From 60470b1a28155df059d30ce7754aec568efe4b30 Mon Sep 17 00:00:00 2001
From: dotasek
Date: Fri, 16 Aug 2024 10:34:50 -0400
Subject: [PATCH 1/3] Move all instantiation of transformerFactory to XMLUtils and set ACCESS_EXTERNAL flags automatically

---
 .../fhir/dstu2016may/metamodel/XmlParser.java | 2 +-
 .../fhir/dstu3/elementmodel/XmlParser.java | 58 +++++++++----------
 .../hl7/fhir/r4/elementmodel/XmlParser.java | 2 +-
 .../hl7/fhir/r4b/elementmodel/XmlParser.java | 2 +-
 .../hl7/fhir/r5/elementmodel/XmlParser.java | 2 +-
 .../org/hl7/fhir/utilities/MyURIResolver.java | 2 +-
 .../org/hl7/fhir/utilities/XsltUtilities.java | 4 +-
 .../fhir/utilities/xls/XLSXmlNormaliser.java | 2 +-
 .../org/hl7/fhir/utilities/xml/XMLUtil.java | 13 ++++-
 pom.xml | 2 +-
 10 files changed, 49 insertions(+), 40 deletions(-)

diff --git a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
index d9d4746cd..fd78719fd 100644
--- a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
+++ b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
@@ -90,7 +90,7 @@ public class XmlParser extends ParserBase {
 factory.setNamespaceAware(true);
 if (policy == ValidationPolicy.EVERYTHING) {
 // use a slower parser that keeps location data
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
 Transformer nullTransformer = transformerFactory.newTransformer();
 DocumentBuilder docBuilder = factory.newDocumentBuilder();
 doc = docBuilder.newDocument();
diff --git a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
index 805db40c1..3e160f815 100644
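Review bot: The attributes set by `XMLUtil.newXXEProtectedTransformerFactory()` only govern resources the identity transformer resolves itself; the `DocumentBuilderFactory` used on the context lines (`factory.setNamespaceAware(true)`, `factory.newDocumentBuilder()`) is not touched here, and if it is not hardened elsewhere (`FEATURE_SECURE_PROCESSING`, a disallowed DOCTYPE) the XXE protection this commit aims at stays incomplete for anything parsed through `docBuilder`. If `nullTransformer` is later given a `SAXSource` that carries a caller-built `XMLReader`, the factory settings do not reach that reader either — that code is outside the hunk, so this is a point to confirm rather than a confirmed defect. The same applies to the identical hunks in the dstu3, r4, r4b and r5 `XmlParser` files. The unqualified `XMLUtil` reference relies on an import of `org.hl7.fhir.utilities.xml.XMLUtil` that the hunk does not show, and the enclosing method continues outside the hunk.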
--- a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
@@ -1,33 +1,33 @@ package org.hl7.fhir.dstu3.elementmodel; -/* - Copyright (c) 2011+, HL7, Inc. - All rights reserved. - - Redistribution and use in source and binary forms, with or without modification, - are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the name of HL7 nor the names of its contributors may be used to - endorse or promote products derived from this software without specific - prior written permission. - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - - */ +/* + Copyright (c) 2011+, HL7, Inc. + All rights reserved. + + Redistribution and use in source and binary forms, with or without modification, + are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the name of HL7 nor the names of its contributors may be used to
+ endorse or promote products derived from this software without specific
+ prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ */
@@ -109,7 +109,7 @@ public class XmlParser extends ParserBase {
 factory.setNamespaceAware(true);
 if (policy == ValidationPolicy.EVERYTHING) {
 // use a slower parser that keeps location data
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
 Transformer nullTransformer = transformerFactory.newTransformer();
 DocumentBuilder docBuilder = factory.newDocumentBuilder();
 doc = docBuilder.newDocument();
diff --git a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
index 8c49d9dff..c6675bc87 100644
--- a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
@@ -108,7 +108,7 @@ public class XmlParser extends ParserBase {
 factory.setNamespaceAware(true);
 if (policy == ValidationPolicy.EVERYTHING) {
 // use a slower parser that keeps location data
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
 Transformer nullTransformer = transformerFactory.newTransformer();
 DocumentBuilder docBuilder = factory.newDocumentBuilder();
 doc = docBuilder.newDocument();
diff --git a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
index c36fb2ba6..5127bb8c3 100644
--- a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
@@ -131,7 +131,7 @@ public class XmlParser extends ParserBase {
 stream.reset();
 }
 // use a slower parser that keeps location data
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
 Transformer nullTransformer = transformerFactory.newTransformer();
 DocumentBuilder docBuilder = factory.newDocumentBuilder();
 doc = docBuilder.newDocument();
diff --git a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
index 58a799d6a..2509eb803 100644
--- a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
@@ -144,7 +144,7 @@ public class XmlParser extends ParserBase { stream.reset(); // use a slower parser that keeps location data - TransformerFactory transformerFactory = TransformerFactory.newInstance(); + TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory(); Transformer nullTransformer = transformerFactory.newTransformer(); DocumentBuilder docBuilder = factory.newDocumentBuilder(); doc = docBuilder.newDocument(); diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/MyURIResolver.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/MyURIResolver.java index cc11943a1..eecdb942f 100644 --- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/MyURIResolver.java +++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/MyURIResolver.java @@ -94,7 +94,7 @@ public class MyURIResolver implements URIResolver { if (s != null) return s; } - return TransformerFactory.newInstance().getURIResolver().resolve(href, base); + return org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory().getURIResolver().resolve(href, base); } else return new StreamSource(ManagedFileAccess.inStream(href.contains(File.separator) ? href : Utilities.path(path, href))); } catch (FileNotFoundException e) { diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java index 4507fc6c9..5a7e9b9fb 100644 --- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java +++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java 
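Review bot: The new line in `MyURIResolver` still builds a full `TransformerFactory` on every unresolved `href` just to reach its default `URIResolver`, and the `ACCESS_EXTERNAL_*` attributes set on that factory do not constrain what the returned resolver fetches — it is handed `href`/`base` directly — so this call site gains no external-access restriction from the change. Consider hoisting the fallback into a field, e.g. `private static final URIResolver FALLBACK = XMLUtil.newXXEProtectedTransformerFactory().getURIResolver();` (subject to that resolver being thread-safe, which I cannot confirm from here), and enforcing the allowed-protocol policy in `MyURIResolver` itself before delegating. Note that `getURIResolver()` returns `null` on the JDK's built-in factory when no resolver has been set; with Saxon on the classpath (per pom.xml) it presumably does not, but the code should not depend on which provider wins service lookup. The enclosing `resolve` method starts and ends outside the hunk.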
@@ -73,7 +73,7 @@ public class XsltUtilities { } public static byte[] transform(Map files, byte[] source, byte[] xslt) throws TransformerException { - TransformerFactory f = TransformerFactory.newInstance(); + TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory(); f.setAttribute("http://saxon.sf.net/feature/version-warning", Boolean.FALSE); StreamSource xsrc = new StreamSource(new ByteArrayInputStream(xslt)); f.setURIResolver(new ZipURIResolver(files)); @@ -129,7 +129,7 @@ public class XsltUtilities { public static void transform(String xsltDir, String source, String xslt, String dest, URIResolver alt) throws TransformerException, IOException { - TransformerFactory f = TransformerFactory.newInstance(); + TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory(); StreamSource xsrc = new StreamSource(ManagedFileAccess.inStream(xslt)); f.setURIResolver(new MyURIResolver(xsltDir, alt)); Transformer t = f.newTransformer(xsrc); diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java index add5a4b01..270d9700b 100644 --- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java +++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java @@ -229,7 +229,7 @@ public class XLSXmlNormaliser { private void saveXml(FileOutputStream stream) throws TransformerException, IOException { - TransformerFactory factory = TransformerFactory.newInstance(); + TransformerFactory factory = XMLUtil.newXXEProtectedTransformerFactory(); Transformer transformer = factory.newTransformer(); Result result = new StreamResult(stream); Source source = new DOMSource(xml); 
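Review bot: Both `transform` overloads register a custom `URIResolver` (`ZipURIResolver` here, `MyURIResolver` in the second hunk) immediately after creating the hardened factory; as far as I recall the JAXP `ACCESS_EXTERNAL_STYLESHEET` restriction is not applied to references a registered resolver handles, so for `xsl:import`/`xsl:include`/`document()` the effective access policy in these two methods is whatever those resolvers do, not the factory attribute. That deserves a comment on the `f.setURIResolver(...)` lines, e.g. `// external access for imports/document() is governed by the resolver, not ACCESS_EXTERNAL_STYLESHEET`, plus a check that `MyURIResolver`'s fall-through branch does not reopen remote access. The `f.setAttribute("http://saxon.sf.net/feature/version-warning", ...)` line shows this factory is expected to be Saxon; the JAXP contract lets `setAttribute` throw `IllegalArgumentException` for a name the implementation does not recognise, which is presumably why the Saxon version moves in this same patch series, and the helper should document that expectation. The fully qualified `org.hl7.fhir.utilities.xml.XMLUtil` reference differs from the plain `XMLUtil` used in the other files; an import would be consistent.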
diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java index a68dbe688..371f44705 100644 --- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java +++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java @@ -42,6 +42,7 @@ import java.util.ArrayList; import java.util.List; import java.util.Set; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -501,8 +502,16 @@ public class XMLUtil { return e == null ? null : e.getAttribute(aname); } - public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException { + public static TransformerFactory newXXEProtectedTransformerFactory() { TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + return transformerFactory; + } + + + public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException { + TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory(); Transformer transformer = transformerFactory.newTransformer(); DOMSource source = new DOMSource(doc); StreamResult streamResult = new StreamResult(ManagedFileAccess.file(filename)); @@ -593,7 +602,7 @@ public class XMLUtil { } public static void saveToFile(Element root, OutputStream stream) throws TransformerException { - Transformer transformer = TransformerFactory.newInstance().newTransformer(); + Transformer transformer = XMLUtil.newXXEProtectedTransformerFactory().newTransformer(); Result output = new StreamResult(stream); Source input = new DOMSource(root); 
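Review bot: `newXXEProtectedTransformerFactory` never enables `XMLConstants.FEATURE_SECURE_PROCESSING`, so the entity-expansion limits and extension-function restrictions that feature turns on stay off; only the two external-access attributes are set. `setAttribute` may also throw `IllegalArgumentException` on a `TransformerFactory` implementation that does not recognise these JAXP names — the Saxon version changes in this same patch series suggest that was hit — and the helper has no Javadoc stating what callers can rely on. Enabling secure processing needs `javax.xml.transform.TransformerConfigurationException` imported and, if any project stylesheet relies on Saxon extension functions, a test run, since secure mode disables them. The two consecutive blank lines between the new method and `writeDomToFile` look unintentional. The class continues outside the hunk.
```java
/**
 * Creates a TransformerFactory hardened against external resource access: secure
 * processing is enabled and external DTDs and stylesheets are disallowed
 * (ACCESS_EXTERNAL_* set to the empty string). The underlying implementation must
 * recognise these JAXP names; otherwise setAttribute throws IllegalArgumentException.
 */
public static TransformerFactory newXXEProtectedTransformerFactory() {
  TransformerFactory transformerFactory = TransformerFactory.newInstance();
  try {
    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  } catch (TransformerConfigurationException e) {
    // a factory that cannot run in secure mode must not be used on untrusted input
    throw new IllegalStateException("TransformerFactory does not support secure processing", e);
  }
  transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
  return transformerFactory;
}
// … unchanged: writeDomToFile …
```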
diff --git a/pom.xml b/pom.xml
index c5f5508ca..5f2ac137a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
 1.18.32
 1.14.8
 5.2.1
- 9.8.0-15
+ 12.5
 11
 11
 11

From d449ba32fca76ff5280b9242b254e9948c7687af Mon Sep 17 00:00:00 2001
From: dotasek
Date: Fri, 16 Aug 2024 17:53:10 -0400
Subject: [PATCH 2/3] Drop to saxon 11.6 for now

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 5f2ac137a..3b271c7c9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -32,7 +32,7 @@
 1.18.32
 1.14.8
 5.2.1
- 12.5
+ 11.6
 11
 11
 11

From 5dc40f8030fa4f2c49e5b4e28ac1a1e72151a89e Mon Sep 17 00:00:00 2001
From: dotasek
Date: Mon, 26 Aug 2024 15:27:06 -0400
Subject: [PATCH 3/3] Update license-whitelist.txt

---
 .github/workflows/license-check/license-whitelist.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/license-check/license-whitelist.txt b/.github/workflows/license-check/license-whitelist.txt
index 8ca2bd194..b938e0ba5 100644
--- a/.github/workflows/license-check/license-whitelist.txt
+++ b/.github/workflows/license-check/license-whitelist.txt
@@ -10,6 +10,7 @@ Apache-2.0
 Apache 2
 Apache 2.0
 Apache License 2.0
+Apache License version 2.0
 Eclipse Public License v2.0
 BSD licence
 The BSD License