List of usage examples for javax.xml.parsers DocumentBuilderFactory setXIncludeAware
public void setXIncludeAware(final boolean state)
From source file:org.apache.solr.core.Config.java
/** * Builds a config:// www.j a v a 2 s .com * <p> * Note that the 'name' parameter is used to obtain a valid input stream if no valid one is provided through 'is'. * If no valid stream is provided, a valid SolrResourceLoader instance should be provided through 'loader' so * the resource can be opened (@see SolrResourceLoader#openResource); if no SolrResourceLoader instance is provided, a default one * will be created. * </p> * <p> * Consider passing a non-null 'name' parameter in all use-cases since it is used for logging & exception reporting. * </p> * @param loader the resource loader used to obtain an input stream if 'is' is null * @param name the resource name used if the input stream 'is' is null * @param is the resource as a SAX InputSource * @param prefix an optional prefix that will be preprended to all non-absolute xpath expressions * @throws javax.xml.parsers.ParserConfigurationException * @throws java.io.IOException * @throws org.xml.sax.SAXException */ public Config(SolrResourceLoader loader, String name, InputSource is, String prefix) throws ParserConfigurationException, IOException, SAXException { if (loader == null) { loader = new SolrResourceLoader(null); } this.loader = loader; this.name = name; this.prefix = (prefix != null && !prefix.endsWith("/")) ? prefix + '/' : prefix; try { javax.xml.parsers.DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); if (is == null) { is = new InputSource(loader.openConfig(name)); is.setSystemId(SystemIdResolver.createSystemIdFromResourceName(name)); } // only enable xinclude, if a SystemId is available if (is.getSystemId() != null) { try { dbf.setXIncludeAware(true); dbf.setNamespaceAware(true); } catch (UnsupportedOperationException e) { log.warn(name + " XML parser doesn't support XInclude option"); } } final DocumentBuilder db = dbf.newDocumentBuilder(); db.setEntityResolver(new SystemIdResolver(loader)); db.setErrorHandler(xmllog); try { doc = db.parse(is); } finally { // some XML parsers are broken and don't close the byte stream (but they should according to spec) IOUtils.closeQuietly(is.getByteStream()); } DOMUtil.substituteProperties(doc, loader.getCoreProperties()); } catch (ParserConfigurationException e) { SolrException.log(log, "Exception during parsing file: " + name, e); throw e; } catch (SAXException e) { SolrException.log(log, "Exception during parsing file: " + name, e); throw e; } catch (SolrException e) { SolrException.log(log, "Error in " + name, e); throw e; } }
From source file:org.apache.solr.handler.dataimport.DataImporter.java
public DIHConfiguration loadDataConfig(InputSource configFile) { DIHConfiguration dihcfg = null;/*from w w w . j a va 2s . c o m*/ try { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); // only enable xinclude, if a a SolrCore and SystemId is present (makes no sense otherwise) if (core != null && configFile.getSystemId() != null) { try { dbf.setXIncludeAware(true); dbf.setNamespaceAware(true); } catch (UnsupportedOperationException e) { LOG.warn("XML parser doesn't support XInclude option"); } } DocumentBuilder builder = dbf.newDocumentBuilder(); if (core != null) builder.setEntityResolver(new SystemIdResolver(core.getResourceLoader())); builder.setErrorHandler(XMLLOG); Document document; try { document = builder.parse(configFile); } finally { // some XML parsers are broken and don't close the byte stream (but they should according to spec) IOUtils.closeQuietly(configFile.getByteStream()); } dihcfg = readFromXml(document); LOG.info("Data Configuration loaded successfully"); } catch (Exception e) { throw new DataImportHandlerException(SEVERE, "Data Config problem: " + e.getMessage(), e); } for (Entity e : dihcfg.getEntities()) { if (e.getAllAttributes().containsKey(SqlEntityProcessor.DELTA_QUERY)) { isDeltaImportSupported = true; break; } } return dihcfg; }
From source file:org.apache.tuscany.sca.implementation.bpel.ode.TuscanyProcessConfImpl.java
/** * Reads a BPEL Process file into a DOM Document structure * @param bpelFile - a File object referencing the BPEL process document * @return - a DOM Document structure representing the same BPEL process *///from www . j a va 2 s . c o m private Document readDOMFromProcess(File bpelFile) { try { DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance(); docFactory.setNamespaceAware(true); docFactory.setXIncludeAware(true); DocumentBuilder docBuilder = docFactory.newDocumentBuilder(); Document bpelDOM = docBuilder.parse(bpelFile); return bpelDOM; } catch (Exception e) { return null; } // end try }
From source file:org.apache98.hadoop.conf.Configuration.java
