2 files changed, 134 insertions, 12 deletions

diff --git a/utils/src/main/java/at/gv/egiz/dom/DOMUtils.java b/utils/src/main/java/at/gv/egiz/dom/DOMUtils.java
index eae8f05e..2054021a 100644
--- a/utils/src/main/java/at/gv/egiz/dom/DOMUtils.java
+++ b/utils/src/main/java/at/gv/egiz/dom/DOMUtils.java
@@ -33,7 +33,8 @@ import java.io.StringWriter;
 

 import javax.xml.parsers.DocumentBuilder;

 import javax.xml.parsers.DocumentBuilderFactory;

-import javax.xml.parsers.ParserConfigurationException;

+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.XMLStreamException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -47,7 +48,8 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.Text;

 import org.w3c.dom.bootstrap.DOMImplementationRegistry;

-import org.w3c.dom.ls.DOMImplementationLS;

+import org.w3c.dom.ls.DOMImplementationLS;
+import org.xml.sax.SAXException;

 
 public final class DOMUtils {

 

@@ -160,6 +162,76 @@ public final class DOMUtils {
     

     base64OutputStream.close();

     return doc.createTextNode(outputStream.toString("ASCII"));

-  }

+  }
+  
+  /**
+   * Set XML parser features to {@link DocumentBuilderFactory} to prevent XXE, XEE and SSRF attacks
+   * <br>
+   * <br>
+   * These features are set by this method:
+   * <ul>
+   * 	<li>http://xml.org/sax/features/external-general-entities --> false</li>
+   * 	<li>http://xml.org/sax/features/external-parameter-entities --> false</li>
+   * 	<li>http://apache.org/xml/features/nonvalidating/load-external-dtd --> false</li>
+   * 	<li>http://apache.org/xml/features/disallow-doctype-decl --> true</li>
+   * </ul>
+   *  
+   * 
+   * @param dbf {@link DocumentBuilderFactory} on which the features should be registered
+   */
+  public static void setXMLParserFlagsAgainstXXEAndSSRFAttacks(DocumentBuilderFactory dbf) {
+	  try {
+			dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+						
+		} catch (ParserConfigurationException e) {
+			log.error("Can NOT set Xerces parser security features. -> XML parsing is possible insecure!!!! ", e);
+			
+		}
+	  
+  }
+  
+  /**
+   * Parse an {@link InputStream} that contains a XML document into a {@link Document}
+   * This method set all features to prevent XXE, XEE and SSRF attacks
+   * 
+   * These features are set by this method:
+   * <ul>
+   * 	<li>http://xml.org/sax/features/external-general-entities --> false</li>
+   * 	<li>http://xml.org/sax/features/external-parameter-entities --> false</li>
+   * 	<li>http://apache.org/xml/features/nonvalidating/load-external-dtd --> false</li>
+   * 	<li>http://apache.org/xml/features/disallow-doctype-decl --> true</li>
+   * </ul>
+   * 
+   * @param is {@link InputStream} that contains a serialized XML document 
+   * @return Deserialized {@link Document} from input XML 
+   * @throws XMLStreamException XML parser has an error 
+   * @throws IOException 
+   */
+	public static Document validateXMLAgainstXXEAndSSRFAttacks(InputStream is) throws XMLStreamException, IOException {		
+		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();		
+		setXMLParserFlagsAgainstXXEAndSSRFAttacks(dbf);
+		    	    	        
+		try {        	
+			//validate input stream        	
+			return dbf.newDocumentBuilder().parse(is);
+            		    		    		
+		} catch (SAXException e) {
+			log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
+			throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
+
+		} catch (ParserConfigurationException e) {
+			log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
+			throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
+    		
+		} catch (IOException e) {
+			log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
+			throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
+    		
+		}
+		
+	}

 

