Move XXE safe SAXParserFactory and XMLReader instantiation to XMLUtil
This commit is contained in:
parent
2d80a09deb
commit
f0a25dabe3
|
@ -36,7 +36,6 @@ import java.util.List;
|
||||||
|
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
import javax.xml.parsers.DocumentBuilder;
|
||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
import javax.xml.parsers.SAXParser;
|
|
||||||
import javax.xml.parsers.SAXParserFactory;
|
import javax.xml.parsers.SAXParserFactory;
|
||||||
import javax.xml.transform.Transformer;
|
import javax.xml.transform.Transformer;
|
||||||
import javax.xml.transform.TransformerFactory;
|
import javax.xml.transform.TransformerFactory;
|
||||||
|
@ -95,16 +94,10 @@ public class XmlParser extends ParserBase {
|
||||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||||
doc = docBuilder.newDocument();
|
doc = docBuilder.newDocument();
|
||||||
DOMResult domResult = new DOMResult(doc);
|
DOMResult domResult = new DOMResult(doc);
|
||||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||||
spf.setNamespaceAware(true);
|
spf.setNamespaceAware(true);
|
||||||
spf.setValidating(false);
|
spf.setValidating(false);
|
||||||
SAXParser saxParser = spf.newSAXParser();
|
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||||
XMLReader xmlReader = saxParser.getXMLReader();
|
|
||||||
// xxe protection
|
|
||||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
|
|
||||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||||
InputSource inputSource = new InputSource(stream);
|
InputSource inputSource = new InputSource(stream);
|
||||||
|
|
|
@ -41,7 +41,6 @@ import java.util.List;
|
||||||
|
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
import javax.xml.parsers.DocumentBuilder;
|
||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
import javax.xml.parsers.SAXParser;
|
|
||||||
import javax.xml.parsers.SAXParserFactory;
|
import javax.xml.parsers.SAXParserFactory;
|
||||||
import javax.xml.transform.Transformer;
|
import javax.xml.transform.Transformer;
|
||||||
import javax.xml.transform.TransformerFactory;
|
import javax.xml.transform.TransformerFactory;
|
||||||
|
@ -114,17 +113,10 @@ public class XmlParser extends ParserBase {
|
||||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||||
doc = docBuilder.newDocument();
|
doc = docBuilder.newDocument();
|
||||||
DOMResult domResult = new DOMResult(doc);
|
DOMResult domResult = new DOMResult(doc);
|
||||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||||
spf.setNamespaceAware(true);
|
spf.setNamespaceAware(true);
|
||||||
spf.setValidating(false);
|
spf.setValidating(false);
|
||||||
// xxe protection
|
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
SAXParser saxParser = spf.newSAXParser();
|
|
||||||
XMLReader xmlReader = saxParser.getXMLReader();
|
|
||||||
// xxe protection
|
|
||||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
|
|
||||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||||
InputSource inputSource = new InputSource(stream);
|
InputSource inputSource = new InputSource(stream);
|
||||||
|
|
|
@ -39,7 +39,6 @@ import java.util.List;
|
||||||
|
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
import javax.xml.parsers.DocumentBuilder;
|
||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
import javax.xml.parsers.SAXParser;
|
|
||||||
import javax.xml.parsers.SAXParserFactory;
|
import javax.xml.parsers.SAXParserFactory;
|
||||||
import javax.xml.transform.Transformer;
|
import javax.xml.transform.Transformer;
|
||||||
import javax.xml.transform.TransformerFactory;
|
import javax.xml.transform.TransformerFactory;
|
||||||
|
@ -113,17 +112,10 @@ public class XmlParser extends ParserBase {
|
||||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||||
doc = docBuilder.newDocument();
|
doc = docBuilder.newDocument();
|
||||||
DOMResult domResult = new DOMResult(doc);
|
DOMResult domResult = new DOMResult(doc);
|
||||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||||
spf.setNamespaceAware(true);
|
spf.setNamespaceAware(true);
|
||||||
spf.setValidating(false);
|
spf.setValidating(false);
|
||||||
// xxe protection
|
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
SAXParser saxParser = spf.newSAXParser();
|
|
||||||
XMLReader xmlReader = saxParser.getXMLReader();
|
|
||||||
// xxe protection
|
|
