Example usage for javax.xml.parsers DocumentBuilderFactory setExpandEntityReferences

List of usage examples for javax.xml.parsers DocumentBuilderFactory setExpandEntityReferences

Introduction

On this page you can find example usage for javax.xml.parsers DocumentBuilderFactory setExpandEntityReferences.

Prototype


public void setExpandEntityReferences(boolean expandEntityRef) 


Document

Specifies that the parser produced by this code will expand entity reference nodes.

Usage

From source file:org.wso2.identity.iml.dsl.mediators.SAMLRequestProcessor.java

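/**
 * Parses the XML text of a SAML {@code AuthnRequest} into an OpenSAML object.
 *
 * <p>The request text is untrusted, so the parser is hardened before any of it is
 * read: entity references are not expanded, XInclude is off, JAXP secure processing
 * is on, the Xerces entity-expansion limit is zero, and every attempt to resolve an
 * external entity (DTD or external general entity) is rejected by the entity resolver.
 *
 * @param samlRequest the decoded SAML request as XML text
 * @return the unmarshalled {@link AuthnRequest}
 * @throws ParserConfigurationException if the hardened parser cannot be created
 * @throws SAXException if the document is malformed, references an external entity,
 *         or its root element does not unmarshall to an {@code AuthnRequest}
 * @throws IOException if the request text cannot be read
 * @throws UnmarshallingException if OpenSAML cannot build the object model
 * @throws ConfigurationException if the OpenSAML bootstrap fails
 */
private AuthnRequest SAMLRequestParser(String samlRequest) throws ParserConfigurationException, SAXException,
        ConfigurationException, IOException, UnmarshallingException {

    IMLUtils.doBootstrap();
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    // XInclude could pull other documents into the request; keep it off explicitly,
    // matching the other SAML parsers in this code base.
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);
    documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // A zero expansion limit stops entity-expansion ("billion laughs") inputs outright.
    org.apache.xerces.util.SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(0);
    documentBuilderFactory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);

    DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
    // Any external entity lookup is treated as an attack and aborts the parse.
    docBuilder.setEntityResolver((publicId, systemId) -> {
        throw new SAXException(
                "SAML request contains invalid elements. Possible XML External Entity " + "(XXE) attack.");
    });

    try (InputStream inputStream = new ByteArrayInputStream(
            samlRequest.trim().getBytes(StandardCharsets.UTF_8))) {

        Document document = docBuilder.parse(inputStream);
        Element element = document.getDocumentElement();

        UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
        Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
        Object parsed = unmarshaller.unmarshall(element);

        // Well-formed SAML that is not an AuthnRequest (e.g. a Response) used to surface
        // as a ClassCastException; report it as a parse error instead.
        if (!(parsed instanceof AuthnRequest)) {
            throw new SAXException("SAML request root element is not an AuthnRequest.");
        }
        return (AuthnRequest) parsed;
    }
}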

From source file:org.wso2.identity.integration.common.clients.sso.saml.query.QueryClientUtils.java

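/**
 * Unmarshalls a request message from its XML text into an OpenSAML {@link XMLObject}.
 *
 * <p>The message text is untrusted, so the parser is configured not to expand entity
 * references, not to process XInclude, and not to load external general or parameter
 * entities or an external DTD. Any failure is logged and {@code null} is returned,
 * which is the contract existing callers rely on.
 *
 * @param xmlString Request message in text format
 * @return XMLObject Request message as XML, or {@code null} if it cannot be parsed or unmarshalled
 */
private static XMLObject unmarshall(String xmlString) {
    try {
        doBootstrap();
        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        documentBuilderFactory.setNamespaceAware(true);
        documentBuilderFactory.setXIncludeAware(false);
        documentBuilderFactory.setExpandEntityReferences(false);
        // setExpandEntityReferences(false) by itself does not stop the parser from
        // fetching external entities; disable them and the external DTD explicitly.
        // If the parser does not support a feature, setFeature throws and we fail closed.
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
        try (InputStream inputStream = new ByteArrayInputStream(
                xmlString.trim().getBytes(StandardCharsets.UTF_8))) {
            Document document = docBuilder.parse(inputStream);
            Element element = document.getDocumentElement();
            UnmarshallerFactory unmarshallerFactory = XMLObjectProviderRegistrySupport.getUnmarshallerFactory();
            Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
            return unmarshaller.unmarshall(element);
        }
    } catch (UnmarshallingException e) {
        log.error("Unable to unmarshall request message", e);
    } catch (SAXException e) {
        log.error("Unable to parse input stream", e);
    } catch (ParserConfigurationException e) {
        log.error("Unable to initiate document builder", e);
    } catch (IOException e) {
        log.error("Unable to read xml stream", e);
    }

    return null;
}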

From source file:org.wso2.identity.scenarios.commons.SAML2SSOTestBase.java

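/**
 * Unmarshalls a SAML 2.0 SSO message from its XML text into an OpenSAML {@link XMLObject}.
 *
 * <p>The parser is hardened before the untrusted text is read: entity references are not
 * expanded, XInclude is off, external general/parameter entities and the external DTD are
 * not loaded, JAXP secure processing is on, and the Xerces entity-expansion limit is capped
 * at {@code ENTITY_EXPANSION_LIMIT}. If any of these features cannot be set, the failure is
 * logged with its cause and rethrown instead of continuing with a partially hardened parser.
 *
 * <p>The document is first parsed with comments ignored; if {@code isSignedWithComments}
 * reports that the signed content contains comments, it is parsed again with comments kept
 * (presumably so the signed content is preserved as signed — confirm against the verifier).
 *
 * @param saml2SSOString the SAML 2.0 message as XML text
 * @return the unmarshalled message
 * @throws Exception if the parser cannot be hardened, or the message cannot be parsed or unmarshalled
 */
private XMLObject unmarshall(String saml2SSOString) throws Exception {

    doBootstrap();
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);
    try {
        documentBuilderFactory
                .setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
        documentBuilderFactory.setFeature(
                Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        documentBuilderFactory.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE,
                false);
        documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    } catch (ParserConfigurationException e) {
        // Fail closed: parsing untrusted SAML without these features would leave the
        // parser open to XXE, so do not proceed. Keep the cause on the log and rethrow.
        log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or "
                + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE
                + " or secure-processing.", e);
        throw e;
    }

    // Caps entity expansion so entity-bomb inputs cannot exhaust memory.
    org.apache.xerces.util.SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    documentBuilderFactory.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY,
            securityManager);

    documentBuilderFactory.setIgnoringComments(true);
    Document document = getDocument(documentBuilderFactory, saml2SSOString);
    if (isSignedWithComments(document)) {
        // Re-parse keeping comments so the document matches what was signed.
        documentBuilderFactory.setIgnoringComments(false);
        document = getDocument(documentBuilderFactory, saml2SSOString);
    }
    Element element = document.getDocumentElement();
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
    return unmarshaller.unmarshall(element);
}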

From source file:org.xdi.service.XmlService.java

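/**
 * Creates a namespace-aware {@link DocumentBuilderFactory} hardened against XML External
 * Entity (XXE) attacks.
 *
 * <p>XInclude, entity-reference expansion, external general/parameter entities and external
 * DTD loading are disabled. JAXP secure processing is enabled as well so the parser also
 * enforces its entity-expansion limits against entity-bomb inputs.
 *
 * @return a new, hardened factory
 * @throws ParserConfigurationException if the underlying parser does not support one of the features
 */
private DocumentBuilderFactory creaeDocumentBuilderFactory() throws ParserConfigurationException {
    DocumentBuilderFactory fty = DocumentBuilderFactory.newInstance();

    fty.setNamespaceAware(true);

    // Fix XXE vulnerability
    fty.setXIncludeAware(false);
    fty.setExpandEntityReferences(false);
    fty.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    fty.setFeature("http://xml.org/sax/features/external-general-entities", false);
    fty.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    // Disabling external entities does not bound internal entity expansion; secure
    // processing adds those limits.
    fty.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
    return fty;
}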

From source file:org.zaproxy.zap.extension.ascanrulesBeta.CrossDomainScanner.java

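/**
 * Initialises the XML document builder and XPath evaluator used by this scanner.
 *
 * <p>The XML this scanner parses is not produced locally (presumably fetched from the
 * scan target), so the builder is hardened against XML External Entity (XXE) attacks:
 * external general/parameter entities and the external DTD are not loaded, JAXP secure
 * processing caps entity expansion, XInclude is off and entity references are not
 * expanded. If the parser does not support these features the error is logged and
 * {@code docBuilder}/{@code xpath} are left unassigned.
 */
@Override
public void init() {
    DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
    try {
        docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Bounds internal entity expansion, which the three features above do not cover.
        docBuilderFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
        docBuilderFactory.setXIncludeAware(false);
        docBuilderFactory.setExpandEntityReferences(false);
        docBuilder = docBuilderFactory.newDocumentBuilder();
        xpath = XPathFactory.newInstance().newXPath();
    } catch (ParserConfigurationException e) {
        log.error("Failed to create document builder:", e);
    }
}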