private Resource loadResource(Properties properties, Resource wrapper, boolean quiet) { String name = UNKNOWN_RESOURCE; try {// w w w .ja v a 2 s .com Object resource = wrapper.getResource(); name = wrapper.getName(); DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); // ignore all comments inside the xml file docBuilderFactory.setIgnoringComments(true); // allow includes in the xml file docBuilderFactory.setNamespaceAware(true); try { docBuilderFactory.setXIncludeAware(true); } catch (UnsupportedOperationException e) { LOG.error("Failed to set setXIncludeAware(true) for parser " + docBuilderFactory + ":" + e, e); } DocumentBuilder builder = docBuilderFactory.newDocumentBuilder(); Document doc = null; Element root = null; boolean returnCachedProperties = false; if (resource instanceof URL) { // an URL resource doc = parse(builder, (URL) resource); } else if (resource instanceof String) { // a CLASSPATH resource URL url = getResource((String) resource); doc = parse(builder, url); } else if (resource instanceof Path) { // a file resource // Can't use FileSystem API or we get an infinite loop // since FileSystem uses Configuration API. Use java.io.File instead. File file = new File(((Path) resource).toUri().getPath()).getAbsoluteFile(); if (file.exists()) { if (!quiet) { LOG.debug("parsing File " + file); } doc = parse(builder, new BufferedInputStream(new FileInputStream(file)), ((Path) resource).toString()); } } else if (resource instanceof InputStream) { doc = parse(builder, (InputStream) resource, null); returnCachedProperties = true; } else if (resource instanceof Properties) { overlay(properties, (Properties) resource); } else if (resource instanceof Element) { root = (Element) resource; } if (root == null) { if (doc == null) { if (quiet) { return null; } throw new RuntimeException(resource + " not found"); } root = doc.getDocumentElement(); } Properties toAddTo = properties; if (returnCachedProperties) { toAddTo = new Properties(); } if (!"configuration".equals(root.getTagName())) { LOG.fatal("bad conf file: top-level element not <configuration>"); } NodeList props = root.getChildNodes(); DeprecationContext deprecations = deprecationContext.get(); for (int i = 0; i < props.getLength(); i++) { Node propNode = props.item(i); if (!(propNode instanceof Element)) { continue; } Element prop = (Element) propNode; if ("configuration".equals(prop.getTagName())) { loadResource(toAddTo, new Resource(prop, name), quiet); continue; } if (!"property".equals(prop.getTagName())) { LOG.warn("bad conf file: element not <property>"); } NodeList fields = prop.getChildNodes(); String attr = null; String value = null; boolean finalParameter = false; LinkedList<String> source = new LinkedList<String>(); for (int j = 0; j < fields.getLength(); j++) { Node fieldNode = fields.item(j); if (!(fieldNode instanceof Element)) { continue; } Element field = (Element) fieldNode; if ("name".equals(field.getTagName()) && field.hasChildNodes()) { attr = StringInterner.weakIntern(((Text) field.getFirstChild()).getData().trim()); } if ("value".equals(field.getTagName()) && field.hasChildNodes()) { value = StringInterner.weakIntern(((Text) field.getFirstChild()).getData()); } if ("final".equals(field.getTagName()) && field.hasChildNodes()) { finalParameter = "true".equals(((Text) field.getFirstChild()).getData()); } if ("source".equals(field.getTagName()) && field.hasChildNodes()) { source.add(StringInterner.weakIntern(((Text) field.getFirstChild()).getData())); } } source.add(name); // Ignore this parameter if it has already been marked as 'final' if (attr != null) { if (deprecations.getDeprecatedKeyMap().containsKey(attr)) { DeprecatedKeyInfo keyInfo = deprecations.getDeprecatedKeyMap().get(attr); keyInfo.clearAccessed(); for (String key : keyInfo.newKeys) { // update new keys with deprecated key's value loadProperty(toAddTo, name, key, value, finalParameter, source.toArray(new String[source.size()])); } } else { loadProperty(toAddTo, name, attr, value, finalParameter, source.toArray(new String[source.size()])); } } } if (returnCachedProperties) { overlay(properties, toAddTo); return new Resource(toAddTo, name); } return null; } catch (IOException e) { LOG.fatal("error parsing conf " + name, e); throw new RuntimeException(e); } catch (DOMException e) { LOG.fatal("error parsing conf " + name, e); throw new RuntimeException(e); } catch (SAXException e) { LOG.fatal("error parsing conf " + name, e); throw new RuntimeException(e); } catch (ParserConfigurationException e) { LOG.fatal("error parsing conf " + name, e); throw new RuntimeException(e); } }
From source file:org.codelibs.robot.transformer.impl.XmlTransformer.java
