Merge pull request #1717 from hapifhir/do-20240816-xslt-external

Move all instantiation of TransformerFactory into XMLUtil.newXXEProtectedTransformerFactory() and set the ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET attributes automatically
Grahame Grieve 2024-08-27 08:00:51 +08:00 committed by GitHub
commit edd5b7a560
11 changed files with 50 additions and 40 deletions


@ -10,6 +10,7 @@ Apache-2.0
Apache 2
Apache 2.0
Apache License 2.0
Apache License version 2.0
Eclipse Public License v2.0
BSD licence
The BSD License


@ -90,7 +90,7 @@ public class XmlParser extends ParserBase {
factory.setNamespaceAware(true);
if (policy == ValidationPolicy.EVERYTHING) {
// use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance();
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();
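Review bot: The factory passed to nullTransformer now refuses external DTDs and stylesheets, but the input is parsed by `factory.newDocumentBuilder()` two lines later, and that DocumentBuilderFactory's DOCTYPE / external-entity settings are not visible in this hunk — XXE on the parse path is decided there, not in the transformer. If `factory` is not already configured with `disallow-doctype-decl` or `XMLConstants.ACCESS_EXTERNAL_DTD` set to `""` where it is built (above the hunk), this change does not close it; worth confirming. A comment such as `// the transformer only copies the DOM; XXE protection for the input comes from factory's DTD settings` would stop the helper's name from implying more than it does. The enclosing method starts and ends outside the hunk, and the same pattern is repeated in the other XmlParser variants in this commit.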


@ -109,7 +109,7 @@ public class XmlParser extends ParserBase {
factory.setNamespaceAware(true);
if (policy == ValidationPolicy.EVERYTHING) {
// use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance();
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();


@ -108,7 +108,7 @@ public class XmlParser extends ParserBase {
factory.setNamespaceAware(true);
if (policy == ValidationPolicy.EVERYTHING) {
// use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance();
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();


@ -131,7 +131,7 @@ public class XmlParser extends ParserBase {
stream.reset();
}
// use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance();
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();


@ -144,7 +144,7 @@ public class XmlParser extends ParserBase {
stream.reset();
// use a slower parser that keeps location data
TransformerFactory transformerFactory = TransformerFactory.newInstance();
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer nullTransformer = transformerFactory.newTransformer();
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();


@ -94,7 +94,7 @@ public class MyURIResolver implements URIResolver {
if (s != null)
return s;
}
return TransformerFactory.newInstance().getURIResolver().resolve(href, base);
return org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory().getURIResolver().resolve(href, base);
} else
return new StreamSource(ManagedFileAccess.inStream(href.contains(File.separator) ? href : Utilities.path(path, href)));
} catch (FileNotFoundException e) {
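Review bot: The changed line only swaps the factory whose default URIResolver is borrowed; the ACCESS_EXTERNAL attributes are enforced by the transformer during its own resolution, and a resolver object pulled out via `getURIResolver()` and called directly is not guaranteed to honour them, so this is at best a no-op for access control. As far as I recall the JDK's built-in factory also returns null from `getURIResolver()` until one is set, so which implementation the service loader picks decides between "works" and an NPE here; Saxon (pinned in the pom) returns a non-null default resolver. Making the fallback explicit, `URIResolver def = XMLUtil.newXXEProtectedTransformerFactory().getURIResolver(); if (def == null) throw new TransformerException("no default URIResolver for " + href);`, turns the implementation dependency into a clear error, and holding one factory instead of building one per resolve() call avoids the repeated service lookup. The method starts outside the hunk.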


@ -73,7 +73,7 @@ public class XsltUtilities {
}
public static byte[] transform(Map<String, byte[]> files, byte[] source, byte[] xslt) throws TransformerException {
TransformerFactory f = TransformerFactory.newInstance();
TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
f.setAttribute("http://saxon.sf.net/feature/version-warning", Boolean.FALSE);
StreamSource xsrc = new StreamSource(new ByteArrayInputStream(xslt));
f.setURIResolver(new ZipURIResolver(files));
@ -129,7 +129,7 @@ public class XsltUtilities {
public static void transform(String xsltDir, String source, String xslt, String dest, URIResolver alt) throws TransformerException, IOException {
TransformerFactory f = TransformerFactory.newInstance();
TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
StreamSource xsrc = new StreamSource(ManagedFileAccess.inStream(xslt));
f.setURIResolver(new MyURIResolver(xsltDir, alt));
Transformer t = f.newTransformer(xsrc);
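Review bot: `ACCESS_EXTERNAL_STYLESHEET` on the new factory only governs references the transformer resolves by itself; the custom resolvers installed right after it (`ZipURIResolver`, `MyURIResolver`) see every `xsl:import` / `document()` href first, so the effective policy of these two methods is whatever those resolvers do with an http:// or file:// href, and that should be stated, e.g. `// external access: ACCESS_EXTERNAL_* on the factory, plus whatever the installed URIResolver chooses to fetch`. Separately, `f.setAttribute("http://saxon.sf.net/feature/version-warning", ...)` ties this code to Saxon while `newXXEProtectedTransformerFactory()` goes through the JAXP service loader; with a different factory on the classpath that call, and possibly the ACCESS_EXTERNAL ones, would throw IllegalArgumentException at runtime rather than degrade. Both `transform` overloads continue past the hunk.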


@ -229,7 +229,7 @@ public class XLSXmlNormaliser {
private void saveXml(FileOutputStream stream) throws TransformerException, IOException {
TransformerFactory factory = TransformerFactory.newInstance();
TransformerFactory factory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer transformer = factory.newTransformer();
Result result = new StreamResult(stream);
Source source = new DOMSource(xml);


@ -42,6 +42,7 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@ -501,8 +502,16 @@ public class XMLUtil {
return e == null ? null : e.getAttribute(aname);
}
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
public static TransformerFactory newXXEProtectedTransformerFactory() {
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return transformerFactory;
}
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer transformer = transformerFactory.newTransformer();
DOMSource source = new DOMSource(doc);
StreamResult streamResult = new StreamResult(ManagedFileAccess.file(filename));
@ -593,7 +602,7 @@ public class XMLUtil {
}
public static void saveToFile(Element root, OutputStream stream) throws TransformerException {
Transformer transformer = TransformerFactory.newInstance().newTransformer();
Transformer transformer = XMLUtil.newXXEProtectedTransformerFactory().newTransformer();
Result output = new StreamResult(stream);
Source input = new DOMSource(root);
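Review bot: `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` throws IllegalArgumentException on a TransformerFactory that does not recognise the attribute, and `TransformerFactory.newInstance()` returns whichever implementation the service loader finds, so the new helper is only as portable as the classpath; the Saxon bump in the same commit suggests this was already hit once. The method has no Javadoc, and its name invites reading it as general XXE protection: a short header stating that it restricts the transformer's own external DTD and stylesheet fetches, does nothing for the parser that produced the input DOM, and requires a JAXP 1.5-aware factory would prevent that. I would also set `XMLConstants.FEATURE_SECURE_PROCESSING`, which every JAXP implementation must accept and which further limits external access on the JDK factory — with the caveat that Saxon disables Java extension functions under secure processing, so check the project's stylesheets before relying on it. Rewritten helper, the callers are unchanged:
```java
/**
 * Builds a TransformerFactory that will not fetch external DTDs or stylesheets
 * (xsl:import / xsl:include / document()) on its own. This does not protect the
 * parser that produced the input DOM; configure DocumentBuilderFactory separately.
 * Requires a JAXP 1.5-aware implementation; otherwise setAttribute throws.
 */
public static TransformerFactory newXXEProtectedTransformerFactory() {
  TransformerFactory transformerFactory = TransformerFactory.newInstance();
  try {
    // mandatory feature for every JAXP implementation; on Saxon it also disables extension functions
    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  } catch (TransformerConfigurationException e) {
    throw new IllegalStateException("TransformerFactory does not support secure processing", e);
  }
  transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
  return transformerFactory;
}
// … unchanged: writeDomToFile, saveToFile …
```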


@ -32,7 +32,7 @@
<lombok_version>1.18.32</lombok_version>
<byte_buddy_version>1.14.8</byte_buddy_version>
<apache_poi_version>5.2.1</apache_poi_version>
<saxon_he_version>9.8.0-15</saxon_he_version>
<saxon_he_version>11.6</saxon_he_version>
<maven.compiler.release>11</maven.compiler.release>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>