()) { - if (!(p instanceof MapInfo)) { - continue; - } - MapInfo mapInfo = (MapInfo) p; + if (!(p instanceof MapInfo)) { + continue; + } + MapInfo mapInfo = (MapInfo) p; - XSSFMap map = mapInfo.getXSSFMapById(4); + XSSFMap map = mapInfo.getXSSFMapById(4); - assertNotNull("XSSFMap is null", map); + assertNotNull("XSSFMap is null", map); - XSSFExportToXml exporter = new XSSFExportToXml(map); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - exporter.exportToXML(os, false); - String xmlData = os.toString("UTF-8"); + XSSFExportToXml exporter = new XSSFExportToXml(map); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + exporter.exportToXML(os, true); + String xmlData = os.toString("UTF-8"); - assertNotNull(xmlData); - assertFalse(xmlData.isEmpty()); + assertNotNull(xmlData); + assertFalse(xmlData.isEmpty()); - parseXML(xmlData); + String a = xmlData.split("")[1].split("")[0].trim(); + String a_b = a.split("")[1].split("")[0].trim(); + String a_b_c = a_b.split("")[1].split("")[0].trim(); + String a_b_c_e = a_b_c.split("")[1].split("")[0].trim(); + String a_b_c_e_euro = a_b_c_e.split("")[1].split("")[0].trim(); + String a_b_c_e_chf = a_b_c_e.split("")[1].split("")[0].trim(); - found = true; - } - assertTrue(found); - } - } + assertEquals("1", a_b_c_e_euro); + assertEquals("2", a_b_c_e_chf); - @Test - public void testRefElementsInXmlSchema_Bugzilla_56730() throws Exception { - try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("56730.xlsx")) { + String a_b_d = a_b.split("")[1].split("")[0].trim(); + String a_b_d_e = a_b_d.split("")[1].split("")[0].trim(); - boolean found = false; - for (POIXMLDocumentPart p : wb.getRelations()) { + String a_b_d_e_euro = a_b_d_e.split("")[1].split("")[0].trim(); + String a_b_d_e_chf = a_b_d_e.split("")[1].split("")[0].trim(); - if (!(p instanceof MapInfo)) { - continue; - } - MapInfo mapInfo = (MapInfo) p; + assertEquals("3", a_b_d_e_euro); + assertEquals("4", a_b_d_e_chf); - XSSFMap map = mapInfo.getXSSFMapById(1); + found = true; + } + assertTrue(found); + } + } - assertNotNull("XSSFMap is null", map); + private void parseXML(String xmlData) throws IOException, SAXException, ParserConfigurationException { + DocumentBuilderFactory docBuilderFactory = XMLHelper.getDocumentBuilderFactory(); + docBuilderFactory.setNamespaceAware(true); + docBuilderFactory.setValidating(false); + DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder(); + docBuilder.setEntityResolver(new DummyEntityResolver()); - XSSFExportToXml exporter = new XSSFExportToXml(map); - ByteArrayOutputStream os = new