@Override public ResultData transform(final ResponseData responseData) { if (responseData == null || responseData.getResponseBody() == null) { throw new RobotCrawlAccessException("No response body."); }/*from ww w .j a va2s.com*/ final File tempFile = ResponseDataUtil.createResponseBodyFile(responseData); FileInputStream fis = null; try { fis = new FileInputStream(tempFile); final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); for (final Map.Entry<String, Object> entry : attributeMap.entrySet()) { factory.setAttribute(entry.getKey(), entry.getValue()); } for (final Map.Entry<String, String> entry : featureMap.entrySet()) { factory.setFeature(entry.getKey(), "true".equalsIgnoreCase(entry.getValue())); } factory.setCoalescing(coalescing); factory.setExpandEntityReferences(expandEntityRef); factory.setIgnoringComments(ignoringComments); factory.setIgnoringElementContentWhitespace(ignoringElementContentWhitespace); factory.setNamespaceAware(namespaceAware); factory.setValidating(validating); factory.setXIncludeAware(includeAware); final DocumentBuilder builder = factory.newDocumentBuilder(); final Document doc = builder.parse(fis); final StringBuilder buf = new StringBuilder(1000); buf.append(getResultDataHeader()); for (final Map.Entry<String, String> entry : fieldRuleMap.entrySet()) { final List<String> nodeStrList = new ArrayList<String>(); try { final NodeList nodeList = getNodeList(doc, entry.getValue()); for (int i = 0; i < nodeList.getLength(); i++) { final Node node = nodeList.item(i); nodeStrList.add(node.getTextContent()); } } catch (final TransformerException e) { logger.warn("Could not parse a value of " + entry.getKey() + ":" + entry.getValue(), e); } if (nodeStrList.size() == 1) { buf.append(getResultDataBody(entry.getKey(), nodeStrList.get(0))); } else if (nodeStrList.size() > 1) { buf.append(getResultDataBody(entry.getKey(), nodeStrList)); } } buf.append(getAdditionalData(responseData, doc)); buf.append(getResultDataFooter()); final ResultData resultData = new ResultData(); resultData.setTransformerName(getName()); try { resultData.setData(buf.toString().getBytes(charsetName)); } catch (final UnsupportedEncodingException e) { if (logger.isInfoEnabled()) { logger.info("Invalid charsetName: " + charsetName + ". Changed to " + Constants.UTF_8, e); } charsetName = Constants.UTF_8_CHARSET.name(); resultData.setData(buf.toString().getBytes(Constants.UTF_8_CHARSET)); } resultData.setEncoding(charsetName); return resultData; } catch (final RobotSystemException e) { throw e; } catch (final Exception e) { throw new RobotSystemException("Could not store data.", e); } finally { IOUtils.closeQuietly(fis); // clean up if (!tempFile.delete()) { logger.warn("Could not delete a temp file: " + tempFile); } } }
From source file:org.cytobank.acs.core.TableOfContents.java
/** * <p>Creates a DocumentBuilder with Cytobank's preferred security settings * applied to it. Specifically turning off external entities and external * DTDs to prevent External Entity Exploits (XXE)</p> * * @throws ParserConfigurationException/* w w w. j ava2 s . co m*/ * @return DocumentBuilder */ protected DocumentBuilder getDocumentBuilder() throws ParserConfigurationException { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilder db = null; String FEATURE = null; // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; dbf.setFeature(FEATURE, true); // If you can't completely disable DTDs, then at least do the following: // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities // JDK7+ - http://xml.org/sax/features/external-general-entities FEATURE = "http://xml.org/sax/features/external-general-entities"; dbf.setFeature(FEATURE, false); // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities // JDK7+ - http://xml.org/sax/features/external-parameter-entities FEATURE = "http://xml.org/sax/features/external-parameter-entities"; dbf.setFeature(FEATURE, false); // Disable external DTDs as well FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; dbf.setFeature(FEATURE, false); // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below) dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks // (http://cwe.mitre.org/data/definitions/918.html) and denial // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk." boolean namespaceAware = true; boolean xsdValidate = false; boolean ignoreWhitespace = false; boolean ignoreComments = false; boolean putCDATAIntoText = false; boolean createEntityRefs = false; dbf.setNamespaceAware(namespaceAware); dbf.setValidating(xsdValidate); dbf.setIgnoringComments(ignoreComments); dbf.setIgnoringElementContentWhitespace(ignoreWhitespace); dbf.setCoalescing(putCDATAIntoText); dbf.setExpandEntityReferences(createEntityRefs); db = dbf.newDocumentBuilder(); return db; }
From source file:org.forgerock.maven.plugins.LinkTester.java
