List of usage examples for javax.xml.parsers DocumentBuilderFactory setExpandEntityReferences
public void setExpandEntityReferences(boolean expandEntityRef)
From source file:net.sourceforge.pmd.lang.xml.ast.XmlParser.java
protected Document parseDocument(Reader reader) throws ParseException { nodeCache.clear();//w w w .j a va 2 s . c om try { String xmlData = IOUtils.toString(reader); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(parserOptions.isNamespaceAware()); dbf.setValidating(parserOptions.isValidating()); dbf.setIgnoringComments(parserOptions.isIgnoringComments()); dbf.setIgnoringElementContentWhitespace(parserOptions.isIgnoringElementContentWhitespace()); dbf.setExpandEntityReferences(parserOptions.isExpandEntityReferences()); dbf.setCoalescing(parserOptions.isCoalescing()); dbf.setXIncludeAware(parserOptions.isXincludeAware()); dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); DocumentBuilder documentBuilder = dbf.newDocumentBuilder(); documentBuilder.setEntityResolver(parserOptions.getEntityResolver()); Document document = documentBuilder.parse(new InputSource(new StringReader(xmlData))); DOMLineNumbers lineNumbers = new DOMLineNumbers(document, xmlData); lineNumbers.determine(); return document; } catch (ParserConfigurationException | SAXException | IOException e) { throw new ParseException(e); } }
From source file:net.sourceforge.pmd.RuleSetFactory.java
private DocumentBuilder createDocumentBuilder() throws ParserConfigurationException { final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); try {//from w ww. j a va 2 s . c o m /* * parser hardening * https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J */ // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // If you can't completely disable DTDs, then at least do the following: // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities // JDK7+ - http://xml.org/sax/features/external-general-entities dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities // JDK7+ - http://xml.org/sax/features/external-parameter-entities dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); // Disable external DTDs as well dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); } catch (final ParserConfigurationException e) { // an unsupported feature... too bad, but won't fail execution due to this LOG.log(Level.WARNING, "Ignored unsupported XML Parser Feature for parsing rulesets", e); } return dbf.newDocumentBuilder(); }
From source file:nl.armatiek.xslweb.utils.XMLUtils.java
public static DocumentBuilder getDocumentBuilder(boolean validate, boolean namespaceAware, boolean xincludeAware) throws XSLWebException { try {/*www . j av a 2 s . c o m*/ DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance(); if (xincludeAware) { docFactory.setFeature("http://apache.org/xml/features/xinclude", true); docFactory.setFeature("http://apache.org/xml/features/xinclude/fixup-base-uris", false); docFactory.setFeature("http://apache.org/xml/features/xinclude/fixup-language", false); docFactory.setXIncludeAware(true); } docFactory.setNamespaceAware(namespaceAware); docFactory.setValidating(validate); docFactory.setExpandEntityReferences(true); if (validate) { docFactory.setFeature("http://apache.org/xml/features/validation/dynamic", true); docFactory.setFeature("http://apache.org/xml/features/validation/schema", true); } docFactory.setIgnoringElementContentWhitespace(true); return docFactory.newDocumentBuilder(); } catch (Exception e) { throw new XSLWebException(e); } }
From source file:org.apache.oozie.cli.OozieCLI.java
private Properties parse(InputStream is, Properties conf) throws IOException { try {/*from w w w . j a v a 2s. c o m*/ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); docBuilderFactory.setNamespaceAware(true); // support for includes in the xml file docBuilderFactory.setXIncludeAware(true); // ignore all comments inside the xml file docBuilderFactory.setIgnoringComments(true); docBuilderFactory.setExpandEntityReferences(false); docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = docBuilderFactory.newDocumentBuilder(); Document doc = builder.parse(is); return parseDocument(doc, conf); } catch (SAXException e) { throw new IOException(e); } catch (ParserConfigurationException e) { throw new IOException(e); } }
From source file:org.apache.rahas.TrustUtil.java
/** * Create DocumentBuilderFactory with the XXE and XEE prevention measurements * * @return DocumentBuilderFactory instance *//*w w w . j a v a 2s . c om*/ public static DocumentBuilderFactory getSecuredDocumentBuilderFactory() { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); try { dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false); dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false); dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); } catch (ParserConfigurationException e) { logger.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE + "or secure-processing."); } SecurityManager securityManager = new SecurityManager(); securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT); dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager); return dbf; }
From source file:org.apache.rampart.util.Axis2Util.java
