From 64bbeb4c3326ca9f99840f2a9f0c5cb59a87ad92 Mon Sep 17 00:00:00 2001 From: tlenz Date: Tue, 27 Jun 2017 10:40:58 +0200 Subject: add Xerces SecurityManager --- .../java/at/gv/egovernment/moaspss/util/DOMUtils.java | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java index c5550ad..2a907e7 100644 --- a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java +++ b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java @@ -48,9 +48,11 @@ import javax.xml.transform.TransformerFactory; import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; +import org.apache.xerces.impl.Constants; import org.apache.xerces.parsers.DOMParser; import org.apache.xerces.parsers.SAXParser; import org.apache.xerces.parsers.XMLGrammarPreparser; +import org.apache.xerces.util.SecurityManager; import org.apache.xerces.util.SymbolTable; import org.apache.xerces.util.XMLGrammarPoolImpl; import org.apache.xerces.xni.grammars.XMLGrammarDescription; @@ -118,6 +120,9 @@ public class DOMUtils { private static final String DISALLOW_DOCTYPE_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; + //Security Manager feature for XERCES XML parser + private static final String SECURITY_MANAGER = + Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY; /** Property URI for the Xerces grammar pool. */ @@ -236,6 +241,8 @@ public class DOMUtils { parser = new DOMParser(); } + + // set parser features and properties try { parser.setFeature(NAMESPACES_FEATURE, true); @@ -247,6 +254,9 @@ public class DOMUtils { parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false); parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false); + SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager(); + parser.setProperty(SECURITY_MANAGER, xmlParserSecManager); + //fix XXE problem //parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); @@ -324,7 +334,10 @@ public class DOMUtils { parser.setFeature(NORMALIZED_VALUE_FEATURE, false); parser.setFeature(INCLUDE_IGNORABLE_WHITESPACE_FEATURE, true); parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false); - + + SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager(); + parser.setProperty(SECURITY_MANAGER, xmlParserSecManager); + parser.parse(new InputSource(inputStream)); return parser.getDocument(); @@ -591,6 +604,9 @@ public class DOMUtils { parser.setFeature(VALIDATION_FEATURE, true); parser.setFeature(SCHEMA_VALIDATION_FEATURE, true); + SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager(); + parser.setProperty(SECURITY_MANAGER, xmlParserSecManager); + if (externalSchemaLocations != null) { parser.setProperty( EXTERNAL_SCHEMA_LOCATION_PROPERTY, -- cgit v1.2.3