@Override() public void execute() throws MojoExecutionException, MojoFailureException { if (outputFile != null) { if (!outputFile.isAbsolute()) { outputFile = new File(project.getBasedir(), outputFile.getPath()); }/* w w w . ja v a 2s . c om*/ if (outputFile.exists()) { debug("Deleting existing outputFile: " + outputFile); outputFile.delete(); } try { outputFile.createNewFile(); fileWriter = new FileWriter(outputFile); } catch (IOException ioe) { error("Error while creating output file", ioe); } } initializeSkipUrlPatterns(); //Initialize XML parsers and XPath expressions DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); dbf.setExpandEntityReferences(false); dbf.setXIncludeAware(xIncludeAware); if (validating) { SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); try { Schema schema = sf.newSchema(new URL(DOCBOOK_XSD)); dbf.setSchema(schema); } catch (MalformedURLException murle) { error("Invalid URL provided as schema source", murle); } catch (SAXException saxe) { error("Parsing error occurred while constructing schema for validation", saxe); } } DocumentBuilder db; try { db = dbf.newDocumentBuilder(); db.setErrorHandler(new LoggingErrorHandler(this)); } catch (ParserConfigurationException pce) { throw new MojoExecutionException("Unable to create new DocumentBuilder", pce); } XPathFactory xpf = XPathFactory.newInstance(); XPath xpath = xpf.newXPath(); xpath.setNamespaceContext(new XmlNamespaceContext()); XPathExpression expr; try { expr = xpath.compile("//@xml:id"); } catch (XPathExpressionException xpee) { throw new MojoExecutionException("Unable to compile Xpath expression", xpee); } if (docSources != null) { for (DocSource docSource : docSources) { processDocSource(docSource, db, expr); } } try { if (!skipOlinks) { //we can only check olinks after going through all the documents, otherwise we would see false //positives, because of the not yet processed files for (Map.Entry<String, Collection<String>> entry : (Set<Map.Entry<String, Collection<String>>>) olinks .entrySet()) { for (String val : entry.getValue()) { checkOlink(entry.getKey(), val); } } } if (!failedUrls.isEmpty()) { error("The following files had invalid URLs:\n" + failedUrls.toString()); } if (!timedOutUrls.isEmpty()) { warn("The following files had unavailable URLs (connection or read timed out):\n" + timedOutUrls.toString()); } if (failedUrls.isEmpty() && timedOutUrls.isEmpty() && !failure) { //there are no failed URLs and the parser didn't encounter any errors either info("DocBook links successfully tested, no errors reported."); } } finally { flushReport(); } if (failOnError) { if (failure || !failedUrls.isEmpty()) { throw new MojoFailureException("One or more error occurred during plugin execution"); } } }
From source file:org.gluu.saml.Response.java
public void loadXml(String xml) throws ParserConfigurationException, SAXException, IOException { DocumentBuilderFactory fty = DocumentBuilderFactory.newInstance(); fty.setNamespaceAware(true);//from ww w. j a v a2 s . co m // Fix XXE vulnerability fty.setXIncludeAware(false); fty.setExpandEntityReferences(false); fty.setFeature("http://xml.org/sax/features/external-parameter-entities", false); fty.setFeature("http://xml.org/sax/features/external-general-entities", false); fty.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); DocumentBuilder builder = fty.newDocumentBuilder(); ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes()); xmlDoc = builder.parse(bais); }
From source file:org.icatproject.idav.methods.AbstractMethod.java
/** * Return JAXP document builder instance. *//* w w w . jav a2 s . com*/ protected DocumentBuilder getDocumentBuilder() throws ServletException { DocumentBuilder documentBuilder = null; DocumentBuilderFactory documentBuilderFactory = null; try { documentBuilderFactory = DocumentBuilderFactory.newInstance(); documentBuilderFactory.setNamespaceAware(true); // disable XML External Entities to prevent XML XXE attacks as described at: // https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); documentBuilderFactory.setXIncludeAware(false); documentBuilderFactory.setExpandEntityReferences(false); // documentBuilder = documentBuilderFactory.newDocumentBuilder(); } catch (ParserConfigurationException e) { String msg = "Failed to create an XML DocumentBuilder which satisfies the configuration requested: " + e.getMessage(); LOG.error(msg); throw new ServletException(msg); } return documentBuilder; }
From source file:org.jaggeryjs.modules.sso.common.util.Util.java
/** * Create DocumentBuilderFactory with the XXE prevention measurements * * @return DocumentBuilderFactory instance *///from w w w . j ava 2 s .c om public static DocumentBuilderFactory getSecuredDocumentBuilder() { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false); try { dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false); dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false); dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false); } catch (ParserConfigurationException e) { log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE); } SecurityManager securityManager = new SecurityManager(); securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT); dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager); return dbf; }