Merge pull request #1717 from hapifhir/do-20240816-xslt-external

Move all instantiation of transformerFactory to XMLUtils and set ACCESS_EXTERNAL flags automatically
2024-08-27 08:00:51 +08:00 · 2024-08-27 08:00:51 +08:00 · edd5b7a560
parent 9aef2793ce 5dc40f8030
commit edd5b7a560
11 changed files with 50 additions and 40 deletions
--- a/.github/workflows/license-check/license-whitelist.txt
+++ b/.github/workflows/license-check/license-whitelist.txt
@ -10,6 +10,7 @@ Apache-2.0
 Apache 2
 Apache 2.0
 Apache License 2.0
+Apache License version 2.0
 Eclipse Public License v2.0
 BSD licence
 The BSD License
--- a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
+++ b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
@ -90,7 +90,7 @@ public class XmlParser extends ParserBase {
      factory.setNamespaceAware(true);
      if (policy == ValidationPolicy.EVERYTHING) {
        // use a slower parser that keeps location data
-        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
        Transformer nullTransformer = transformerFactory.newTransformer();
        DocumentBuilder docBuilder = factory.newDocumentBuilder();
        doc = docBuilder.newDocument();
--- a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
@ -1,33 +1,33 @@
 package org.hl7.fhir.dstu3.elementmodel;

-/*
-  Copyright (c) 2011+, HL7, Inc.
-  All rights reserved.
-  
-  Redistribution and use in source and binary forms, with or without modification, 
-  are permitted provided that the following conditions are met:
-    
-   * Redistributions of source code must retain the above copyright notice, this 
-     list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above copyright notice, 
-     this list of conditions and the following disclaimer in the documentation 
-     and/or other materials provided with the distribution.
-   * Neither the name of HL7 nor the names of its contributors may be used to 
-     endorse or promote products derived from this software without specific 
-     prior written permission.
-  
-  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 
-  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
-  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
-  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
-  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
-  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
-  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
-  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
-  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-  POSSIBILITY OF SUCH DAMAGE.
-  
- */
+/*
+  Copyright (c) 2011+, HL7, Inc.
+  All rights reserved.
+  
+  Redistribution and use in source and binary forms, with or without modification, 
+  are permitted provided that the following conditions are met:
+    
+   * Redistributions of source code must retain the above copyright notice, this 
+     list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above copyright notice, 
+     this list of conditions and the following disclaimer in the documentation 
+     and/or other materials provided with the distribution.
+   * Neither the name of HL7 nor the names of its contributors may be used to 
+     endorse or promote products derived from this software without specific 
+     prior written permission.
+  
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 
+  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
+  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
+  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
+  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
+  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
+  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+  POSSIBILITY OF SUCH DAMAGE.
+  
+ */



@ -109,7 +109,7 @@ public class XmlParser extends ParserBase {
  		factory.setNamespaceAware(true);
  		if (policy == ValidationPolicy.EVERYTHING) {
  			// use a slower parser that keeps location data
-  			TransformerFactory transformerFactory = TransformerFactory.newInstance();
+  			TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
  			Transformer nullTransformer = transformerFactory.newTransformer();
  			DocumentBuilder docBuilder = factory.newDocumentBuilder();
  			doc = docBuilder.newDocument();
--- a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
@ -108,7 +108,7 @@ public class XmlParser extends ParserBase {
      factory.setNamespaceAware(true);
      if (policy == ValidationPolicy.EVERYTHING) {
        // use a slower parser that keeps location data
-        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
        Transformer nullTransformer = transformerFactory.newTransformer();
        DocumentBuilder docBuilder = factory.newDocumentBuilder();
        doc = docBuilder.newDocument();
--- a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
@ -131,7 +131,7 @@ public class XmlParser extends ParserBase {
          stream.reset();
        }
        // use a slower parser that keeps location data
-        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
        Transformer nullTransformer = transformerFactory.newTransformer();
        DocumentBuilder docBuilder = factory.newDocumentBuilder();
        doc = docBuilder.newDocument();
--- a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
@ -144,7 +144,7 @@ public class XmlParser extends ParserBase {
        stream.reset();

        // use a slower parser that keeps location data
-        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
        Transformer nullTransformer = transformerFactory.newTransformer();
        DocumentBuilder docBuilder = factory.newDocumentBuilder();
        doc = docBuilder.newDocument();
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/MyURIResolver.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/MyURIResolver.java
@ -94,7 +94,7 @@ public class MyURIResolver implements URIResolver {
          if (s != null)
            return s;
        }
-        return TransformerFactory.newInstance().getURIResolver().resolve(href, base);
+        return org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory().getURIResolver().resolve(href, base);
      } else
        return new StreamSource(ManagedFileAccess.inStream(href.contains(File.separator) ? href : Utilities.path(path, href)));
    } catch (FileNotFoundException e) {
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java
@ -73,7 +73,7 @@ public class XsltUtilities {
  }

  public static byte[] transform(Map<String, byte[]> files, byte[] source, byte[] xslt) throws TransformerException {
-    TransformerFactory f = TransformerFactory.newInstance();
+    TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
    f.setAttribute("http://saxon.sf.net/feature/version-warning", Boolean.FALSE);
    StreamSource xsrc = new StreamSource(new ByteArrayInputStream(xslt));
    f.setURIResolver(new ZipURIResolver(files));
@ -129,7 +129,7 @@ public class XsltUtilities {

  public static void transform(String xsltDir, String source, String xslt, String dest, URIResolver alt) throws TransformerException, IOException {

-    TransformerFactory f = TransformerFactory.newInstance();
+    TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
    StreamSource xsrc = new StreamSource(ManagedFileAccess.inStream(xslt));
    f.setURIResolver(new MyURIResolver(xsltDir, alt));
    Transformer t = f.newTransformer(xsrc);
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java
@ -229,7 +229,7 @@ public class XLSXmlNormaliser {

  private void saveXml(FileOutputStream stream) throws TransformerException, IOException {

-    TransformerFactory factory = TransformerFactory.newInstance();
+    TransformerFactory factory = XMLUtil.newXXEProtectedTransformerFactory();
    Transformer transformer = factory.newTransformer();
    Result result = new StreamResult(stream);
    Source source = new DOMSource(xml);
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java
@ -42,6 +42,7 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;

+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@ -501,8 +502,16 @@ public class XMLUtil {
    return e == null ? null : e.getAttribute(aname);
  }

-  public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
+  public static TransformerFactory newXXEProtectedTransformerFactory() {
    TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+    return transformerFactory;
+  }
+
+
+  public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
+    TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
    Transformer transformer = transformerFactory.newTransformer();
    DOMSource source = new DOMSource(doc);
    StreamResult streamResult =  new StreamResult(ManagedFileAccess.file(filename));
@ -593,7 +602,7 @@ public class XMLUtil {
  }

  public static void saveToFile(Element root, OutputStream stream) throws TransformerException {
-    Transformer transformer = TransformerFactory.newInstance().newTransformer();
+    Transformer transformer = XMLUtil.newXXEProtectedTransformerFactory().newTransformer();
    Result output = new StreamResult(stream);
    Source input = new DOMSource(root);

--- a/pom.xml
+++ b/pom.xml
@ -32,7 +32,7 @@
        <lombok_version>1.18.32</lombok_version>
        <byte_buddy_version>1.14.8</byte_buddy_version>
        <apache_poi_version>5.2.1</apache_poi_version>
-        <saxon_he_version>9.8.0-15</saxon_he_version>
+        <saxon_he_version>11.6</saxon_he_version>
        <maven.compiler.release>11</maven.compiler.release>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>