||||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
|
|
||||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||||
InputSource inputSource = new InputSource(stream);
|
InputSource inputSource = new InputSource(stream);
|
||||||
|
|
|
@ -39,7 +39,6 @@ import java.util.List;
|
||||||
|
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
import javax.xml.parsers.DocumentBuilder;
|
||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
import javax.xml.parsers.SAXParser;
|
|
||||||
import javax.xml.parsers.SAXParserFactory;
|
import javax.xml.parsers.SAXParserFactory;
|
||||||
import javax.xml.transform.Transformer;
|
import javax.xml.transform.Transformer;
|
||||||
import javax.xml.transform.TransformerFactory;
|
import javax.xml.transform.TransformerFactory;
|
||||||
|
@ -52,7 +51,6 @@ import org.hl7.fhir.exceptions.FHIRFormatError;
|
||||||
import org.hl7.fhir.r4b.conformance.ProfileUtilities;
|
import org.hl7.fhir.r4b.conformance.ProfileUtilities;
|
||||||
import org.hl7.fhir.r4b.context.IWorkerContext;
|
import org.hl7.fhir.r4b.context.IWorkerContext;
|
||||||
import org.hl7.fhir.r4b.elementmodel.Element.SpecialElement;
|
import org.hl7.fhir.r4b.elementmodel.Element.SpecialElement;
|
||||||
import org.hl7.fhir.r4b.elementmodel.ParserBase.NamedElement;
|
|
||||||
import org.hl7.fhir.r4b.formats.FormatUtilities;
|
import org.hl7.fhir.r4b.formats.FormatUtilities;
|
||||||
import org.hl7.fhir.r4b.formats.IParser.OutputStyle;
|
import org.hl7.fhir.r4b.formats.IParser.OutputStyle;
|
||||||
import org.hl7.fhir.r4b.model.DateTimeType;
|
import org.hl7.fhir.r4b.model.DateTimeType;
|
||||||
|
@ -136,17 +134,10 @@ public class XmlParser extends ParserBase {
|
||||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||||
doc = docBuilder.newDocument();
|
doc = docBuilder.newDocument();
|
||||||
DOMResult domResult = new DOMResult(doc);
|
DOMResult domResult = new DOMResult(doc);
|
||||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||||
spf.setNamespaceAware(true);
|
spf.setNamespaceAware(true);
|
||||||
spf.setValidating(false);
|
spf.setValidating(false);
|
||||||
// xxe protection
|
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
SAXParser saxParser = spf.newSAXParser();
|
|
||||||
XMLReader xmlReader = saxParser.getXMLReader();
|
|
||||||
// xxe protection
|
|
||||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
|
|
||||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||||
InputSource inputSource = new InputSource(stream);
|
InputSource inputSource = new InputSource(stream);
|
||||||
|
|
|
@ -44,7 +44,6 @@ import java.util.Set;
|
||||||
|
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
import javax.xml.parsers.DocumentBuilder;
|
||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
import javax.xml.parsers.SAXParser;
|
|
||||||
import javax.xml.parsers.SAXParserFactory;
|
import javax.xml.parsers.SAXParserFactory;
|
||||||
import javax.xml.transform.Transformer;
|
import javax.xml.transform.Transformer;
|
||||||
import javax.xml.transform.TransformerFactory;
|
import javax.xml.transform.TransformerFactory;
|
||||||
|
@ -150,17 +149,11 @@ public class XmlParser extends ParserBase {
|
||||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||||
doc = docBuilder.newDocument();
|
doc = docBuilder.newDocument();
|
||||||
DOMResult domResult = new DOMResult(doc);
|
DOMResult domResult = new DOMResult(doc);
|
||||||
SAXParserFactory spf = SAXParserFactory.newInstance();
|
SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
|
||||||
spf.setNamespaceAware(true);
|
spf.setNamespaceAware(true);
|
||||||
spf.setValidating(false);
|
spf.setValidating(false);
|
||||||
// xxe protection
|
|
||||||
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
|
||||||
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
SAXParser saxParser = spf.newSAXParser();
|
|
||||||
XMLReader xmlReader = saxParser.getXMLReader();
|
|
||||||
// xxe protection
|
|
||||||
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
|
|
||||||
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
|
||||||
InputSource inputSource = new InputSource(stream);
|
InputSource inputSource = new InputSource(stream);
|
||||||
|
|
|
@ -42,9 +42,7 @@ import java.util.List;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
import javax.xml.XMLConstants;
|
import javax.xml.XMLConstants;
