Sonar Fixes - fix/annotate type "vulnerability" / severity "blocker"

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1870657 13f79535-47bb-0310-9956-ffa450edef68

src/java/org/apache/poi/hssf/record/RecordFactoryInputStream.java

@@ -102,6 +102,7 @@ public final class RecordFactoryInputStream {
 			_lastRecord = rec;
 		}
 
+		@SuppressWarnings({"squid:S2068"})
 		public RecordInputStream createDecryptingStream(InputStream original) {
             String userPassword = Biff8EncryptionKey.getCurrentUserPassword();
 			if (userPassword == null) {

src/java/org/apache/poi/poifs/crypt/CryptoFunctions.java

@@ -101,6 +101,7 @@ public class CryptoFunctions {
      *        if false the n-1 hash value is applied first
      * @return the hashed password
      */
+    @SuppressWarnings({"squid:S2068"})
     public static byte[] hashPassword(String password, HashAlgorithm hashAlgorithm, byte[] salt, int spinCount, boolean iteratorFirst) {
         // If no password was given, use the default
         if (password == null) {

src/java/org/apache/poi/poifs/crypt/Decryptor.java

@@ -33,6 +33,7 @@ import org.apache.poi.poifs.filesystem.POIFSFileSystem;
 import org.apache.poi.util.GenericRecordUtil;
 
 public abstract class Decryptor implements Cloneable, GenericRecord {
+    @SuppressWarnings({"squid:S2068"})
     public static final String DEFAULT_PASSWORD="VelvetSweatshop";
     public static final String DEFAULT_POIFS_ENTRY="EncryptedPackage";
     

src/java/org/apache/poi/util/StaxHelper.java

@@ -17,6 +17,8 @@
 
 package org.apache.poi.util;
 
+import java.util.function.Consumer;
+
 import javax.xml.stream.XMLEventFactory;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
@@ -28,17 +30,19 @@ import javax.xml.stream.XMLOutputFactory;
 public final class StaxHelper {
     private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);
 
-    private StaxHelper() {}
+    private StaxHelper() {
+    }
 
     /**
      * Creates a new StAX XMLInputFactory, with sensible defaults
      */
+    @SuppressWarnings({"squid:S2755"})
     public static XMLInputFactory newXMLInputFactory() {
         XMLInputFactory factory = XMLInputFactory.newInstance();
-        trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
+        trySet(XMLInputFactory.IS_NAMESPACE_AWARE, (n) -> factory.setProperty(n, true));
-        trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
+        trySet(XMLInputFactory.IS_VALIDATING, (n) -> factory.setProperty(n, false));
-        trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
+        trySet(XMLInputFactory.SUPPORT_DTD, (n) -> factory.setProperty(n, false));
-        trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        trySet(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, (n) -> factory.setProperty(n, false));
         return factory;
     }
 
@@ -47,7 +51,7 @@ public final class StaxHelper {
      */
     public static XMLOutputFactory newXMLOutputFactory() {
         XMLOutputFactory factory = XMLOutputFactory.newInstance();
-        trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
+        trySet(XMLOutputFactory.IS_REPAIRING_NAMESPACES, (n) -> factory.setProperty(n, true));
         return factory;
     }
 
@@ -59,23 +63,13 @@ public final class StaxHelper {
         return XMLEventFactory.newInstance();
     }
 
-    private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
+    private static void trySet(String name, Consumer<String> securityFeature) {
         try {
-            factory.setProperty(feature, flag);
+            securityFeature.accept(name);
         } catch (Exception e) {
-            logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
+            logger.log(POILogger.WARN, "StAX Property unsupported", name, e);
         } catch (AbstractMethodError ame) {
-            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", name, ame);
-        }
-    }
-
-    private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) {
-        try {
-            factory.setProperty(feature, flag);
-        } catch (Exception e) {
-            logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
-        } catch (AbstractMethodError ame) {
-            logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
         }
     }
 }

src/java/org/apache/poi/util/XMLHelper.java

@@ -19,37 +19,47 @@ package org.apache.poi.util;
 
