Merge pull request #1717 from hapifhir/do-20240816-xslt-external

Move all instantiation of TransformerFactory into XMLUtil and set the ACCESS_EXTERNAL_* attributes automatically
Grahame Grieve 2024-08-27 08:00:51 +08:00 committed by GitHub
commit edd5b7a560
GPG Key ID: B5690EEEBB952194
11 changed files with 50 additions and 40 deletions


@ -10,6 +10,7 @@ Apache-2.0
Apache 2 Apache 2
Apache 2.0 Apache 2.0
Apache License 2.0 Apache License 2.0
Apache License version 2.0
Eclipse Public License v2.0 Eclipse Public License v2.0
BSD licence BSD licence
The BSD License The BSD License


@ -90,7 +90,7 @@ public class XmlParser extends ParserBase {
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
if (policy == ValidationPolicy.EVERYTHING) { if (policy == ValidationPolicy.EVERYTHING) {
// use a slower parser that keeps location data // use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer(); Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument(); doc = docBuilder.newDocument();
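Review bot: The swap to `XMLUtil.newXXEProtectedTransformerFactory()` hardens only the identity transformer; the component that actually reads the input document is the `DocumentBuilderFactory` named `factory` on the lines above, and its external-entity and DTD settings live outside this hunk and are untouched by the commit. Worth confirming that `factory` is configured with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` (or an equivalent XMLUtil helper) before this point, otherwise the method name promises more than the change delivers here. The same hunk is repeated in the other four XmlParser sections of this commit and the remark applies to each of them. The enclosing parse method starts and ends outside the hunk.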


@ -109,7 +109,7 @@ public class XmlParser extends ParserBase {
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
if (policy == ValidationPolicy.EVERYTHING) { if (policy == ValidationPolicy.EVERYTHING) {
// use a slower parser that keeps location data // use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer(); Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument(); doc = docBuilder.newDocument();


@ -108,7 +108,7 @@ public class XmlParser extends ParserBase {
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
if (policy == ValidationPolicy.EVERYTHING) { if (policy == ValidationPolicy.EVERYTHING) {
// use a slower parser that keeps location data // use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer(); Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument(); doc = docBuilder.newDocument();


@ -131,7 +131,7 @@ public class XmlParser extends ParserBase {
stream.reset(); stream.reset();
} }
// use a slower parser that keeps location data // use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer(); Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument(); doc = docBuilder.newDocument();


@ -144,7 +144,7 @@ public class XmlParser extends ParserBase {
stream.reset(); stream.reset();
// use a slower parser that keeps location data // use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer(); Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument(); doc = docBuilder.newDocument();


@ -94,7 +94,7 @@ public class MyURIResolver implements URIResolver {
if (s != null) if (s != null)
return s; return s;
} }
return TransformerFactory.newInstance().getURIResolver().resolve(href, base); return org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory().getURIResolver().resolve(href, base);
} else } else
return new StreamSource(ManagedFileAccess.inStream(href.contains(File.separator) ? href : Utilities.path(path, href))); return new StreamSource(ManagedFileAccess.inStream(href.contains(File.separator) ? href : Utilities.path(path, href)));
} catch (FileNotFoundException e) { } catch (FileNotFoundException e) {
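Review bot: The fallback on the `return org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory().getURIResolver().resolve(href, base);` line dereferences whatever `getURIResolver()` returns, and not every `TransformerFactory` implementation installs a default resolver, so this can surface as a NullPointerException instead of the TransformerException callers expect; it also builds a fresh factory for every unresolved href. As far as I can tell the ACCESS_EXTERNAL_* attributes restrict what the factory's own transformations may fetch, not a resolver pulled out and called on its own, so this path should not be read as hardened by the change. A null-safe form that lets the processor fall back to its own resolution per the URIResolver contract: `URIResolver fallback = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory().getURIResolver(); return fallback == null ? null : fallback.resolve(href, base);`. The enclosing resolve method starts and ends outside the hunk.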


@ -73,7 +73,7 @@ public class XsltUtilities {
} }
public static byte[] transform(Map<String, byte[]> files, byte[] source, byte[] xslt) throws TransformerException { public static byte[] transform(Map<String, byte[]> files, byte[] source, byte[] xslt) throws TransformerException {
TransformerFactory f = TransformerFactory.newInstance(); TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
f.setAttribute("http://saxon.sf.net/feature/version-warning", Boolean.FALSE); f.setAttribute("http://saxon.sf.net/feature/version-warning", Boolean.FALSE);
StreamSource xsrc = new StreamSource(new ByteArrayInputStream(xslt)); StreamSource xsrc = new StreamSource(new ByteArrayInputStream(xslt));
f.setURIResolver(new ZipURIResolver(files)); f.setURIResolver(new ZipURIResolver(files));
@ -129,7 +129,7 @@ public class XsltUtilities {
public static void transform(String xsltDir, String source, String xslt, String dest, URIResolver alt) throws TransformerException, IOException { public static void transform(String xsltDir, String source, String xslt, String dest, URIResolver alt) throws TransformerException, IOException {
TransformerFactory f = TransformerFactory.newInstance(); TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
StreamSource xsrc = new StreamSource(ManagedFileAccess.inStream(xslt)); StreamSource xsrc = new StreamSource(ManagedFileAccess.inStream(xslt));
f.setURIResolver(new MyURIResolver(xsltDir, alt)); f.setURIResolver(new MyURIResolver(xsltDir, alt));
Transformer t = f.newTransformer(xsrc); Transformer t = f.newTransformer(xsrc);
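Review bot: In both `transform` overloads the factory-level ACCESS_EXTERNAL_* restrictions are immediately followed by `f.setURIResolver(...)` installing `ZipURIResolver` and `MyURIResolver`, and a Source handed back by a custom resolver is, as far as I can tell, used without the ACCESS_EXTERNAL_STYLESHEET check, so the effective restriction on `xsl:import`/`xsl:include` hrefs is whatever those resolvers enforce rather than the new attributes; a one-line comment above each `setURIResolver` call stating that the resolver is responsible for restricting hrefs would keep that from being forgotten. As a point of style, both hunks (and the MyURIResolver one) spell out `org.hl7.fhir.utilities.xml.XMLUtil` inline; an `import org.hl7.fhir.utilities.xml.XMLUtil;` with `TransformerFactory f = XMLUtil.newXXEProtectedTransformerFactory();` matches how the XmlParser and XLSXmlNormaliser sections call it. The `http://saxon.sf.net/feature/version-warning` attribute on the line after the first change is Saxon-specific and will throw IllegalArgumentException under any other provider, which is pre-existing but worth a comment now that provider choice also decides whether the access attributes are accepted. Both transform methods continue outside the hunk.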


@ -229,7 +229,7 @@ public class XLSXmlNormaliser {
private void saveXml(FileOutputStream stream) throws TransformerException, IOException { private void saveXml(FileOutputStream stream) throws TransformerException, IOException {
TransformerFactory factory = TransformerFactory.newInstance(); TransformerFactory factory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer transformer = factory.newTransformer(); Transformer transformer = factory.newTransformer();
Result result = new StreamResult(stream); Result result = new StreamResult(stream);
Source source = new DOMSource(xml); Source source = new DOMSource(xml);


@ -42,6 +42,7 @@ import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
@ -501,8 +502,16 @@ public class XMLUtil {
return e == null ? null : e.getAttribute(aname); return e == null ? null : e.getAttribute(aname);
} }
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException { public static TransformerFactory newXXEProtectedTransformerFactory() {
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return transformerFactory;
}
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer transformer = transformerFactory.newTransformer(); Transformer transformer = transformerFactory.newTransformer();
DOMSource source = new DOMSource(doc); DOMSource source = new DOMSource(doc);
StreamResult streamResult = new StreamResult(ManagedFileAccess.file(filename)); StreamResult streamResult = new StreamResult(ManagedFileAccess.file(filename));
@ -593,7 +602,7 @@ public class XMLUtil {
} }
public static void saveToFile(Element root, OutputStream stream) throws TransformerException { public static void saveToFile(Element root, OutputStream stream) throws TransformerException {
Transformer transformer = TransformerFactory.newInstance().newTransformer(); Transformer transformer = XMLUtil.newXXEProtectedTransformerFactory().newTransformer();
Result output = new StreamResult(stream); Result output = new StreamResult(stream);
Source input = new DOMSource(root); Source input = new DOMSource(root);
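Review bot: `newXXEProtectedTransformerFactory` calls `setAttribute` unconditionally, and `TransformerFactory.setAttribute` throws IllegalArgumentException for an attribute the loaded provider does not recognise, so with an older service-loader provider the factory is never created at all; the saxon_he bump to 11.6 in the same commit looks like it exists for that reason, and a comment on the method saying the provider must understand the JAXP 1.5 access attributes would save the next reader the archaeology. The method also leaves `FEATURE_SECURE_PROCESSING` unset, which is the one switch the JAXP spec requires every implementation to honour and which is the usual companion to the two access attributes; the caveat is that secure processing in Saxon also disables extension functions, so stylesheets that rely on them need checking before the change below is merged. The new public method has no Javadoc; a short `/** Creates a TransformerFactory that refuses to fetch external DTDs and stylesheets, so that every transformer in the code base shares the same hardening. */` would make the intent clear, and note that the name is slightly misleading since these attributes govern resource fetching by the XSLT processor rather than entity expansion in the XML parser. `writeDomToFile` and `saveToFile` continue outside the hunk.
```java
public static TransformerFactory newXXEProtectedTransformerFactory() {
  TransformerFactory transformerFactory = TransformerFactory.newInstance();
  try {
    // Spec-mandated feature: every provider must accept it; enables the provider's resource limits.
    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  } catch (TransformerConfigurationException e) {
    throw new IllegalStateException("TransformerFactory does not support secure processing", e);
  }
  // JAXP 1.5 access attributes: the provider must recognise them or setAttribute throws IllegalArgumentException.
  transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
  return transformerFactory;
}
```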


@ -32,7 +32,7 @@
<lombok_version>1.18.32</lombok_version> <lombok_version>1.18.32</lombok_version>
<byte_buddy_version>1.14.8</byte_buddy_version> <byte_buddy_version>1.14.8</byte_buddy_version>
<apache_poi_version>5.2.1</apache_poi_version> <apache_poi_version>5.2.1</apache_poi_version>
<saxon_he_version>9.8.0-15</saxon_he_version> <saxon_he_version>11.6</saxon_he_version>
<maven.compiler.release>11</maven.compiler.release> <maven.compiler.release>11</maven.compiler.release>
<maven.compiler.source>11</maven.compiler.source> <maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target> <maven.compiler.target>11</maven.compiler.target>