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
import javax.xml.parsers.*;
|
||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
|
||||||
import javax.xml.parsers.ParserConfigurationException;
|
|
||||||
import javax.xml.transform.Result;
|
import javax.xml.transform.Result;
|
||||||
import javax.xml.transform.Source;
|
import javax.xml.transform.Source;
|
||||||
import javax.xml.transform.Transformer;
|
import javax.xml.transform.Transformer;
|
||||||
|
@ -64,10 +62,15 @@ import org.w3c.dom.NodeList;
|
||||||
import org.w3c.dom.ls.DOMImplementationLS;
|
import org.w3c.dom.ls.DOMImplementationLS;
|
||||||
import org.w3c.dom.ls.LSSerializer;
|
import org.w3c.dom.ls.LSSerializer;
|
||||||
import org.xml.sax.SAXException;
|
import org.xml.sax.SAXException;
|
||||||
|
import org.xml.sax.SAXNotRecognizedException;
|
||||||
|
import org.xml.sax.SAXNotSupportedException;
|
||||||
|
import org.xml.sax.XMLReader;
|
||||||
|
|
||||||
public class XMLUtil {
|
public class XMLUtil {
|
||||||
|
|
||||||
public static final String SPACE_CHAR = "\u00A0";
|
public static final String SPACE_CHAR = "\u00A0";
|
||||||
|
public static final String SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
|
||||||
|
public static final String APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
|
||||||
|
|
||||||
public static boolean isNMToken(String name) {
|
public static boolean isNMToken(String name) {
|
||||||
if (name == null)
|
if (name == null)
|
||||||
|
@ -510,12 +513,34 @@ public class XMLUtil {
|
||||||
|
|
||||||
public static DocumentBuilderFactory newXXEProtectedDocumentBuilderFactory() throws ParserConfigurationException {
|
public static DocumentBuilderFactory newXXEProtectedDocumentBuilderFactory() throws ParserConfigurationException {
|
||||||
final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
|
final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
|
||||||
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
documentBuilderFactory.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
|
||||||
documentBuilderFactory.setXIncludeAware(false);
|
documentBuilderFactory.setXIncludeAware(false);
|
||||||
return documentBuilderFactory;
|
return documentBuilderFactory;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static SAXParserFactory newXXEProtectedSaxParserFactory() throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
|
||||||
|
final SAXParserFactory spf = SAXParserFactory.newInstance();
|
||||||
|
spf.setFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
|
||||||
|
spf.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
|
||||||
|
return spf;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static XMLReader getXXEProtectedXMLReader(SAXParserFactory spf) throws ParserConfigurationException, SAXException {
|
||||||
|
final SAXParser saxParser = spf.newSAXParser();
|
||||||
|
final XMLReader xmlReader = saxParser.getXMLReader();
|
||||||
|
|
||||||
|
final boolean externalGeneralEntitiesFeatureValue = spf.getFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES);
|
||||||
|
if (externalGeneralEntitiesFeatureValue) {
|
||||||
|
throw new IllegalArgumentException("SAXParserFactory has insecure feature setting:" + SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES+ "=" + externalGeneralEntitiesFeatureValue);
|
||||||
|
}
|
||||||
|
final boolean disallowDocTypeDeclFeatureValue = spf.getFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL);
|
||||||
|
if (!disallowDocTypeDeclFeatureValue) {
|
||||||
|
throw new IllegalArgumentException("SAXParserFactory has insecure feature setting:" + APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL + "=" + disallowDocTypeDeclFeatureValue);
|
||||||
|
}
|
||||||
|
xmlReader.setFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
|
||||||
|
xmlReader.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
|
||||||
|
return xmlReader;
|
||||||
|
}
|
||||||
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
|
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
|
||||||
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
|
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
|
||||||
Transformer transformer = transformerFactory.newTransformer();
|
Transformer transformer = transformerFactory.newTransformer();
|
||||||
|
|
Loading…
Reference in New Issue