Bug 63768: Adjust handling of SchemaFactory

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1867484 13f79535-47bb-0310-9956-ffa450edef68
2019-09-24 18:33:37 +00:00 · 2019-09-24 18:33:37 +00:00 · 06f28db213
parent 8e3286a64c
commit 06f28db213
3 changed files with 286 additions and 262 deletions
--- a/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
+++ b/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
@ -28,6 +28,7 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Vector;

+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@ -244,6 +245,7 @@ public class XSSFExportToXml implements Comparator<String>{
        try {
            String language = "http://www.w3.org/2001/XMLSchema";
            SchemaFactory factory = SchemaFactory.newInstance(language);
+            trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);

            Source source = new DOMSource(map.getSchema());
            Schema schema = factory.newSchema(source);
@ -535,4 +537,14 @@ public class XSSFExportToXml implements Comparator<String>{
        }
        return complexTypeNode;
    }
+
+    private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) {
+        try {
+            sf.setFeature(feature, enabled);
+        } catch (Exception e) {
+            LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e);
+        } catch (AbstractMethodError ame) {
+            LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame);
+        }
+    }
 }
--- a/src/ooxml/testcases/org/apache/poi/xssf/extractor/TestXSSFExportToXML.java
+++ b/src/ooxml/testcases/org/apache/poi/xssf/extractor/TestXSSFExportToXML.java
@ -51,6 +51,7 @@ import org.junit.Test;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;

 /**
 * @author Roberto Manicardi
@ -671,4 +672,15 @@ public final class TestXSSFExportToXML {
            }
        }
    }
+
+    @Test(expected = SAXParseException.class)
+    public void testXXEInSchema() throws Exception {
+        try (XSSFWorkbook wb = XSSFTestDataSamples.openSampleWorkbook("xxe_in_schema.xlsx")) {
+            for (XSSFMap map : wb.getCustomXMLMappings()) {
+                XSSFExportToXml exporter = new XSSFExportToXml(map);
+                ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                exporter.exportToXML(bos, true);
+            }
+        }
+    }
 }
--- a/test-data/spreadsheet/xxe_in_schema.xlsx
+++ b/test-data/spreadsheet/xxe_in_schema.xlsx