ByteArrayOutputStream(); - exporter.exportToXML(os, true); - String xmlData = os.toString("UTF-8"); + docBuilder.parse(new ByteArrayInputStream(xmlData.getBytes(StandardCharsets.UTF_8))); + } - assertNotNull(xmlData); - assertFalse(xmlData.isEmpty()); + private static class DummyEntityResolver implements EntityResolver { + @Override + public InputSource resolveEntity(String publicId, String systemId) { + return null; + } + } - assertEquals("2014-12-31", xmlData.split("")[1].split("")[0].trim()); - assertEquals("12.5", xmlData.split("")[1].split("")[0].trim()); + @Test + public void testExportDataTypes() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { - parseXML(xmlData); + Sheet sheet = wb.getSheetAt(0); + Row row = sheet.getRow(0); - found = true; - } - assertTrue(found); - } - } + Cell cString = row.createCell(0); + cString.setCellValue("somestring"); - @Test - public void testBug59026() throws Exception { + Cell cBoolean = row.createCell(1); + cBoolean.setCellValue(true); + + Cell cError = row.createCell(2); + cError.setCellErrorValue(FormulaError.NUM.getCode()); + + Cell cFormulaString = row.createCell(3); + cFormulaString.setCellFormula("A1"); + + Cell cFormulaNumeric = row.createCell(4); + cFormulaNumeric.setCellFormula("F1"); + + Cell cNumeric = row.createCell(5); + cNumeric.setCellValue(1.2); + + Cell cDate = row.createCell(6); + cDate.setCellValue(new Date()); + + boolean found = false; + for (POIXMLDocumentPart p : wb.getRelations()) { + + if (!(p instanceof MapInfo)) { + continue; + } + MapInfo mapInfo = (MapInfo) p; + + XSSFMap map = mapInfo.getXSSFMapById(4); + + assertNotNull("XSSFMap is null", map); + + XSSFExportToXml exporter = new XSSFExportToXml(map); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + exporter.exportToXML(os, true); + String xmlData = os.toString("UTF-8"); + + assertNotNull(xmlData); + assertFalse(xmlData.isEmpty()); + + parseXML(xmlData); + + found = true; + } + assertTrue(found); + } + } + + @Test + public void testValidateFalse() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("55923.xlsx")) { + boolean found = false; + for (POIXMLDocumentPart p : wb.getRelations()) { + + if (!(p instanceof MapInfo)) { + continue; + } + MapInfo mapInfo = (MapInfo) p; + + XSSFMap map = mapInfo.getXSSFMapById(4); + + assertNotNull("XSSFMap is null", map); + + XSSFExportToXml exporter = new XSSFExportToXml(map); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + exporter.exportToXML(os, false); + String xmlData = os.toString("UTF-8"); + + assertNotNull(xmlData); + assertFalse(xmlData.isEmpty()); + + parseXML(xmlData); + + found = true; + } + assertTrue(found); + } + } + + @Test + public void testRefElementsInXmlSchema_Bugzilla_56730() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("56730.xlsx")) { + + boolean found = false; + for (POIXMLDocumentPart p : wb.getRelations()) { + + if (!