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
 /**
  * Helper methods for working with javax.xml classes.
  */
-public final class XMLHelper
+public final class XMLHelper {
-{
     private static POILogger logger = POILogFactory.getLogger(XMLHelper.class);
 
+    @FunctionalInterface
+    private interface SecurityFeature {
+        void accept(String name) throws ParserConfigurationException;
+    }
+
     /**
      * Creates a new DocumentBuilderFactory, with sensible defaults
+     *
+     * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">OWASP XXE</a>
      */
+    @SuppressWarnings({"squid:S2755"})
     public static DocumentBuilderFactory getDocumentBuilderFactory() {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setExpandEntityReferences(false);
-        trySetSAXFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
-        trySetSAXFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
+        trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setAttribute(n, ""));
-        trySetSAXFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
+        trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setAttribute(n, ""));
-        trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        trySet("http://xml.org/sax/features/external-general-entities", (n) -> factory.setFeature(n, false));
-        trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+        trySet("http://xml.org/sax/features/external-parameter-entities", (n) -> factory.setFeature(n, false));
+        trySet("http://apache.org/xml/features/nonvalidating/load-external-dtd", (n) -> factory.setFeature(n, false));
+        trySet("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", (n) -> factory.setFeature(n, false));
+        trySet("http://apache.org/xml/features/disallow-doctype-decl", (n) -> factory.setFeature(n, true));
+        trySet("XIncludeAware", (n) -> factory.setXIncludeAware(false));
         return factory;
     }
 
-    private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
+    private static void trySet(String name, SecurityFeature feature) {
         try {
-            documentBuilderFactory.setFeature(feature, enabled);
+            feature.accept(name);
         } catch (Exception e) {
-            logger.log(POILogger.WARN, "SAX Feature unsupported", feature, e);
+            logger.log(POILogger.WARN, "SAX Feature unsupported", name, e);
         } catch (AbstractMethodError ame) {
-            logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+            logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", name, ame);
         }
     }
-    
-
 }

src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java

@@ -39,10 +39,10 @@ import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
 
+import org.apache.poi.ooxml.util.DocumentHelper;
 import org.apache.poi.ooxml.util.TransformerHelper;
 import org.apache.poi.ss.usermodel.CellType;
 import org.apache.poi.ss.usermodel.DateUtil;
-import org.apache.poi.ooxml.util.DocumentHelper;
 import org.apache.poi.util.LocaleUtil;
 import org.apache.poi.util.POILogFactory;
 import org.apache.poi.util.POILogger;
@@ -82,6 +82,13 @@ import org.xml.sax.SAXException;
 public class XSSFExportToXml implements Comparator<String>{
     private static final POILogger LOG = POILogFactory.getLogger(XSSFExportToXml.class);
 
+
+    @FunctionalInterface
+    private interface SecurityFeature {
+        void accept(String name) throws SAXException;
+    }
+
+
     private XSSFMap map;
     private final HashMap<String, Integer> indexMap = new HashMap<>();
     /**
@@ -240,11 +247,13 @@ public class XSSFExportToXml implements Comparator<String>{
      * @return true, if document is valid
      * @throws SAXException If validating the document fails
      */
+    @SuppressWarnings({"squid:S2755"})
     private boolean isValid(Document xml) throws SAXException{
         try {
-            String language = "http://www.w3.org/2001/XMLSchema";
+            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-            SchemaFactory factory = SchemaFactory.newInstance(language);
+            trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
-            trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setProperty(n,""));
+            trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setProperty(n,""));
 
             Source source = new DOMSource(map.getSchema());
             Schema schema = factory.newSchema(source);
@@ -537,13 +546,13 @@ public class XSSFExportToXml implements Comparator<String>{
         return complexTypeNode;
     }
 
-    private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) {
+    private static void trySet(String name, SecurityFeature securityFeature) {
         try {
-            sf.setFeature(feature, enabled);
+            securityFeature.accept(name);
         } catch (Exception e) {
-            LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e);
+            LOG.log(POILogger.WARN, "SchemaFactory feature unsupported", name, e);
         } catch (AbstractMethodError ame) {
-            LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame);
+            LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", name, ame);
         }
     }
 }