Enabled secure processing for all places again and not assuming defaults
phax committed Dec 13, 2024
1 parent 626ac1f commit 863cf4f
Showing 1 changed file with 54 additions and 29 deletions.
83 changes: 54 additions & 29 deletions ph-xml/src/main/java/com/helger/xml/XMLFactory.java
Expand Up @@ -134,32 +134,25 @@ private static void _setFeature (@Nonnull final DocumentBuilderFactory aFactory,
}
}

/**
* Create a new {@link DocumentBuilderFactory} using the defaults defined in
* this class ({@link #DEFAULT_DOM_NAMESPACE_AWARE},
* {@link #DEFAULT_DOM_VALIDATING} ,
* {@link #DEFAULT_DOM_IGNORING_ELEMENT_CONTENT_WHITESPACE},
* {@link #DEFAULT_DOM_EXPAND_ENTITY_REFERENCES},
* {@link #DEFAULT_DOM_IGNORING_COMMENTS} and
* {@link #DEFAULT_DOM_COALESCING}.).
*
* @return Never <code>null</code>.
*/
@Nonnull
public static DocumentBuilderFactory createDefaultDocumentBuilderFactory ()
public static void defaultCustomizeDocumentBuilderFactory (@Nonnull final DocumentBuilderFactory aFactory)
{
// Secure processing is enabled by default since JDK 8
final DocumentBuilderFactory aFactory = DocumentBuilderFactory.newInstance ();
/*
* Secure processing is enabled by default since JDK 8. See class
* "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl"
* field "fSecure" is initially "true". However, if someone uses an external
* XML parser library (like Xerces) it might be disabled.
*/
_setFeature (aFactory, EXMLParserFeature.SECURE_PROCESSING, true);
_setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.LOAD_EXTERNAL_DTD, false);
aFactory.setNamespaceAware (DEFAULT_DOM_NAMESPACE_AWARE);
aFactory.setValidating (DEFAULT_DOM_VALIDATING);
aFactory.setIgnoringElementContentWhitespace (DEFAULT_DOM_IGNORING_ELEMENT_CONTENT_WHITESPACE);
aFactory.setExpandEntityReferences (DEFAULT_DOM_EXPAND_ENTITY_REFERENCES);
aFactory.setIgnoringComments (DEFAULT_DOM_IGNORING_COMMENTS);
aFactory.setCoalescing (DEFAULT_DOM_COALESCING);

try
{
aFactory.setXIncludeAware (DEFAULT_DOM_XINCLUDE_AWARE);
Expand All @@ -168,6 +161,24 @@ public static DocumentBuilderFactory createDefaultDocumentBuilderFactory ()
{
// Ignore
}
}

/**
* Create a new {@link DocumentBuilderFactory} using the defaults defined in
* this class ({@link #DEFAULT_DOM_NAMESPACE_AWARE},
* {@link #DEFAULT_DOM_VALIDATING} ,
* {@link #DEFAULT_DOM_IGNORING_ELEMENT_CONTENT_WHITESPACE},
* {@link #DEFAULT_DOM_EXPAND_ENTITY_REFERENCES},
* {@link #DEFAULT_DOM_IGNORING_COMMENTS} and
* {@link #DEFAULT_DOM_COALESCING}.).
*
* @return Never <code>null</code>.
*/
@Nonnull
public static DocumentBuilderFactory createDefaultDocumentBuilderFactory ()
{
final DocumentBuilderFactory aFactory = DocumentBuilderFactory.newInstance ();
defaultCustomizeDocumentBuilderFactory (aFactory);
return aFactory;
}

Expand Down Expand Up @@ -440,6 +451,18 @@ private static void _setFeature (@Nonnull final SAXParserFactory aFactory,
}
}

public static void defaultCustomizeSAXParserFactory (@Nonnull final SAXParserFactory aFactory)
{
_setFeature (aFactory, EXMLParserFeature.SECURE_PROCESSING, true);
_setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.LOAD_EXTERNAL_DTD, false);
aFactory.setNamespaceAware (DEFAULT_SAX_NAMESPACE_AWARE);
aFactory.setValidating (DEFAULT_SAX_VALIDATING);
aFactory.setXIncludeAware (DEFAULT_SAX_XINCLUDE_AWARE);
}

@Nonnull
public static SAXParserFactory createDefaultSAXParserFactory ()
{
Expand All @@ -454,12 +477,7 @@ public static SAXParserFactory createDefaultSAXParserFactory ()
// Java 8 method - see #41
aFactory = SAXParserFactory.newInstance ();
}
_setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
aFactory.setNamespaceAware (DEFAULT_SAX_NAMESPACE_AWARE);
aFactory.setValidating (DEFAULT_SAX_VALIDATING);
aFactory.setXIncludeAware (DEFAULT_SAX_XINCLUDE_AWARE);
defaultCustomizeSAXParserFactory (aFactory);
return aFactory;
}

Expand All @@ -482,19 +500,26 @@ private static void _setFeature (@Nonnull final TransformerFactory aFactory,
}
}

public static void defaultCustomizeTransformerFactory (@Nonnull final TransformerFactory aFactory)
{
if (false)
{
// This prevents to use XSLT includes
_setFeature (aFactory, EXMLParserFeature.SECURE_PROCESSING, true);
}
_setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.LOAD_EXTERNAL_DTD, false);
}

@Nonnull
public static TransformerFactory createDefaultTransformerFactory ()
{
try
{
final TransformerFactory aFactory = TransformerFactory.newInstance ();
if (false)
{
// Not needed for Java 11
_setFeature (aFactory, EXMLParserFeature.DISALLOW_DOCTYPE_DECL, true);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_GENERAL_ENTITIES, false);
_setFeature (aFactory, EXMLParserFeature.EXTERNAL_PARAMETER_ENTITIES, false);
}
defaultCustomizeTransformerFactory (aFactory);
return aFactory;
}
catch (final TransformerFactoryConfigurationError ex)
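Review bot: `defaultCustomizeTransformerFactory` keeps `SECURE_PROCESSING` inside an `if (false)` block, so despite the commit title the TransformerFactory is the one factory where secure processing is still not enabled, and the remaining `_setFeature` calls pass SAX/Xerces feature URIs whose effect on a TransformerFactory depends on what the implementation's `setFeature` accepts (not visible here; the TransformerFactory `_setFeature` helper and its error handling begin above the hunk). If XSLT includes are the reason, the restriction that stays compatible with `xsl:include`/`xsl:import` is the JAXP attribute that only limits DTD and external-entity access, e.g. `aFactory.setAttribute (XMLConstants.ACCESS_EXTERNAL_DTD, "");` guarded the same way `_setFeature` guards `setFeature`, preceded by a comment such as `// Secure processing is deliberately off here: it would block xsl:include/xsl:import; external DTD access is restricted separately`. The dead `if (false)` block should become that comment rather than code that never runs. The three new public `defaultCustomize*` methods also carry no Javadoc; each should say that it applies this class's defaults and the hardening features to a caller-supplied factory and that it is the same set the matching `createDefault*` method uses, so callers that obtain a factory elsewhere know what it changes.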