(p instanceof MapInfo)) { + continue; + } + MapInfo mapInfo = (MapInfo) p; + + XSSFMap map = mapInfo.getXSSFMapById(1); + + assertNotNull("XSSFMap is null", map); + + XSSFExportToXml exporter = new XSSFExportToXml(map); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + exporter.exportToXML(os, true); + String xmlData = os.toString("UTF-8"); + + assertNotNull(xmlData); + assertFalse(xmlData.isEmpty()); + + assertEquals("2014-12-31", xmlData.split("")[1].split("")[0].trim()); + assertEquals("12.5", xmlData.split("")[1].split("")[0].trim()); + + parseXML(xmlData); + + found = true; + } + assertTrue(found); + } + } + + @Test + public void testBug59026() throws Exception { try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("59026.xlsx")) { Collection mappings = wb.getCustomXMLMappings(); assertTrue(mappings.size() > 0); @@ -657,7 +658,7 @@ public final class TestXSSFExportToXML { } } } - + @Test public void testExportTableWithNonMappedColumn_Bugzilla_61281() throws Exception { try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("61281.xlsx")) { @@ -671,4 +672,15 @@ public final class TestXSSFExportToXML { } } } + + @Test(expected = SAXParseException.class) + public void testXXEInSchema() throws Exception { + try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("xxe_in_schema.xlsx")) { + for (XSSFMap map : wb.getCustomXMLMappings()) { + XSSFExportToXml exporter = new XSSFExportToXml(map); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + exporter.exportToXML(bos, true); + } + } + } } diff --git a/test-data/spreadsheet/xxe_in_schema.xlsx b/test-data/spreadsheet/xxe_in_schema.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..aef99cc5040037fabfe9b839949c27d19f43a068 GIT binary patch literal 9801 zcmb7JWmweP*BwCV7+OL~8l+o5xS$gqbJz{_42X$}Vf_+JMAZ~>$MZE98Q9>1}8Q*5X=)|*gUK{Hz_#=SV2PxFR>(c4V(W@@UtRdWkfQCX!_uBLNl>Wnc5 zS)F*L+EztpNFh4OQ1ps!9{e2YWd!=L>wx>9SwDj;HY6%5^Z>z5bmduxK5-3{Cp_$$ zHzE))`NVUDmf(VF?@fm5b4hUGFN@zNrE$tSaWtp{TO~arsCMKEQ)C3Kr9!8!Wmvq+ zT@njFy6FH+VK-@b71!4R21M@D=ua70OVo4(pr$V2eHI@-u0QYJAgUy9TV1B^6#m6#;mbR+N;S=^bAkch3X*3PwVK=kmv4dn&zASlClLxrUr0C?lT zd++<3zg|#aygjxyQns_Uv1k3xmKThvU$FHJ;)43(Wl%>TjCuwH004Ly!obGn-*`__ zRkR*wL$AXc^Z=yoG7^oBY@YctYlr@U*@{Nk|TZda; zcj+CRmLKuxQ&Q!h1_zhQxMPwQE zOdj5C`-a#kh0vRQjA0%LT$GNDc@Q_Egf`+@ti>$x_d7iA@5%|X9TBfWJqhsWTK5{y znY55Nk1}#TkJ1ShaUa>mjn!mn20AOF{)5zKm^lyZQ zMctD}UPv1DM46I&I-v})I$l?NwO$oKCa5$CovI~L zRpfos}P8-PM6* z5*$7#8W|3da0Aj7VlFI6yBE|fMI(aQ10^r#W}zj3IR8%u7?JX1{F89@yuf}qhE{Lz z-THMnRecjtzYw@V-`Qwh-;o(J@sdRT%BR{$8b#8!HrBqx5S& z+rpU^Y{#MXp8e<2a@F*XbrFnek3RHe&68titT?A@20w}OB1XZ@Izhkf%7IV`ftJ;_ zZ$aUPeDn4nh>wonQQqtP!fj!iFu4`|qPc}7$<#-X&M|hqE9eoqYD$g@cR*}3BGV#G z(57cfV9>Lil{~4XfUmcrTG1OBo zlyBSds`4Sg^5tytL-X1igLOJ!