 }

diff --git a/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java b/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java
index de1b2ddf..489c36d8 100644
--- a/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java
+++ b/utils/src/main/java/at/gv/egiz/slbinding/SLUnmarshaller.java
@@ -25,7 +25,10 @@
 
 package at.gv.egiz.slbinding;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.Reader;
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Collection;
@@ -38,6 +41,8 @@ import javax.xml.bind.JAXBException;
 import javax.xml.bind.UnmarshalException;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.bind.ValidationEvent;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
@@ -46,11 +51,13 @@ import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 
+import org.apache.commons.io.IOUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 
 import at.gv.egiz.bku.utils.ClasspathURLStreamHandler;
+import at.gv.egiz.dom.DOMUtils;
 import at.gv.egiz.validation.ReportingValidationEventHandler;
 
 public class SLUnmarshaller {
@@ -235,28 +242,71 @@ public class SLUnmarshaller {
    * @throws JAXBException
    */
 public Object unmarshal(StreamSource source) throws XMLStreamException, JAXBException {
+    Reader inputReader = source.getReader(); 
     
-    ReportingValidationEventHandler validationEventHandler = new ReportingValidationEventHandler();
-//    System.setProperty("javax.xml.stream.XMLInputFactory", "com.sun.xml.stream.ZephyrParserFactory");
-//    System.setProperty("com.sun.xml.stream.ZephyrParserFactory", "com.sun.xml.stream.ZephyrParserFactory");
-//    XMLInputFactory inputFactory = XMLInputFactory.newInstance("com.sun.xml.stream.ZephyrParserFactory", null);
-    
+    /* Validate XML against XXE, XEE, and SSRF
+     * 
+     * This pre-validation step is required because com.sun.xml.stream.sjsxp-1.0.2 XML stream parser library does not 
+     * support all XML parser features to prevent these types of attacks  
+     */
+    if (inputReader instanceof InputStreamReader) {    	    	        
+        try {        	
+        	//create copy of input stream
+        	InputStreamReader isReader = (InputStreamReader) inputReader;
+        	String encoding = isReader.getEncoding();        	
+        	byte[] backup = IOUtils.toByteArray(isReader, encoding);
+
+        	//validate input stream
+        	DOMUtils.validateXMLAgainstXXEAndSSRFAttacks(new ByteArrayInputStream(backup));
+        	    		
+    		//create new inputStreamReader for reak processing
+    		inputReader = new InputStreamReader(new ByteArrayInputStream(backup), encoding);
+    		
+    		
+    	} catch (XMLStreamException e) {
+    		log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
+    		throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
+    		
+    	} catch (IOException e) {
+    		log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
+    		throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
+    		
+		}
+    	    	
+    } else {
+    	log.error("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
+    	log.error("Reader is not of type InputStreamReader -> can not make a copy of the InputStream --> extended XML validation is not possible!!! ");
+    	log.error("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
+    	
+    }
+        
+    /* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+     * parse XML with original functionality
+     * 
+     * This code implements the the original mocca XML processing by using 
+     *  com.sun.xml.stream.sjsxp-1.0.2 XML stream parser library. Currently, this library is required to get full 
+     *  security-layer specific XML processing. However, there this lib does not fully support XXE, XEE and SSRF
+     *  prevention mechanisms (e.g.: XMLInputFactory.SUPPORT_DTD flag is not used)    
+     * 
+     * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+     */
     XMLInputFactory inputFactory = XMLInputFactory.newInstance();
     
     //disallow DTD and external entities
     inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
     inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
-    
-    XMLEventReader eventReader = inputFactory.createXMLEventReader(source.getReader());
+        
+    XMLEventReader eventReader = inputFactory.createXMLEventReader(inputReader);
     RedirectEventFilter redirectEventFilter = new RedirectEventFilter();
     XMLEventReader filteredReader = inputFactory.createFilteredReader(eventReader, redirectEventFilter);
 
     Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
+    ReportingValidationEventHandler validationEventHandler = new ReportingValidationEventHandler();
     unmarshaller.setEventHandler(validationEventHandler);
 
     unmarshaller.setListener(new RedirectUnmarshallerListener(redirectEventFilter));
-    unmarshaller.setSchema(slSchema);
-
+    unmarshaller.setSchema(slSchema);    
+    
     Object object;
     try {
       log.trace("Before unmarshal().");