List of usage examples for javax.xml.parsers DocumentBuilderFactory setXIncludeAware
public void setXIncludeAware(final boolean state)
From source file:org.wso2.carbon.jaggeryapp.template.deployer.internal.util.JaggeryappTemplateDeployerHelper.java
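/**
 * Builds a {@link DocumentBuilderFactory} hardened against XML external entity (XXE)
 * and entity-expansion attacks.
 *
 * <p>The factory is namespace-aware; XInclude and entity-reference expansion are
 * disabled, the SAX external-general/parameter-entity features and Xerces external-DTD
 * loading are switched off, JAXP secure processing is enabled, and a Xerces
 * {@code SecurityManager} caps entity expansion at
 * {@code JaggeryappTemplateDeployerConstants.ENTITY_EXPANSION_LIMIT}.
 *
 * <p>Feature configuration is best-effort: if the underlying parser rejects a feature,
 * the failure is logged together with its cause and the partially hardened factory is
 * still returned. Check the log when the parser implementation changes.
 *
 * @return a configured factory from which callers create their {@code DocumentBuilder}
 */
public static DocumentBuilderFactory getSecuredDocumentBuilder() {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    try {
        factory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
        factory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        factory.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
        // JAXP secure processing adds the parser's own resource limits on top of the
        // entity features above (fully qualified so no new import is needed).
        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
        // Pass the exception along; without it the log cannot show which feature was rejected.
        log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE
                + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or "
                + Constants.LOAD_EXTERNAL_DTD_FEATURE + " or secure-processing.", e);
    }
    org.apache.xerces.util.SecurityManager securityManager = new org.apache.xerces.util.SecurityManager();
    securityManager.setEntityExpansionLimit(JaggeryappTemplateDeployerConstants.ENTITY_EXPANSION_LIMIT);
    factory.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return factory;
}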
From source file:org.wso2.carbon.task.ui.internal.TaskManagementHelper.java
/**
 * Creates a {@link DocumentBuilder} hardened against XML external entity (XXE) attacks.
 *
 * <p>The builder is namespace-aware, does not expand entity references, has XInclude
 * disabled and JAXP secure processing enabled, carries a Xerces {@code SecurityManager}
 * with an entity-expansion limit of 0, and answers every entity-resolution request
 * (external DTD subset or external entity) with a {@link SAXException}, so the parser
 * never fetches an external resource.
 *
 * @param setIgnoreComments whether comments are dropped while parsing; passed straight
 *        to {@link DocumentBuilderFactory#setIgnoringComments(boolean)}
 * @return a new, configured {@code DocumentBuilder}
 * @throws ParserConfigurationException if the parser does not support a requested
 *         feature or the builder cannot be created
 */
public static DocumentBuilder getSecuredDocumentBuilder(boolean setIgnoreComments) throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setIgnoringComments(setIgnoreComments);
    factory.setNamespaceAware(true);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // Xerces-level expansion cap. NOTE(review): 0 presumably means "no expansion at all";
    // confirm against the Xerces version on the classpath.
    org.apache.xerces.util.SecurityManager xercesSecurityManager = new SecurityManager();
    xercesSecurityManager.setEntityExpansionLimit(0);
    factory.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, xercesSecurityManager);

    DocumentBuilder builder = factory.newDocumentBuilder();
    // Fail closed: any resolution attempt aborts the parse instead of touching the
    // network or file system.
    builder.setEntityResolver(new EntityResolver() {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            throw new SAXException("Possible XML External Entity (XXE) attack. Skipping entity resolving");
        }
    });
    return builder;
}
From source file:org.wso2.identity.integration.common.clients.sso.saml.query.QueryClientUtils.java
/** * This method is used to unmarshall request message * @param xmlString Request message in text format * @return XMLObject Request message as XML *///from w w w.j a v a 2s .c om private static XMLObject unmarshall(String xmlString) { InputStream inputStream; try { doBootstrap(); DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); documentBuilderFactory.setNamespaceAware(true); documentBuilderFactory.setXIncludeAware(false); documentBuilderFactory.setExpandEntityReferences(false); DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder(); inputStream = new ByteArrayInputStream(xmlString.trim().getBytes(StandardCharsets.UTF_8)); Document document = docBuilder.parse(inputStream); Element element = document.getDocumentElement(); UnmarshallerFactory unmarshallerFactory = XMLObjectProviderRegistrySupport.getUnmarshallerFactory(); Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element); return unmarshaller.unmarshall(element); } catch (UnmarshallingException e) { log.error("Unable to unmarshall request message", e); } catch (SAXException e) { log.error("Unable to parse input stream", e); } catch (ParserConfigurationException e) { log.error("Unable to initiate document builder", e); } catch (IOException e) { log.error("Unable to read xml stream", e); } return null; }
From source file:org.wso2.identity.scenarios.commons.SAML2SSOTestBase.java
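/**
 * Parses a SAML 2.0 SSO message and unmarshalls it into an OpenSAML {@link XMLObject}.
 *
 * <p>The parser is hardened before use: namespace-aware, XInclude and entity-reference
 * expansion disabled, external general/parameter entities and external DTD loading off,
 * JAXP secure processing on, and a Xerces {@code SecurityManager} capping entity
 * expansion at {@code ENTITY_EXPANSION_LIMIT}. Feature setup is best-effort: a rejected
 * feature is logged with its cause and parsing proceeds with the partially hardened
 * factory.
 *
 * <p>Comments are dropped on the first parse; when {@code isSignedWithComments} reports
 * that the signature covers comments, the message is parsed again with comments kept
 * (presumably so signature validation sees the signed content unchanged).
 *
 * @param saml2SSOString the SAML message as XML text
 * @return the unmarshalled message
 * @throws Exception if bootstrapping, parsing or unmarshalling fails
 */
private XMLObject unmarshall(String saml2SSOString) throws Exception {
    doBootstrap();
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setNamespaceAware(true);
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);
    try {
        documentBuilderFactory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
        documentBuilderFactory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        documentBuilderFactory.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
        documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
        // Pass the exception along so the rejected feature can be identified from the log.
        log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or "
                + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE
                + " or secure-processing.", e);
    }
    org.apache.xerces.util.SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    documentBuilderFactory.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);

    // First pass without comments; re-parse with comments only when the signature needs them.
    documentBuilderFactory.setIgnoringComments(true);
    Document document = getDocument(documentBuilderFactory, saml2SSOString);
    if (isSignedWithComments(document)) {
        documentBuilderFactory.setIgnoringComments(false);
        document = getDocument(documentBuilderFactory, saml2SSOString);
    }
    Element element = document.getDocumentElement();
    UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
    Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
    return unmarshaller.unmarshall(element);
}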
From source file:org.xdi.service.XmlService.java
/**
 * Creates a namespace-aware {@link DocumentBuilderFactory} with the XXE-relevant
 * switches turned off: XInclude, entity-reference expansion, external parameter and
 * general entities, and external DTD loading.
 *
 * @return a freshly configured factory
 * @throws ParserConfigurationException if the parser does not support one of the
 *         requested features
 */
private DocumentBuilderFactory creaeDocumentBuilderFactory() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    // Mitigate XXE: no XInclude, no entity expansion, no external entities or DTD.
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    return factory;
}
From source file:uk.me.jeffsutton.pojogen.SimplePOJO.java
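/**
 * Reads an XML document from {@code xml} and parses it into a DOM {@link Document}.
 *
 * <p>Lines are concatenated without their line terminators (unchanged from the original
 * behaviour), any {@code <!DOCTYPE ...>} declaration is stripped textually, and the text
 * is parsed by a non-validating, non-namespace-aware builder that ignores comments,
 * refuses DOCTYPE declarations and does not load external DTDs.
 *
 * <p>XInclude stays enabled, as before. With it on, an {@code xi:include} element in the
 * input can pull other local or remote resources into the document, so only trusted XML
 * should be parsed here; switch to {@code setXIncludeAware(false)} if that is not the
 * case.
 *
 * <p>Read errors now propagate instead of being printed and parsed over: the method
 * already declares {@link IOException}, and continuing on a truncated document only
 * produced a confusing parse error later.
 *
 * @param xml reader positioned at the start of the XML text; read to EOF, not closed
 * @return the parsed document
 * @throws IOException if reading from {@code xml} fails
 * @throws SAXException if the XML is not well-formed
 * @throws ParserConfigurationException if the parser does not support a requested feature
 */
public Document parse(BufferedReader xml) throws IOException, SAXException, ParserConfigurationException {
    // StringBuilder instead of repeated String concatenation (quadratic on large input).
    StringBuilder text = new StringBuilder();
    String line;
    while ((line = xml.readLine()) != null) {
        text.append(line);
    }
    String file = text.toString().replaceAll("<!DOCTYPE((.|\n|\r)*?)\">", "");
    // Encode explicitly; the no-arg getBytes() uses the platform charset.
    InputStream is = new ByteArrayInputStream(file.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/validation", false);
    dbf.setNamespaceAware(false);
    dbf.setIgnoringComments(true);
    dbf.setValidating(false);
    dbf.setXIncludeAware(true);
    return dbf.newDocumentBuilder().parse(is);
}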