/** * Create DocumentBuilderFactory with the XXE prevention measurements * * @return DocumentBuilderFactory instance *//*from ww w . j a va 2s. c om*/ public static DocumentBuilderFactory getSecuredDocumentBuilderFactory() { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); try { dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false); dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false); dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); } catch (ParserConfigurationException e) { logger.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE); } SecurityManager securityManager = new SecurityManager(); securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT); dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager); return dbf; }
From source file:org.apache.wiki.auth.user.XMLUserDatabase.java
private void buildDOM() { // Read DOM/* w w w .j av a 2 s . c om*/ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setValidating(false); factory.setExpandEntityReferences(false); factory.setIgnoringComments(true); factory.setNamespaceAware(false); try { c_dom = factory.newDocumentBuilder().parse(c_file); log.debug("Database successfully initialized"); c_lastModified = c_file.lastModified(); c_lastCheck = System.currentTimeMillis(); } catch (ParserConfigurationException e) { log.error("Configuration error: " + e.getMessage()); } catch (SAXException e) { log.error("SAX error: " + e.getMessage()); } catch (FileNotFoundException e) { log.info("User database not found; creating from scratch..."); } catch (IOException e) { log.error("IO error: " + e.getMessage()); } if (c_dom == null) { try { // // Create the DOM from scratch // c_dom = factory.newDocumentBuilder().newDocument(); c_dom.appendChild(c_dom.createElement("users")); } catch (ParserConfigurationException e) { log.fatal("Could not create in-memory DOM"); } } }
From source file:org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition.java
private boolean validateXml(String xml) { if (xml == null || xml.toUpperCase().contains("<!DOCTYPE")) { return false; }//from w w w . j a v a2 s .c om try { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setExpandEntityReferences(false); DocumentBuilder builder = factory.newDocumentBuilder(); builder.parse(new InputSource(new StringReader(xml))); } catch (ParserConfigurationException | SAXException | IOException e) { return false; } return true; }
From source file:org.codelibs.robot.transformer.impl.XmlTransformer.java
@Override public ResultData transform(final ResponseData responseData) { if (responseData == null || responseData.getResponseBody() == null) { throw new RobotCrawlAccessException("No response body."); }/*w ww .j a v a 2 s.c om*/ final File tempFile = ResponseDataUtil.createResponseBodyFile(responseData); FileInputStream fis = null; try { fis = new FileInputStream(tempFile); final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); for (final Map.Entry<String, Object> entry : attributeMap.entrySet()) { factory.setAttribute(entry.getKey(), entry.getValue()); } for (final Map.Entry<String, String> entry : featureMap.entrySet()) { factory.setFeature(entry.getKey(), "true".equalsIgnoreCase(entry.getValue())); } factory.setCoalescing(coalescing); factory.setExpandEntityReferences(expandEntityRef); factory.setIgnoringComments(ignoringComments); factory.setIgnoringElementContentWhitespace(ignoringElementContentWhitespace); factory.setNamespaceAware(namespaceAware); factory.setValidating(validating); factory.setXIncludeAware(includeAware); final DocumentBuilder builder = factory.newDocumentBuilder(); final Document doc = builder.parse(fis); final StringBuilder buf = new StringBuilder(1000); buf.append(getResultDataHeader()); for (final Map.Entry<String, String> entry : fieldRuleMap.entrySet()) { final List<String> nodeStrList = new ArrayList<String>(); try { final NodeList nodeList = getNodeList(doc, entry.getValue()); for (int i = 0; i < nodeList.getLength(); i++) { final Node node = nodeList.item(i); nodeStrList.add(node.getTextContent()); } } catch (final TransformerException e) { logger.warn("Could not parse a value of " + entry.getKey() + ":" + entry.getValue(), e); } if (nodeStrList.size() == 1) { buf.append(getResultDataBody(entry.getKey(), nodeStrList.get(0))); } else if (nodeStrList.size() > 1) { buf.append(getResultDataBody(entry.getKey(), nodeStrList)); } } buf.append(getAdditionalData(responseData, doc)); buf.append(getResultDataFooter()); final ResultData resultData = new ResultData(); resultData.setTransformerName(getName()); try { resultData.setData(buf.toString().getBytes(charsetName)); } catch (final UnsupportedEncodingException e) { if (logger.isInfoEnabled()) { logger.info("Invalid charsetName: " + charsetName + ". Changed to " + Constants.UTF_8, e); } charsetName = Constants.UTF_8_CHARSET.name(); resultData.setData(buf.toString().getBytes(Constants.UTF_8_CHARSET)); } resultData.setEncoding(charsetName); return resultData; } catch (final RobotSystemException e) { throw e; } catch (final Exception e) { throw new RobotSystemException("Could not store data.", e); } finally { IOUtils.closeQuietly(fis); // clean up if (!tempFile.delete()) { logger.warn("Could not delete a temp file: " + tempFile); } } }