&rc`R#fN{E&2PsY?87#8rmz#wP7MSGn_4~j6XxJY zaBKu&%zc7AbiW4s37nn9(A4U8tQzU3qO+B;l~2G8^q!N95)ttc8QVf_GTGQTwm2o& z*xA|OWQ|h`Z~37F?5B=~NN~cHqCeXvNA4Sf16-)Vw=@}4qaH@W)ZiFaR+vA6gPrAy z1~&G8OTo8{eS3b&Sb*xd(i|Jm12M$wsHk8*eSWOI9s1^2PYD)DrqnbwEU=SHq*AbweO$( zMsL2I{IC-KQ^|RTQq+44E807-lb`r9gp;+MxuLbS`L`1JFAAj8%m(z|l&STrbehdP zK~58>qsSzCE#eGdnrug_6#kZY=)&b|EjhIO`-^cJH0*lCgdw z8g7Ht51QonY;4h}A|0g;CewVeaV@&Ol<(p0Cpa^FWT9?iVPSYFF{9L_u1yN=au;dW zBPK^u6l{BdsIv(UwR^tA%b_HcD!7BEok3yMLlbO<{*~N%ic2T#px*OlUw;U4yvf=j zeELACr0UBQ&V4u+0nf_Eg4--)0}btUn(x^05{oTru;5iGjO-q3aa zV6a1R_bqATPJDQ%Xm@!r~RJ(9mMOe}K{g&_B zs(}Tzz2#UY2P;mt-eqaBwba5>6PstWgEbl>!MFWQN^j5GJd=ehY8t3o74!7+eEsG* zRg{(dgg#n;yC40gG5K8uryIJ47$UwXmduY8=k2r7^O{!pM6hm~GomZuh8h&5W2JV_ z&l7WZmEG$y9q&qh79@W|^Zsxnd{3LGyb!fWM#z_l%Drt7`$e3@!5Pq83A(`h;OCai zbu_tnz4H;P1b({Qj}BIC3VVE#{5fmOY4uy4B0|RLTy?)lDB?vM4-VK}*BO`e&VTkr z*7NSW%ml^gZ7j4JXFGyS4SADBV2mIg!<(}bpq{|OEj5Y{`;3g&aGD9#9W1ZF-TK=U#AFE4et(NXCBIA+brZ6$~128V;3H~lI(e11m6 zrtoo#kr1^sX^Z`P0&dYCz6d`P$eUQ@b{{gZ9H%GF#W^d-OCvWBz&!$g76@&b5R~Dz zX7X2>ow*+j2CBc;fw!#P8WYzXn|dYyX|ls!!DY^D7ZKH-b*^5hLyrIvV>?XsM`Pjz zG$}%9UF?pnCJ6Vedf#sAaUTDsxxo8>h4`mxBiis)zaOSHU9i*W)<2+K6!*W&PGqT4 z3mbZ%6ZItJj?%!SH}K6afj^ju6l+?3f+yV}eUxHj9mUrt*-Br(!t3x0omy5@>sslbcS}Z!8QHK$Yak>PR)n^Lqp?P=&SkY$nPD*bj z(4H#Bzor#uL^HeHz047)LE34VusHmD3Vr#3Liwgpj7I~UJs;=@?GA=G`tGy0<6?z` z5BOT=6!3#V)O-5tPD^wqme+l2*80zKq*)@LcX8$oi+6V|Gv6uEc7vSItUMrJ7XIlL z&l2dpngh$$A?*1p_x2_RcA&>x5iBl1D`qm5J7b zy9_6GXH0}MFDY+%z33^jFBEIjL)cw=Qq{cpgZ#TSeRkGHphk7LyQ7WZ+7lACbf48e zV_GC99QsqRq2vdMHUUzY*(=GI{4~7B$#-T;`4@z*-z>eG0Tv3-BBoNj%@S%D#vp;H zw%{|=g!-;=o1<@|c~Wlo!Rgy{*U)>;p*mJUEnd4j8go7pdfS#ZwHxIBd@cLyOaq&M zEJ1(J&4&6~X|BPB7~#Y}1{ttp@dw2B*MHT`^@rM_B)oW@th;xEU7Qw$tKyvfgsP%> zYGgaCRCnkjKoN#L9gz76Zc62-cCj?B+a3(NMOayu6h8Ht4aVa!JOL*GW?c0q7K$uA zh^oXSYyJIB;lfGw;LLb_uNi8}X=D)kUT)Qo-*|W$1&}Jau@1LCu zdWX%)vgY}<$>nvkQ49seu38m>w$!^ra68vS>Xv6o8EP?4>#=)qIwUzspv~xHXf-J8 zH@i{aU7P&?U{LV?Sdf7o4&-~MNL(X7Cq(6`+G{5&QRXKTo@*wvW@EVIWzj1Z<#S6$ zEAYk>nFy?Y6kdQ2Bs4tMpfkc?Bbir2&R=7h(bePd;qq;~KwRn1pt&Zw{x9yVCM9ck z0!