/**
 * Switches off the SAX features that make a parser fetch external DTDs and external
 * entities, so that parsing a document cannot trigger file or network access.
 *
 * See <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader">OWASP XXE Cheat Sheet</a>
 * @param reader the reader whose features are switched off
 * @throws SAXNotRecognizedException if the underlying parser does not know one of the features
 * @throws SAXNotSupportedException if the parser knows a feature but cannot change it at this point
 */
private void disableExternalResourceFetching(XMLReader reader)
        throws SAXNotRecognizedException, SAXNotSupportedException {
    String[] fetchingFeatures = {
            "http://xml.org/sax/features/external-general-entities",
            "http://xml.org/sax/features/external-parameter-entities",
            "http://apache.org/xml/features/nonvalidating/load-external-dtd"
    };
    // Applied in order; the first feature the parser rejects aborts the rest, as the exception propagates.
    // NOTE(review): the DOCTYPE declaration itself remains permitted here; only fetching is disabled.
    for (String feature : fetchingFeatures) {
        reader.setFeature(feature, false);
    }
}
/**
 * Sets a SAX feature on the wrapped reader.
 *
 * @param uri   the feature URI to set
 * @param value the value to give the feature
 * @throws SAXNotRecognizedException if the wrapped reader does not recognize {@code uri}
 * @throws SAXNotSupportedException if the wrapped reader cannot set {@code uri} to {@code value}
 */
public void setFeature(final String uri, final boolean value)
        throws SAXNotRecognizedException, SAXNotSupportedException {
    // Pure delegation: the wrapped reader decides whether the feature is known and settable.
    this.reader.setFeature(uri, value);
}
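/**
 * Create an {@code XMLReader} that this marshaller will use when passed an empty {@code SAXSource}.
 * <p>The reader is configured from {@link #isSupportDtd()} and {@link #isProcessExternalEntities()}:
 * a DOCTYPE declaration is rejected unless DTD support is on, and when external entity processing
 * is off both external general and external parameter entities are disabled and the no-op entity
 * resolver is installed as a second line of defence.
 * @return the XMLReader
 * @throws SAXException if thrown by JAXP methods
 */
@SuppressWarnings("deprecation") // on JDK 9
protected XMLReader createXmlReader() throws SAXException {
    XMLReader xmlReader = org.xml.sax.helpers.XMLReaderFactory.createXMLReader();
    boolean processExternalEntities = isProcessExternalEntities();
    xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !isSupportDtd());
    xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
    // Parameter entities (declared in the DTD) are the other route to external resources;
    // keep the two features in step so that "external entities off" covers both kinds.
    xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", processExternalEntities);
    if (!processExternalEntities) {
        // Any entity lookup a parser still attempts is routed through the no-op resolver.
        xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
    }
    return xmlReader;
}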
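/**
 * Sets a SAX feature, logging rather than propagating any failure so that an older or
 * non-Xerces parser on the classpath degrades gracefully instead of aborting the caller.
 * <p>NOTE(review): a feature that fails to apply is only warned about; a caller that relies on
 * the feature for hardening gets no signal beyond the log line.
 *
 * @param xmlReader the reader to configure
 * @param feature   the feature URI
 * @param enabled   the value to set
 */
private static void trySetSAXFeature(XMLReader xmlReader, String feature, boolean enabled) {
    try {
        xmlReader.setFeature(feature, enabled);
    }
    catch (Exception e) {
        logger.warn("SAX Feature unsupported "+ feature, e);
    }
    catch (AbstractMethodError ame) {
        // AbstractMethodError is an Error, not an Exception, so it needs its own clause.
        // The separator was missing, which glued the feature URI onto the message text.
        logger.warn(
                "Cannot set SAX feature because outdated XML parser in classpath: " + feature, ame);
    }
}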
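/**
 * Builds a {@link SAXSource} over a fully buffered copy of the request body, using a reader
 * hardened according to {@link #isSupportDtd()} and {@link #isProcessExternalEntities()}.
 *
 * @param body the request body; read to the end
 * @param inputMessage the message the body belongs to, reported on parse failure
 * @return a source whose reader rejects DOCTYPEs and/or external entities as configured
 * @throws IOException if the body cannot be read
 * @throws HttpMessageNotReadableException if the SAX reader cannot be created or configured
 */
@SuppressWarnings("deprecation") // on JDK 9
private SAXSource readSAXSource(InputStream body, HttpInputMessage inputMessage) throws IOException {
    try {
        XMLReader xmlReader = org.xml.sax.helpers.XMLReaderFactory.createXMLReader();
        boolean processExternalEntities = isProcessExternalEntities();
        xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !isSupportDtd());
        xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
        // Parameter entities are the other way a DTD can pull in external resources; keep both in step.
        xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", processExternalEntities);
        if (!processExternalEntities) {
            xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
        }
        // The whole body is buffered in memory here. NOTE(review): no size cap is applied at this
        // point, so request-size limits must be enforced upstream — confirm.
        byte[] bytes = StreamUtils.copyToByteArray(body);
        return new SAXSource(xmlReader, new InputSource(new ByteArrayInputStream(bytes)));
    }
    catch (SAXException ex) {
        throw new HttpMessageNotReadableException(
                "Could not parse document: " + ex.getMessage(), ex, inputMessage);
    }
}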
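/**
 * Wraps a {@link StreamSource} in a {@link SAXSource} whose reader is hardened according to
 * {@link #isSupportDtd()} and {@link #isProcessExternalEntities()}; any other kind of
 * {@link Source} is returned untouched.
 *
 * @param source the source to process
 * @return a hardened SAX source, or the original source if it is not a {@code StreamSource}
 *         or the reader could not be configured (in which case a warning is logged)
 */
@SuppressWarnings("deprecation") // on JDK 9
protected Source processSource(Source source) {
    if (!(source instanceof StreamSource)) {
        return source;
    }
    StreamSource streamSource = (StreamSource) source;
    // A StreamSource may carry a Reader instead of an InputStream; honour whichever is present
    // so that character-based sources are not silently turned into an empty InputSource.
    InputSource inputSource = (streamSource.getReader() != null)
            ? new InputSource(streamSource.getReader())
            : new InputSource(streamSource.getInputStream());
    try {
        XMLReader xmlReader = org.xml.sax.helpers.XMLReaderFactory.createXMLReader();
        boolean processExternalEntities = isProcessExternalEntities();
        xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !isSupportDtd());
        xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
        // Parameter entities are the other route to external resources; keep both features in step.
        xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", processExternalEntities);
        if (!processExternalEntities) {
            xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
        }
        return new SAXSource(xmlReader, inputSource);
    }
    catch (SAXException ex) {
        // Falling back to the raw source means the hardening did NOT take effect;
        // this warning is the only signal callers get.
        logger.warn("Processing of external entities could not be disabled", ex);
        return source;
    }
}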
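/**
 * Loads a {@link Schema} from the given resources using the given schema language.
 *
 * @param resources the schema documents to load; must be non-empty and each must exist
 * @param schemaLanguage the schema language URI handed to {@link SchemaFactory#newInstance(String)}
 * @return the compiled schema
 * @throws IOException if a resource cannot be opened
 * @throws SAXException if the XML reader cannot be created or configured
 */
@SuppressWarnings("deprecation") // on JDK 9
private Schema loadSchema(Resource[] resources, String schemaLanguage) throws IOException, SAXException {
    Assert.notEmpty(resources, "No resources given");
    Assert.hasLength(schemaLanguage, "No schema language provided");
    if (logger.isDebugEnabled()) {
        // Log the argument actually being loaded rather than the field it is usually copied from.
        logger.debug("Setting validation schema to " + StringUtils.arrayToCommaDelimitedString(resources));
    }
    XMLReader xmlReader = org.xml.sax.helpers.XMLReaderFactory.createXMLReader();
    xmlReader.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
    // NOTE(review): no external-entity restrictions are applied to this reader; that is only
    // acceptable while schema resources are configured by the application rather than user-supplied.
    Source[] schemaSources = new Source[resources.length];
    for (int i = 0; i < resources.length; i++) {
        Resource resource = resources[i];
        Assert.isTrue(resource != null && resource.exists(), () -> "Resource does not exist: " + resource);
        schemaSources[i] = new SAXSource(xmlReader, SaxResourceUtils.createInputSource(resource));
    }
    SchemaFactory schemaFactory = SchemaFactory.newInstance(schemaLanguage);
    if (this.schemaResourceResolver != null) {
        schemaFactory.setResourceResolver(this.schemaResourceResolver);
    }
    return schemaFactory.newSchema(schemaSources);
}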
/**
 * Replaces the underlying reader with a fresh {@code ExpatReader} and re-applies every
 * feature recorded in {@code initialFeatures}.
 *
 * @throws SAXNotSupportedException if the new reader cannot take one of the recorded features
 * @throws SAXNotRecognizedException if the new reader does not recognize one of the recorded features
 */
private void resetInternal() throws SAXNotSupportedException, SAXNotRecognizedException {
    reader = new ExpatReader();
    // Features are replayed in the map's iteration order; if one of them fails the
    // exception propagates and the new reader stays installed, partly configured.
    for (Map.Entry<String, Boolean> recorded : initialFeatures.entrySet()) {
        String name = recorded.getKey();
        boolean value = recorded.getValue();
        reader.setFeature(name, value);
    }
}
/**
 * Parses the bitext rule XML read from {@code is} into a list of rules.
 *
 * @param is the rule XML; consumed by a freshly created SAX parser
 * @param filename used only to name the file in the error message
 * @return the rules collected by the handler
 * @throws IOException if the stream cannot be read or parsed; any exception raised while
 *         parsing is wrapped with the file name
 */
public final List<BitextPatternRule> getRules(InputStream is, String filename) throws IOException {
    try {
        BitextPatternRuleHandler handler = new BitextPatternRuleHandler();
        SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
        // Loading of the referenced external DTD is switched off so that parsing does not fetch it.
        // NOTE(review): external general/parameter entities and the DOCTYPE itself are not disabled
        // here; acceptable only while rule files come from a trusted source.
        saxParser.getXMLReader().setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        saxParser.parse(is, handler);
        return handler.getBitextRules();
    }
    catch (Exception e) {
        throw new IOException("Cannot load or parse '" + filename + "'", e);
    }
}
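/**
 * Builds a {@link SAXSource} over a fully buffered copy of the request body, using a reader
 * hardened according to {@link #isSupportDtd()} and {@link #isProcessExternalEntities()}.
 *
 * @param body the request body; read to the end
 * @param inputMessage the message the body belongs to, reported on parse failure
 * @return a source whose reader rejects DOCTYPEs and/or external entities as configured
 * @throws IOException if the body cannot be read
 * @throws HttpMessageNotReadableException if the SAX reader cannot be created or configured
 */
@SuppressWarnings("deprecation") // on JDK 9
private SAXSource readSAXSource(InputStream body, HttpInputMessage inputMessage) throws IOException {
    try {
        XMLReader xmlReader = org.xml.sax.helpers.XMLReaderFactory.createXMLReader();
        boolean processExternalEntities = isProcessExternalEntities();
        xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !isSupportDtd());
        xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
        // Parameter entities are the other way a DTD can pull in external resources; keep both in step.
        xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", processExternalEntities);
        if (!processExternalEntities) {
            xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
        }
        // The whole body is buffered in memory here. NOTE(review): no size cap is applied at this
        // point, so request-size limits must be enforced upstream — confirm.
        byte[] bytes = StreamUtils.copyToByteArray(body);
        return new SAXSource(xmlReader, new InputSource(new ByteArrayInputStream(bytes)));
    }
    catch (SAXException ex) {
        throw new HttpMessageNotReadableException(
                "Could not parse document: " + ex.getMessage(), ex, inputMessage);
    }
}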
xmlReader = org.xml.sax.helpers.XMLReaderFactory.createXMLReader(); xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !isSupportDtd()); String name = "http://xml.org/sax/features/external-general-entities"; xmlReader.setFeature(name, isProcessExternalEntities()); if (!isProcessExternalEntities()) { xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER);
@Test
public void contentHandlerDocumentNamespacePrefixes() throws Exception {
    // With prefix reporting on, the DOM built through the content handler must match a
    // direct DocumentBuilder parse of the same document.
    xmlReader.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
    expected = documentBuilder.parse(new InputSource(new StringReader(XML_1)));
    handler = new DomContentHandler(result);
    xmlReader.setContentHandler(handler);
    xmlReader.parse(new InputSource(new StringReader(XML_1)));
    assertThat("Invalid result", result, isSimilarTo(expected));
}
@Test
public void namespacePrefixesDom() throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document expected = builder.parse(new InputSource(new StringReader(SIMPLE_XML)));
    Document result = builder.newDocument();
    AbstractStaxHandler handler = createStaxHandler(new DOMResult(result));
    // Namespace and prefix reporting are both switched on before the document is replayed
    // through the handler into the DOM result.
    xmlReader.setFeature("http://xml.org/sax/features/namespaces", true);
    xmlReader.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
    xmlReader.setContentHandler(handler);
    xmlReader.setProperty("http://xml.org/sax/properties/lexical-handler", handler);
    xmlReader.parse(new InputSource(new StringReader(SIMPLE_XML)));
    assertThat(expected, isSimilarTo(result).withNodeFilter(nodeFilter));
}
@Test
public void noNamespacePrefixesDom() throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document expected = builder.parse(new InputSource(new StringReader(SIMPLE_XML)));
    Document result = builder.newDocument();
    AbstractStaxHandler handler = createStaxHandler(new DOMResult(result));
    // Namespaces on, prefix reporting off: the DOM built through the handler must still
    // match a direct parse of the same document.
    xmlReader.setFeature("http://xml.org/sax/features/namespaces", true);
    xmlReader.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
    xmlReader.setContentHandler(handler);
    xmlReader.setProperty("http://xml.org/sax/properties/lexical-handler", handler);
    xmlReader.parse(new InputSource(new StringReader(SIMPLE_XML)));
    assertThat(result, isSimilarTo(expected).withNodeFilter(nodeFilter));
}
/**
 * Enables a SAX feature, logging rather than propagating any failure so that an older or
 * non-Xerces parser on the classpath degrades gracefully instead of aborting the caller.
 * <p>NOTE(review): a feature that fails to apply is only warned about; callers relying on it
 * for hardening get no signal beyond the log entry.
 *
 * @param xmlReader the reader to configure
 * @param feature   the feature URI to enable
 */
private static void trySetSAXFeature(XMLReader xmlReader, String feature) {
    try {
        xmlReader.setFeature(feature, true);
    }
    catch (Exception e) {
        logger.log(POILogger.WARN, "SAX Feature unsupported", feature, e);
    }
    catch (AbstractMethodError ame) {
        // AbstractMethodError is an Error, not an Exception, so it needs its own clause.
        logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
    }
}
@Test
public void namespacePrefixes() throws Exception {
    // Skipped when www.springframework.org is unreachable — presumably COMPLEX_XML references
    // a resource hosted there; confirm against the constant.
    Assume.assumeTrue(wwwSpringframeworkOrgIsAccessible());
    StringWriter output = new StringWriter();
    AbstractStaxHandler handler = createStaxHandler(new StreamResult(output));
    xmlReader.setFeature("http://xml.org/sax/features/namespaces", true);
    xmlReader.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
    xmlReader.setContentHandler(handler);
    xmlReader.setProperty("http://xml.org/sax/properties/lexical-handler", handler);
    xmlReader.parse(new InputSource(new StringReader(COMPLEX_XML)));
    assertThat(output.toString(), isSimilarTo(COMPLEX_XML).withNodeFilter(nodeFilter));
}
@Test
public void noNamespacePrefixes() throws Exception {
    // Skipped when www.springframework.org is unreachable — presumably COMPLEX_XML references
    // a resource hosted there; confirm against the constant.
    Assume.assumeTrue(wwwSpringframeworkOrgIsAccessible());
    StringWriter output = new StringWriter();
    AbstractStaxHandler handler = createStaxHandler(new StreamResult(output));
    xmlReader.setFeature("http://xml.org/sax/features/namespaces", true);
    xmlReader.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
    xmlReader.setContentHandler(handler);
    xmlReader.setProperty("http://xml.org/sax/properties/lexical-handler", handler);
    xmlReader.parse(new InputSource(new StringReader(COMPLEX_XML)));
    assertThat(output.toString(), isSimilarTo(COMPLEX_XML).withNodeFilter(nodeFilter));
}
@Test
public void contentHandlerNamespacesNoPrefixes() throws Exception {
    String namespacesFeature = "http://xml.org/sax/features/namespaces";
    String prefixesFeature = "http://xml.org/sax/features/namespace-prefixes";
    // Reference run: the standard reader with namespaces on and prefix reporting off.
    standardReader.setFeature(namespacesFeature, true);
    standardReader.setFeature(prefixesFeature, false);
    standardReader.parse(new InputSource(createTestInputStream()));
    // Run under test: the StAX-backed reader with the same feature settings.
    AbstractStaxXMLReader staxXmlReader = createStaxXmlReader(createTestInputStream());
    staxXmlReader.setFeature(namespacesFeature, true);
    staxXmlReader.setFeature(prefixesFeature, false);
    ContentHandler contentHandler = mockContentHandler();
    staxXmlReader.setContentHandler(contentHandler);
    staxXmlReader.parse(new InputSource());
    verifyIdenticalInvocations(standardContentHandler, contentHandler);
}
@Test
public void contentHandlerNamespacesPrefixes() throws Exception {
    String namespacesFeature = "http://xml.org/sax/features/namespaces";
    String prefixesFeature = "http://xml.org/sax/features/namespace-prefixes";
    // Reference run: the standard reader with namespaces and prefix reporting both on.
    standardReader.setFeature(namespacesFeature, true);
    standardReader.setFeature(prefixesFeature, true);
    standardReader.parse(new InputSource(createTestInputStream()));
    // Run under test: the StAX-backed reader with the same feature settings.
    AbstractStaxXMLReader staxXmlReader = createStaxXmlReader(createTestInputStream());
    staxXmlReader.setFeature(namespacesFeature, true);
    staxXmlReader.setFeature(prefixesFeature, true);
    ContentHandler contentHandler = mockContentHandler();
    staxXmlReader.setContentHandler(contentHandler);
    staxXmlReader.parse(new InputSource());
    verifyIdenticalInvocations(standardContentHandler, contentHandler);
}
@Test
public void contentHandlerNoNamespacesPrefixes() throws Exception {
    String namespacesFeature = "http://xml.org/sax/features/namespaces";
    String prefixesFeature = "http://xml.org/sax/features/namespace-prefixes";
    // Reference run: the standard reader with namespaces off and prefix reporting on.
    standardReader.setFeature(namespacesFeature, false);
    standardReader.setFeature(prefixesFeature, true);
    standardReader.parse(new InputSource(createTestInputStream()));
    // Run under test: the StAX-backed reader with the same feature settings.
    AbstractStaxXMLReader staxXmlReader = createStaxXmlReader(createTestInputStream());
    staxXmlReader.setFeature(namespacesFeature, false);
    staxXmlReader.setFeature(prefixesFeature, true);
    ContentHandler contentHandler = mockContentHandler();
    staxXmlReader.setContentHandler(contentHandler);
    staxXmlReader.parse(new InputSource());
    verifyIdenticalInvocations(standardContentHandler, contentHandler);
}