Merge remote-tracking branch 'origin/master'
commit
89be42a649
@ -51,7 +51,7 @@ public class CDAUtilities {
|
|||
private final Document doc;
|
||||
|
||||
public CDAUtilities(InputStream stream) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
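Review bot: The new first line of the constructor, `DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();`, is not accompanied on this page by an import hunk for `org.hl7.fhir.utilities.xml.XMLUtil` in this file, whereas the DigitalSignatures and TestingUtilities sections further down do show one being added; presumably the import already existed, but that is worth confirming for each convertor file changed here (CKMImporter, CountryCodesConverter, DicomPackageBuilder, ICPC2Importer, LoincToDEConvertor, ADLImporter, ISO21090Importer, Translations) since a missing import is a compile error, not a runtime one. A one-line comment would also stop the plain factory from creeping back in a later edit: `// XXE-hardened factory from XMLUtil; do not replace with DocumentBuilderFactory.newInstance()`. The constructor body continues outside the hunk.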
@ -130,7 +130,7 @@ public class CKMImporter {
|
|||
res.checkThrowException();
|
||||
InputStream xml = new ByteArrayInputStream(res.getContent());
|
||||
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
DocumentBuilder db = dbf.newDocumentBuilder();
|
||||
return db.parse(xml);
|
||||
}
|
||||
|
|
|
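Review bot: The bytes parsed at `return db.parse(xml);` come from a remote response (`res.getContent()`), so this is a place where the hardened factory on the line above is load-bearing rather than merely defensive, and nothing in the hunk marks the input as untrusted. A comment on the factory line makes that explicit for the next maintainer: `// res.getContent() is remote, untrusted XML — keep the XXE-hardened factory`. The enclosing method starts outside the hunk.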
@ -357,7 +357,7 @@ public class CountryCodesConverter {
|
|||
}
|
||||
|
||||
private Document load() throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
@ -131,7 +131,7 @@ public class DicomPackageBuilder {
|
|||
}
|
||||
|
||||
private CodeSystem buildCodeSystem() throws ParserConfigurationException, FileNotFoundException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document doc = builder.parse(ManagedFileAccess.inStream(Utilities.path(source, "Resources", "Ontology", "DCM", "dcm.owl")));
|
||||
|
|
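Review bot: `Document doc = builder.parse(ManagedFileAccess.inStream(Utilities.path(source, "Resources", "Ontology", "DCM", "dcm.owl")));` on the hunk's last line hands the parser a stream that nothing in the method closes; the JAXP contract does not promise that `parse(InputStream)` closes its argument, and on the exception path the handle is certainly left to the parser implementation. Assuming `ManagedFileAccess.inStream` returns an `InputStream`, declare the document first and parse inside try-with-resources: `Document doc;` / `try (InputStream in = ManagedFileAccess.inStream(Utilities.path(source, "Resources", "Ontology", "DCM", "dcm.owl"))) { doc = builder.parse(in); }`. The same unclosed-stream pattern sits on the last line of the ICPC2Importer hunks (`builder.parse(ManagedFileAccess.inStream(sourceFileName))`), the ADLImporter hunk (`adlConfig = builder.parse(ManagedFileAccess.inStream(config))...`), the ISO21090Importer hunk, and every Translations hunk (`builder.parse(new CSFileInputStream(filename))`). `buildCodeSystem` continues outside the hunk.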
|
@ -120,7 +120,7 @@ public class ICPC2Importer {
|
|||
}
|
||||
|
||||
public void go() throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));
|
||||
|
|
|
@ -148,7 +148,7 @@ public class LoincToDEConvertor {
|
|||
|
||||
}
|
||||
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
package org.hl7.fhir.convertors.misc.adl;
|
||||
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileOutputStream;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
|
@ -89,7 +87,7 @@ public class ADLImporter {
|
|||
|
||||
private void execute() throws Exception {
|
||||
// load config
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
adlConfig = builder.parse(ManagedFileAccess.inStream(config)).getDocumentElement();
|
||||
|
|
|
@ -317,7 +317,7 @@ public class ISO21090Importer {
|
|||
}
|
||||
|
||||
private void load() throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document doc = builder.parse(ManagedFileAccess.inStream("C:\\work\\projects\\org.hl7.v3.dt\\iso\\iso-21090-datatypes.xsd"));
|
||||
|
|
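Review bot: `Document doc = builder.parse(ManagedFileAccess.inStream("C:\\work\\projects\\org.hl7.v3.dt\\iso\\iso-21090-datatypes.xsd"));` on the hunk's last line bakes one developer's absolute Windows path into `load()`, so the importer cannot run on any other machine; this predates the commit but it is the line being hardened, and a hardened parser over a path nobody else can reach is not much of a guarantee. Take the location from a field or constructor argument the way ICPC2Importer does with `sourceFileName`, e.g. `Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));`. `load()` continues outside the hunk.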
|
@ -162,7 +162,7 @@ public class LoincToDEConvertor {
|
|||
}
|
||||
|
||||
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
@ -60,6 +60,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
|
|||
import javax.xml.parsers.ParserConfigurationException;
|
||||
|
||||
import org.hl7.fhir.exceptions.FHIRException;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.hl7.fhir.utilities.xml.XmlGenerator;
|
||||
import org.w3c.dom.Document;
|
||||
import org.xml.sax.SAXException;
|
||||
|
@ -73,7 +74,7 @@ public class DigitalSignatures {
|
|||
//
|
||||
byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
|
||||
// load the document that's going to be signed
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
dbf.setNamespaceAware(true);
|
||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
|
||||
|
|
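Review bot: `byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();` two lines above the new factory encodes with the platform default charset, which before Java 18 varies by host; per the comment below it these bytes are the document that is about to be signed, so a host-dependent encoding would presumably give host-dependent signatures. Use `byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes(StandardCharsets.UTF_8);` and add `java.nio.charset.StandardCharsets` to the imports if it is not already there. The identical line appears in the other DigitalSignatures sections on this page (the hunks headed `@ -73,7 +74,7`, `@ -74,7 +75,7` and `@ -88,7 +89,7 @@ public class DigitalSignatures`), and the method continues outside the hunk.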
|
@ -70,7 +70,7 @@ public class Translations {
|
|||
*/
|
||||
public void load(String filename)
|
||||
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
loadMessages(builder.parse(new CSFileInputStream(filename)));
|
||||
}
|
||||
|
|
|
@ -17,6 +17,7 @@ import org.hl7.fhir.utilities.TextFile;
|
|||
import org.hl7.fhir.utilities.Utilities;
|
||||
import org.hl7.fhir.utilities.filesystem.CSFile;
|
||||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.NamedNodeMap;
|
||||
|
@ -145,7 +146,7 @@ public class TestingUtilities {
|
|||
}
|
||||
|
||||
private static Document loadXml(String fn) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
|
|
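Review bot: After the switch to `XMLUtil.newXXEProtectedDocumentBuilderFactory()`, `loadXml` still sets `disallow-doctype-decl`, `external-general-entities` and `external-parameter-entities` by hand on the next three lines, so two places now own the hardening policy and can drift apart. If the helper already applies these features (not visible on this page — check XMLUtil), the three `factory.setFeature(...)` calls should go; if it does not, the fix belongs in XMLUtil rather than in each caller, and a one-line comment such as `// hardening is applied centrally by XMLUtil` should replace the manual calls either way. The same leftover `// xxe protection` block follows the new factory in every `XmlParser.parse` hunk on this page (the sections headed `public class XmlParser extends ParserBase`) and in the other TestingUtilities sections. `loadXml` continues outside the hunk.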
|
@ -36,7 +36,6 @@ import java.util.List;
|
|||
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import javax.xml.transform.Transformer;
|
||||
import javax.xml.transform.TransformerFactory;
|
||||
|
@ -78,7 +77,7 @@ public class XmlParser extends ParserBase {
|
|||
public Element parse(InputStream stream) throws Exception {
|
||||
Document doc = null;
|
||||
try {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
// xxe protection
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
|
@ -95,16 +94,10 @@ public class XmlParser extends ParserBase {
|
|||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
doc = docBuilder.newDocument();
|
||||
DOMResult domResult = new DOMResult(doc);
|
||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||
spf.setNamespaceAware(true);
|
||||
spf.setValidating(false);
|
||||
SAXParser saxParser = spf.newSAXParser();
|
||||
XMLReader xmlReader = saxParser.getXMLReader();
|
||||
// xxe protection
|
||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||
|
||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||
InputSource inputSource = new InputSource(stream);
|
||||
|
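Review bot: The removed SAX setup only ever disabled `external-general-entities` and `disallow-doctype-decl` on `spf` and `xmlReader`, never `external-parameter-entities` or external DTD loading; whether `XMLUtil.newXXEProtectedSaxParserFactory()` and `XMLUtil.getXXEProtectedXMLReader(spf)` close that gap cannot be read from this page, and it is exactly what a later reader will want to know at this call site. Add `// XMLUtil owns the XXE hardening for spf and the reader; do not set parser features here` above `XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);`. `SAXParser saxParser = spf.newSAXParser();` no longer exists, and `parse` continues outside the hunk, so confirm nothing below still references `saxParser` and that the `javax.xml.parsers.SAXParser` import is the one dropped in the import hunk above. The same points apply to the XmlParser sections for the other model versions on this page.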
|
|
@ -116,7 +116,7 @@ public class ICPC2Importer {
|
|||
}
|
||||
|
||||
public void go() throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));
|
||||
|
|
|
@ -162,7 +162,7 @@ public class LoincToDEConvertor {
|
|||
}
|
||||
|
||||
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
@ -60,6 +60,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
|
|||
import javax.xml.parsers.ParserConfigurationException;
|
||||
|
||||
import org.hl7.fhir.exceptions.FHIRException;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.hl7.fhir.utilities.xml.XmlGenerator;
|
||||
import org.w3c.dom.Document;
|
||||
import org.xml.sax.SAXException;
|
||||
|
@ -73,7 +74,7 @@ public class DigitalSignatures {
|
|||
//
|
||||
byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
|
||||
// load the document that's going to be signed
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
dbf.setNamespaceAware(true);
|
||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
|
||||
|
|
|
@ -70,7 +70,7 @@ public class Translations {
|
|||
*/
|
||||
public void load(String filename)
|
||||
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
loadMessages(builder.parse(new CSFileInputStream(filename)));
|
||||
}
|
||||
|
|
|
@ -17,6 +17,7 @@ import org.hl7.fhir.utilities.TextFile;
|
|||
import org.hl7.fhir.utilities.Utilities;
|
||||
import org.hl7.fhir.utilities.filesystem.CSFile;
|
||||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.NamedNodeMap;
|
||||
|
@ -145,7 +146,7 @@ public class TestingUtilities {
|
|||
}
|
||||
|
||||
private static Document loadXml(String fn) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
|
|
|
@ -41,7 +41,6 @@ import java.util.List;
|
|||
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import javax.xml.transform.Transformer;
|
||||
import javax.xml.transform.TransformerFactory;
|
||||
|
@ -97,7 +96,7 @@ public class XmlParser extends ParserBase {
|
|||
public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException {
|
||||
Document doc = null;
|
||||
try {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
// xxe protection
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
|
@ -114,18 +113,11 @@ public class XmlParser extends ParserBase {
|
|||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
doc = docBuilder.newDocument();
|
||||
DOMResult domResult = new DOMResult(doc);
|
||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||
spf.setNamespaceAware(true);
|
||||
spf.setValidating(false);
|
||||
// xxe protection
|
||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
SAXParser saxParser = spf.newSAXParser();
|
||||
XMLReader xmlReader = saxParser.getXMLReader();
|
||||
// xxe protection
|
||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
|
||||
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||
|
||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||
InputSource inputSource = new InputSource(stream);
|
||||
SAXSource saxSource = new SAXSource(locationAnnotator, inputSource);
|
||||
|
|
|
@ -154,7 +154,7 @@ public class LoincToDEConvertor {
|
|||
|
||||
}
|
||||
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
@ -62,6 +62,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
|
|||
import javax.xml.parsers.ParserConfigurationException;
|
||||
|
||||
import org.hl7.fhir.exceptions.FHIRException;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.hl7.fhir.utilities.xml.XmlGenerator;
|
||||
import org.w3c.dom.Document;
|
||||
import org.xml.sax.SAXException;
|
||||
|
@ -74,7 +75,7 @@ public class DigitalSignatures {
|
|||
//
|
||||
byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
|
||||
// load the document that's going to be signed
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
dbf.setNamespaceAware(true);
|
||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
|
||||
|
|
|
@ -1,33 +1,33 @@
|
|||
package org.hl7.fhir.dstu3.utils;
|
||||
|
||||
/*
|
||||
Copyright (c) 2011+, HL7, Inc.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
* Neither the name of HL7 nor the names of its contributors may be used to
|
||||
endorse or promote products derived from this software without specific
|
||||
prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
*/
|
||||
/*
|
||||
Copyright (c) 2011+, HL7, Inc.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
* Neither the name of HL7 nor the names of its contributors may be used to
|
||||
endorse or promote products derived from this software without specific
|
||||
prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
*/
|
||||
|
||||
|
||||
|
||||
|
@ -71,7 +71,7 @@ public class Translations {
|
|||
* @throws Exception
|
||||
*/
|
||||
public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
loadMessages(builder.parse(new CSFileInputStream(filename)));
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.hl7.fhir.utilities.Utilities;
|
|||
import org.hl7.fhir.utilities.filesystem.CSFile;
|
||||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.NamedNodeMap;
|
||||
|
@ -176,7 +177,7 @@ public class TestingUtilities extends BaseTestingUtilities {
|
|||
}
|
||||
|
||||
private static Document loadXml(InputStream fn) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
|
|
|
@ -39,7 +39,6 @@ import java.util.List;
|
|||
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import javax.xml.transform.Transformer;
|
||||
import javax.xml.transform.TransformerFactory;
|
||||
|
@ -96,7 +95,7 @@ public class XmlParser extends ParserBase {
|
|||
public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException {
|
||||
Document doc = null;
|
||||
try {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
// xxe protection
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
|
@ -113,17 +112,10 @@ public class XmlParser extends ParserBase {
|
|||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
doc = docBuilder.newDocument();
|
||||
DOMResult domResult = new DOMResult(doc);
|
||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||
spf.setNamespaceAware(true);
|
||||
spf.setValidating(false);
|
||||
// xxe protection
|
||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
SAXParser saxParser = spf.newSAXParser();
|
||||
XMLReader xmlReader = saxParser.getXMLReader();
|
||||
// xxe protection
|
||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||
|
||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||
InputSource inputSource = new InputSource(stream);
|
||||
|
|
|
@ -156,7 +156,7 @@ public class LoincToDEConvertor {
|
|||
}
|
||||
|
||||
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
@ -59,6 +59,7 @@ import org.hl7.fhir.utilities.settings.FhirSettings;
|
|||
import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
|
||||
import org.hl7.fhir.utilities.tests.ResourceLoaderTests;
|
||||
import org.hl7.fhir.utilities.tests.TestConfig;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.NamedNodeMap;
|
||||
|
@ -256,7 +257,7 @@ public class TestingUtilities {
|
|||
}
|
||||
|
||||
private static Document loadXml(InputStream fn) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
|
|
|
@ -60,6 +60,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
|
|||
|
||||
import org.hl7.fhir.utilities.Utilities;
|
||||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.hl7.fhir.utilities.xml.XmlGenerator;
|
||||
import org.w3c.dom.Document;
|
||||
|
||||
|
@ -88,7 +89,7 @@ public class DigitalSignatures {
|
|||
//
|
||||
byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
|
||||
// load the document that's going to be signed
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
dbf.setNamespaceAware(true);
|
||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
|
||||
|
|
|
@ -70,7 +70,7 @@ public class Translations {
|
|||
*/
|
||||
public void load(String filename)
|
||||
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
loadMessages(builder.parse(new CSFileInputStream(filename)));
|
||||
}
|
||||
|
|
|
@ -39,7 +39,6 @@ import java.util.List;
|
|||
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import javax.xml.transform.Transformer;
|
||||
import javax.xml.transform.TransformerFactory;
|
||||
|
@ -52,7 +51,6 @@ import org.hl7.fhir.exceptions.FHIRFormatError;
|
|||
import org.hl7.fhir.r4b.conformance.ProfileUtilities;
|
||||
import org.hl7.fhir.r4b.context.IWorkerContext;
|
||||
import org.hl7.fhir.r4b.elementmodel.Element.SpecialElement;
|
||||
import org.hl7.fhir.r4b.elementmodel.ParserBase.NamedElement;
|
||||
import org.hl7.fhir.r4b.formats.FormatUtilities;
|
||||
import org.hl7.fhir.r4b.formats.IParser.OutputStyle;
|
||||
import org.hl7.fhir.r4b.model.DateTimeType;
|
||||
|
@ -111,7 +109,7 @@ public class XmlParser extends ParserBase {
|
|||
List<NamedElement> res = new ArrayList<>();
|
||||
Document doc = null;
|
||||
try {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
// xxe protection
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
|
@ -136,17 +134,10 @@ public class XmlParser extends ParserBase {
|
|||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
doc = docBuilder.newDocument();
|
||||
DOMResult domResult = new DOMResult(doc);
|
||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||
spf.setNamespaceAware(true);
|
||||
spf.setValidating(false);
|
||||
// xxe protection
|
||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
SAXParser saxParser = spf.newSAXParser();
|
||||
XMLReader xmlReader = saxParser.getXMLReader();
|
||||
// xxe protection
|
||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||
|
||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||
InputSource inputSource = new InputSource(stream);
|
||||
|
|
|
@ -156,7 +156,7 @@ public class LoincToDEConvertor {
|
|||
}
|
||||
|
||||
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
|
||||
|
|
|
@ -23,6 +23,7 @@ import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
|||
import org.hl7.fhir.utilities.npm.FilesystemPackageCacheManager;
|
||||
|
||||
import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.NamedNodeMap;
|
||||
|
@ -269,7 +270,7 @@ public class TestingUtilities extends BaseTestingUtilities {
|
|||
}
|
||||
|
||||
private static Document loadXml(InputStream fn) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
|
|
|
@ -60,6 +60,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
|
|||
|
||||
import org.hl7.fhir.utilities.Utilities;
|
||||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.hl7.fhir.utilities.xml.XmlGenerator;
|
||||
import org.w3c.dom.Document;
|
||||
|
||||
|
@ -88,7 +89,7 @@ public class DigitalSignatures {
|
|||
//
|
||||
byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
|
||||
// load the document that's going to be signed
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
dbf.setNamespaceAware(true);
|
||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
|
||||
|
|
|
@ -70,7 +70,7 @@ public class Translations {
|
|||
*/
|
||||
public void load(String filename)
|
||||
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
loadMessages(builder.parse(new CSFileInputStream(filename)));
|
||||
}
|
||||
|
|
|
@ -44,7 +44,6 @@ import java.util.Set;
|
|||
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.SAXParser;
|
||||
import javax.xml.parsers.SAXParserFactory;
|
||||
import javax.xml.transform.Transformer;
|
||||
import javax.xml.transform.TransformerFactory;
|
||||
|
@ -126,7 +125,7 @@ public class XmlParser extends ParserBase {
|
|||
ByteArrayInputStream stream = new ByteArrayInputStream(content);
|
||||
Document doc = null;
|
||||
try {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
// xxe protection
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
|
@ -150,17 +149,11 @@ public class XmlParser extends ParserBase {
|
|||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
doc = docBuilder.newDocument();
|
||||
DOMResult domResult = new DOMResult(doc);
|
||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||
spf.setNamespaceAware(true);
|
||||
spf.setValidating(false);
|
||||
// xxe protection
|
||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
SAXParser saxParser = spf.newSAXParser();
|
||||
XMLReader xmlReader = saxParser.getXMLReader();
|
||||
// xxe protection
|
||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
|
||||
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||
|
||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||
InputSource inputSource = new InputSource(stream);
|
||||
|
|
|
@ -15,6 +15,7 @@ import org.hl7.fhir.utilities.json.model.JsonPrimitive;
|
|||
import org.hl7.fhir.utilities.json.model.JsonProperty;
|
||||
import org.hl7.fhir.utilities.json.parser.JsonParser;
|
||||
import org.hl7.fhir.utilities.settings.FhirSettings;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.NamedNodeMap;
|
||||
|
@ -205,7 +206,7 @@ public class CompareUtilities extends BaseTestingUtilities {
|
|||
}
|
||||
|
||||
private Document loadXml(InputStream fn) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
|
|
|
@ -62,6 +62,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
|
|||
|
||||
import org.hl7.fhir.utilities.Utilities;
|
||||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.hl7.fhir.utilities.xml.XmlGenerator;
|
||||
import org.w3c.dom.Document;
|
||||
|
||||
|
@ -91,7 +92,7 @@ public class DigitalSignatures {
|
|||
//
|
||||
byte[] inputXml = "<Envelope xmlns=\"urn:envelope\">\r\n</Envelope>\r\n".getBytes();
|
||||
// load the document that's going to be signed
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
dbf.setNamespaceAware(true);
|
||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
|
||||
|
|
|
@ -1,33 +1,33 @@
|
|||
package org.hl7.fhir.r5.utils;
|
||||
|
||||
/*
|
||||
Copyright (c) 2011+, HL7, Inc.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
* Neither the name of HL7 nor the names of its contributors may be used to
|
||||
endorse or promote products derived from this software without specific
|
||||
prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
*/
|
||||
/*
|
||||
Copyright (c) 2011+, HL7, Inc.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
* Neither the name of HL7 nor the names of its contributors may be used to
|
||||
endorse or promote products derived from this software without specific
|
||||
prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
*/
|
||||
|
||||
|
||||
|
||||
|
@ -71,7 +71,7 @@ public class Translations {
|
|||
* @throws Exception
|
||||
*/
|
||||
public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
loadMessages(builder.parse(new CSFileInputStream(filename)));
|
||||
}
|
||||
|
|
|
@ -69,7 +69,7 @@ public class TranslatorXml implements TranslationServices {
|
|||
|
||||
|
||||
private void load(String filename) throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document xml = builder.parse(ManagedFileAccess.file(filename));
|
||||
|
|
|
@ -221,7 +221,7 @@ public class XLSXmlNormaliser {
|
|||
|
||||
|
||||
private Document parseXml(InputStream in) throws FHIRException, ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
return builder.parse(in);
|
||||
|
|
|
@ -1,33 +1,33 @@
|
|||
package org.hl7.fhir.utilities.xls;
|
||||
|
||||
/*
|
||||
Copyright (c) 2011+, HL7, Inc.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
* Neither the name of HL7 nor the names of its contributors may be used to
|
||||
endorse or promote products derived from this software without specific
|
||||
prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
*/
|
||||
/*
|
||||
Copyright (c) 2011+, HL7, Inc.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright notice, this
|
||||
list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
* Neither the name of HL7 nor the names of its contributors may be used to
|
||||
endorse or promote products derived from this software without specific
|
||||
prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
*/
|
||||
|
||||
|
||||
|
||||
|
@ -166,7 +166,7 @@ public class XLSXmlParser {
|
|||
|
||||
private Document parseXml(InputStream in) throws FHIRException {
|
||||
try {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
return builder.parse(in);
|
||||
|
|
|
@ -32,7 +32,6 @@ package org.hl7.fhir.utilities.xml;
|
|||
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
|
@ -43,9 +42,7 @@ import java.util.List;
|
|||
import java.util.Set;
|
||||
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
import javax.xml.parsers.*;
|
||||
import javax.xml.transform.Result;
|
||||
import javax.xml.transform.Source;
|
||||
import javax.xml.transform.Transformer;
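Review bot: The wildcard `import javax.xml.parsers.*;` introduced in this hunk replaces three explicit imports and pulls in the whole package, which hides which parser types XMLUtil actually depends on and can silently shadow names if the package gains new classes. Explicit imports for `DocumentBuilder`, `DocumentBuilderFactory`, `ParserConfigurationException`, `SAXParser` and `SAXParserFactory` keep the existing style of this import block, which has no other wildcards.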
|
||||
|
@ -65,10 +62,15 @@ import org.w3c.dom.NodeList;
|
|||
import org.w3c.dom.ls.DOMImplementationLS;
|
||||
import org.w3c.dom.ls.LSSerializer;
|
||||
import org.xml.sax.SAXException;
|
||||
import org.xml.sax.SAXNotRecognizedException;
|
||||
import org.xml.sax.SAXNotSupportedException;
|
||||
import org.xml.sax.XMLReader;
|
||||
|
||||
public class XMLUtil {
|
||||
|
||||
public static final String SPACE_CHAR = "\u00A0";
|
||||
public static final String SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
|
||||
public static final String APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
|
||||
|
||||
public static boolean isNMToken(String name) {
|
||||
if (name == null)
|
||||
|
@ -437,28 +439,28 @@ public class XMLUtil {
|
|||
}
|
||||
|
||||
public static Document parseToDom(String content) throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
return builder.parse(new ByteArrayInputStream(content.getBytes()));
|
||||
}
|
||||
|
||||
public static Document parseToDom(byte[] content) throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
return builder.parse(new ByteArrayInputStream(content));
|
||||
}
|
||||
|
||||
public static Document parseToDom(byte[] content, boolean ns) throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(ns);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
return builder.parse(new ByteArrayInputStream(content));
|
||||
}
|
||||
|
||||
public static Document parseFileToDom(String filename) throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(false);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
FileInputStream fs = ManagedFileAccess.inStream(filename);
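Review bot: Switching `parseToDom` and `parseFileToDom` to the XXE-protected factory means any input that carries a DOCTYPE declaration is now rejected at parse time, and none of the four methods in this hunk documents that; callers that previously parsed such files will now see a SAXParseException with no hint why. A Javadoc line on each, e.g. `@throws SAXException if the content is not well-formed XML or contains a DOCTYPE declaration, which is refused to prevent XXE`, makes the new contract explicit. Separately, `content.getBytes()` in the String overload still uses the platform default charset, so `content.getBytes(StandardCharsets.UTF_8)` would make the byte conversion deterministic across hosts. `parseFileToDom` continues past the end of the hunk, so whether `fs` is closed is not visible here.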
|
||||
|
@ -470,7 +472,7 @@ public class XMLUtil {
|
|||
}
|
||||
|
||||
public static Document parseFileToDom(String filename, boolean ns) throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setNamespaceAware(ns);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
FileInputStream fs = ManagedFileAccess.inStream(filename);
|
||||
|
@ -503,13 +505,42 @@ public class XMLUtil {
|
|||
}
|
||||
|
||||
public static TransformerFactory newXXEProtectedTransformerFactory() {
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
final TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
return transformerFactory;
|
||||
}
|
||||
|
||||
public static DocumentBuilderFactory newXXEProtectedDocumentBuilderFactory() throws ParserConfigurationException {
|
||||
final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
|
||||
documentBuilderFactory.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
|
||||
documentBuilderFactory.setXIncludeAware(false);
|
||||
return documentBuilderFactory;
|
||||
}
|
||||
|
||||
public static SAXParserFactory newXXEProtectedSaxParserFactory() throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
|
||||
final SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||
spf.setFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
|
||||
spf.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
|
||||
return spf;
|
||||
}
|
||||
|
||||
public static XMLReader getXXEProtectedXMLReader(SAXParserFactory spf) throws ParserConfigurationException, SAXException {
|
||||
final SAXParser saxParser = spf.newSAXParser();
|
||||
final XMLReader xmlReader = saxParser.getXMLReader();
|
||||
|
||||
final boolean externalGeneralEntitiesFeatureValue = spf.getFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES);
|
||||
if (externalGeneralEntitiesFeatureValue) {
|
||||
throw new IllegalArgumentException("SAXParserFactory has insecure feature setting:" + SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES+ "=" + externalGeneralEntitiesFeatureValue);
|
||||
}
|
||||
final boolean disallowDocTypeDeclFeatureValue = spf.getFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL);
|
||||
if (!disallowDocTypeDeclFeatureValue) {
|
||||
throw new IllegalArgumentException("SAXParserFactory has insecure feature setting:" + APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL + "=" + disallowDocTypeDeclFeatureValue);
|
||||
}
|
||||
xmlReader.setFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
|
||||
xmlReader.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
|
||||
return xmlReader;
|
||||
}
|
||||
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
|
||||
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
|
||||
Transformer transformer = transformerFactory.newTransformer();
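Review bot: `newXXEProtectedDocumentBuilderFactory` only disables DOCTYPE and XInclude, so the entity features the replaced call sites used to set are now missing from the shared factory; CompareUtilities.loadXml, UtilitiesXTests.loadXml, XmlParser and ValidatorUtils.parseXml all still add them by hand after calling the helper, which shows the helper is not yet the single source of truth. Disallowing DOCTYPE is the primary XXE defence, but also forcing external-general-entities and external-parameter-entities to false and calling `setExpandEntityReferences(false)` in the helper keeps the factory safe if a caller later re-enables DOCTYPE, and lets the per-call-site feature lines be deleted. `getXXEProtectedXMLReader` likewise checks only two features and would accept a factory with external parameter entities enabled. A Javadoc on each helper stating which features are forced, and that `setFeature` throws `ParserConfigurationException` when the underlying parser cannot honour them (so the factory fails closed rather than open), would help callers; the message in `getXXEProtectedXMLReader` also lacks a space after `setting:`.
```java
public static DocumentBuilderFactory newXXEProtectedDocumentBuilderFactory() throws ParserConfigurationException {
  final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
  // Primary defence: without a DOCTYPE no entities can be declared at all.
  documentBuilderFactory.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
  // Defence in depth: stays safe even if a caller re-enables DOCTYPE on this factory.
  documentBuilderFactory.setFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
  documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
  documentBuilderFactory.setExpandEntityReferences(false);
  documentBuilderFactory.setXIncludeAware(false);
  return documentBuilderFactory;
}
```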
|
||||
|
|
|
@ -37,6 +37,7 @@ import org.hl7.fhir.utilities.VersionUtilities;
|
|||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.i18n.I18nConstants;
|
||||
import org.hl7.fhir.utilities.validation.ValidationMessage;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.hl7.fhir.validation.cli.utils.AsteriskFilter;
|
||||
import org.hl7.fhir.validation.cli.utils.Common;
|
||||
import org.w3c.dom.Document;
|
||||
|
@ -115,7 +116,7 @@ public class ValidatorUtils {
|
|||
}
|
||||
|
||||
protected static Document parseXml(byte[] cnt) throws ParserConfigurationException, SAXException, IOException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
// xxe protection
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
|
|
|
@ -64,6 +64,7 @@ import org.hl7.fhir.utilities.VersionUtilities;
|
|||
import org.hl7.fhir.utilities.filesystem.CSFile;
|
||||
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
|
||||
import org.hl7.fhir.utilities.npm.FilesystemPackageCacheManager;
|
||||
import org.hl7.fhir.utilities.xml.XMLUtil;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.NamedNodeMap;
|
||||
|
@ -277,7 +278,7 @@ public class UtilitiesXTests {
|
|||
}
|
||||
|
||||
private static Document loadXml(InputStream fn) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
|
||||
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
|
|