}R-l}w_!HgzRmYoy2FtbFy-Gw0*V5n3TUBMWy`&0ev2+}2YMC$y>kFV-lV#oLnv z^;1|Q!s;TeStZ-D6DV~!lX`Q0x7{bqoa$UrSVh^JRvx2S9{P~5JgM=8&{t;$@OqT! zIT37ecd3^Z^xbp0Ure*b({lt*;fKbr1ebEJA6W{XP|O#J2+_@%G_(c!Him<;inPGG zdY1Rxbw|$i+6G0g31ND$Wr&@ywe_P-Jo)Rq z&UYu@6SvB<-7I+ezW#i6)B5gpFQKE2kA5Y)&e^kG=PTt?o~No<^Nd?7BUtCoCtEAL zDd&gH2pF|VO+Ki1TTl$AQ3Vi3OsN*Li2xX7BZGVpN*2>bO$zQtvIzM`CVLt1YfQ#F zo5r+H{V|BgA2(8p?R-Yfn+Ofn7m@+ zP({fqqohtYDVl_l;9wro3_ROs2mL5w#Fg4N;!fT~WI#9sW~T`dZw6Pg@V6ioYrOHt z#g3~EPepd<Wv<1aW9-RZBFo9pi_$`Zxf3ieYTP-HQd$vS`Yx00pM(v7g^@TJ#TgUd2Yp5D#M z^2o?N-VA+HpZkilP)7@zRf~E+&OEKdCtpHYYCJizd9ZhUuGvs9yz^0G-64%@^owT*!gMAPojC7Xb^|>qV=(e6-l)B3o3&$qgu>gKT8l`ukfKjU-eSWTSh|30 zRK+G_tS=WoN)3@4w~LOaIRAvb{q1T2O--mk8RD!XD@ha=7*MPv zK-WJMImJC1bUhG!VueT)CPhDsALXF7i!W7CXN}xT0;ZKAZ)rASqbOe!zzg45b=+vA zGjHN~jB5+z69Emmu|E&%<~DLd>?)@=*u9 z;tCZmCZ1=mAbdABXzkmsq4J%|%HoeNb!+8o4+B$`&6o44UCr*hwG)vc$ISSmHt;|1 zcW<81=QLMbc*LNsZB4g4UDa_?%vaot{G`>$8`m}h$dbZD_*_ITZfL>Z?_r>J+s$rk zx3sw+?t+;Ev*gu>m4Q=^=9W`V>&e#I6XEt6d;#qt>x4!Jt*7Ymth)6whr?(u9=p5~ zChTv?+#$7)10BM*Ip*s%0+1>V^UwuR|Q+zd1;xeI>F^uk~R7B#xXVpM*6lQ#0 z3>Qv4YF?8@xJz8wh}oP#sL6jSRsP_BG-rKiJS=&nzGkcP#o>@o7aypufZBs`4A&b%+F(z7u(R>4?D!kS_D zf=39`&mra1)gkz}3A)H?#{_|S=1m5s&N(8-Xf3{v$rfs)Dy&i&&Il3>9j7X>dGjS( z9>~nR7mC4Y%~?(2iM6B|6V7TCY1_ruLa_?ttR$!W9MPfSIY_NE7`kv+NPv^f(ypXA z?g?UCqhg4BcX*#hP@P7SXn=GkC2)OAl8&0dH2Dci*b=M8wmyoX&?piUCM3lcg$Dma zVYH{8SP(|39;BQZt=wQkwz2=T)jujRIiUDmY35ha#F8DO6yeY=UYZ`-==rPzqL$)q z(Fcxd*TC+r8}|%?B@V2}#lumLC*OP?8p~^JDK4m>LpMs44c`!3CM0+mIr~}JYcOIB zAWDMS*y&|kACXy}o_Tjr@X!YOX+foom{3Kyx;tG~xHmoGkV6~)Rl$Op%E?iKMrh2+ z(DSXphYh8W&Fz#U%spRzWL>|zA6#7a^XClA&Pe|GeuDa=M!*J!7N9@r?j-gfGa16_ z>;%@~{dKYX3*-Brf4!lEsq`zo6#=^QZj-Yduml)FqN=FVsj1s;v|{nC#Om7B6}-|; z^V+Psp4sTf8n^c8-Nu>)*93voiMRB+1+%nY8lJue%aG&E?)M8Pi@K=PAT>~8fab8b zUBV+h$;^6m!;S&n})To`c%f&m1qp~aQ10tRun!td`%r|d~2*kK@Kh!Qk6Dg9nxq0jBeKZ9vb6~ zlxswq7Ua^&dNDxz=8Q!&yT)IKX+j9hD8u-{xjong#`(Xs;8_oJU@bVFM@q#x@KC4+ z$sb1|7nMsjt0-Tcc72Fi=_PD)*$RwSoY$MviHr?|InGkxb+3~SE6kQK$LxW)Y@!Q+gpXfHf62!nDA4poKDB*TGw zyH;Qv7`}@35F3suK%Lb5MgBkmlcbF<3Gj*T^6{+*BSz(JwwaIo)T9ON*>;?rOob~6 z9QjVMX#9fEPqAW*wZ;?#~mloKsrIWFquC0H0K5$mZ6Fs(WOZ#?Fi~k8cg?-7f zf&|q4O`8>98024y)O=9qyf{^5Bhjo@Z2je0)1H2Kk0)}rQ*&%~lC!m+?=AW@KZ@{z zr|TQU^|XwYB{kQ_mbo*srX_a84&=}&DHm@*cUt+vTGCaE;K;vWE6 z#}KG?)=N1Z??XwBtC^=eWPM1oHG*2N-E7yBRU#oHE8AF!{-85#d(v8~<5Nf6`M@i$ z(nBCD9p%V@vjGyvYq}hMdN_I$Q)a%c-+e`@xz)W|!RYQTVS^j_v-7X+qwh&~@7z!_ zLwuOeRE2wP1EI;~HC@m?7je{cBMm=UrQezWPa|#E__uF3a|M6mLVden!q*TokeefP z^kTp9z;~KnIKiX~CBs)RuHmzEnk?I?JoaQg?&S8}mNhJ8c{q47go{)5s?U4_*4zRB zFfjyV`h0u$OV|1O57+sp>GTiaU)wJzu(8>XA0S{|^fe6sk}V2@`(}&&67C|-tETAX zIFB#G{cVx{F31bitJd6Q)NYu<{2kg!xzY!h`?msB+)dAk+ zKsztPT^{HCF3yV#Ty5|!1H%*kP2xqn_dC#ER|e{p%Ah6svH1V>2mfvLSG$ADL7H8` syWA`MF4BwTU%kg(MkXftQ2>{2wf_Wp9j3GZ03qzR2c}lWWZ(Y#KkPIU7ytkO literal 0 HcmV?d00001