/**
 * Builds a {@link SAXParserFactory} hardened against external-entity (XXE) and
 * entity-expansion attacks.
 *
 * <p>The returned factory has {@link XMLConstants#FEATURE_SECURE_PROCESSING} switched
 * on, which makes the implementation enforce its resource limits (e.g. on entity
 * expansion, the "XML bomb" case), and has resolution of external general entities,
 * external parameter entities and the external DTD switched off, so a document
 * cannot pull in local files or remote resources. Namespace awareness is left at the
 * implementation default.
 *
 * @return a freshly created, hardened factory
 * @throws ParserConfigurationException if no parser matching the requested
 *         configuration can be created
 * @throws SAXNotRecognizedException if the underlying XMLReader does not recognize
 *         one of the feature names
 * @throws SAXNotSupportedException if the underlying XMLReader recognizes a feature
 *         but cannot apply the requested value
 */
public static SAXParserFactory createSecureSAXParserFactory()
        throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
    final SAXParserFactory hardened = SAXParserFactory.newInstance();
    hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Two SAX-standard switches plus the Xerces-specific "load-external-dtd":
    // all three control fetching of resources outside the document itself.
    final String[] externalAccessFeatures = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    };
    for (String feature : externalAccessFeatures) {
        hardened.setFeature(feature, false);
    }
    return hardened;
}
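/**
 * Creates a new instance of {@code XmlInputArchive} by parsing the whole XML
 * document read from {@code in} into {@code valList}.
 *
 * <p>The parser is created with {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}
 * enabled and with DOCTYPE declarations rejected, so an archive cannot declare
 * entities and therefore cannot trigger XXE or entity-expansion attacks.
 *
 * @param in the XML archive to read; it is consumed completely
 * @throws ParserConfigurationException if a SAX parser cannot be configured
 * @throws SAXException if the document is not well-formed (including a DOCTYPE)
 *         or a requested feature is not supported
 * @throws IOException if reading from {@code in} fails
 */
public XmlInputArchive(InputStream in) throws ParserConfigurationException, SAXException, IOException {
    valList = new ArrayList<Value>();
    DefaultHandler handler = new XMLParser(valList);
    SAXParserFactory factory = SAXParserFactory.newInstance();
    factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Rejecting the DOCTYPE altogether closes off external entities and entity expansion.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    SAXParser parser = factory.newSAXParser();
    parser.parse(in, handler);
    vLen = valList.size();
    vIdx = 0;
}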
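/**
 * Wraps a SAX parser from {@code saxParserFactory} in an {@link XMLReader} that is
 * hardened against XXE: DOCTYPE declarations are rejected and external general and
 * parameter entities are never resolved, so an untrusted document cannot pull in
 * local files or remote resources.
 *
 * <p>The features are set on the caller's factory, i.e. the factory is mutated and
 * stays hardened for later {@code newSAXParser()} calls.
 *
 * @param saxParserFactory factory used to create the parser; must not be {@code null}
 * @param contentHandler handler installed on the returned reader; must not be {@code null}
 * @return an {@link XMLReader} with {@code contentHandler} already registered
 * @throws IllegalArgumentException if either argument is {@code null}
 * @throws SAXException if a feature is not recognized or supported, or the parser
 *         cannot be created
 * @throws ParserConfigurationException if the factory cannot satisfy the configuration
 */
public static XMLReader createSafeSaxReader(SAXParserFactory saxParserFactory, ContentHandler contentHandler)
        throws SAXException, ParserConfigurationException {
    if (saxParserFactory == null) {
        throw new IllegalArgumentException("The provided SAX parser factory cannot be null");
    }
    if (contentHandler == null) {
        throw new IllegalArgumentException("The provided SAX content handler cannot be null");
    }
    saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Both SAX-standard external-entity switches are turned off in addition to
    // rejecting the DOCTYPE, so the reader stays safe even if a caller later
    // relaxes the DOCTYPE feature on this shared factory.
    saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    XMLReader xmlReader = saxParserFactory.newSAXParser().getXMLReader();
    xmlReader.setContentHandler(contentHandler);
    return xmlReader;
}
}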
/**
 * Builds the shared validating, namespace-aware SAX parser used by the tests.
 *
 * <p>The SAX-standard validation feature is switched on together with two
 * Xerces-specific schema features (listed at
 * http://xerces.apache.org/xerces2-j/features.html); a non-Xerces JAXP provider
 * may reject the latter.
 *
 * @throws Exception any error while configuring or creating the parser
 */
@BeforeClass
public static void init() throws Exception {
    saxParserFactory = SAXParserFactory.newInstance();
    final SAXParserFactory factory = saxParserFactory;
    factory.setValidating(true);
    factory.setNamespaceAware(true);
    // Validation plus full XML Schema checking, all requested as feature URIs.
    final String[] validationFeatures = {
        "http://xml.org/sax/features/validation",
        "http://apache.org/xml/features/validation/schema",
        "http://apache.org/xml/features/validation/schema-full-checking",
    };
    for (String feature : validationFeatures) {
        factory.setFeature(feature, true);
    }
    validateDefaultHandler = new ValidateDefaultHandler();
    saxParser = factory.newSAXParser();
}
/**
 * Returns a namespace-aware {@link SAXParserFactory} whose
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} flag follows the security
 * processing property: secure unless {@code isXMLSecurityDisabled} says otherwise.
 *
 * @param disableSecureProcessing request to switch secure processing off; the
 *        effective value is decided by {@code isXMLSecurityDisabled}
 * @return the configured factory
 * @throws IllegalStateException if the JAXP implementation cannot be configured;
 *         wraps the parser-configuration or SAX feature failure, or the
 *         {@link AbstractMethodError} raised by an incompatible JAXP implementation
 */
public static SAXParserFactory createParserFactory(boolean disableSecureProcessing) throws IllegalStateException {
    try {
        final SAXParserFactory factory = SAXParserFactory.newInstance();
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory);
        }
        factory.setNamespaceAware(true);
        final boolean secureProcessing = !isXMLSecurityDisabled(disableSecureProcessing);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        return factory;
    } catch (ParserConfigurationException ex) {
        LOGGER.log(Level.SEVERE, null, ex);
        throw new IllegalStateException(ex);
    } catch (SAXNotRecognizedException ex) {
        LOGGER.log(Level.SEVERE, null, ex);
        throw new IllegalStateException(ex);
    } catch (SAXNotSupportedException ex) {
        LOGGER.log(Level.SEVERE, null, ex);
        throw new IllegalStateException(ex);
    } catch (AbstractMethodError er) {
        // Raised when the JAXP implementation on the classpath predates the
        // SAXParserFactory API this code expects.
        LOGGER.log(Level.SEVERE, null, er);
        throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
    }
}
SAXParserFactory spf = SAXParserFactoryImpl.newInstance(); spf.setNamespaceAware(true); spf.setValidating(false); spf.setFeature("http://xml.org/sax/features/validation", false); spf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); SAXParser sp = spf.newSAXParser() ; Source src = new SAXSource ( sp.getXMLReader(), new InputSource( input.getAbsolutePath() ) ) ; String resultFileName = input.getAbsolutePath().replaceAll(".xml$", ".cooked.xml" ) ; Result result = new StreamResult( new File (resultFileName) ) ; TransformerFactory tf = TransformerFactory.newInstance(); Source xsltSource = new StreamSource( new File ( COOKER_XSL ) ); xsl = tf.newTransformer( xsltSource ) ; xsl.setParameter( "srcDocumentName", input.getName() ) ; xsl.setParameter( "srcDocumentPath", input.getAbsolutePath() ) ; xsl.transform(src, result );
private static SAXParserFactory createParserFactory() throws ParserConfigurationException { if (saxParserFactory == null) { saxParserFactory = FactorySupport.createSaxParserFactory(); saxParserFactory.setNamespaceAware(true); saxParserFactory.setValidating(false); saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); } catch (Exception pce) { saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); } catch (Exception pce) { saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); } catch (Exception pce) { saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); } catch (Exception e) { saxParserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); } catch (Exception e) { saxParserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); } catch (Exception e) {
/**
 * Builds a namespace-aware, validating SAX parser that is hardened against XXE.
 *
 * <p>DOCTYPE declarations are rejected and external general entities are not
 * resolved. {@code XMLConstants.FEATURE_SECURE_PROCESSING} is deliberately not
 * enabled: doing so breaks reading of the old (version 1) suppression files.
 *
 * @param schemaStream one {@link InputStream} per XML schema the parser must be
 *        able to validate against
 * @return the configured parser, with {@code JAXP_SCHEMA_LANGUAGE} set to
 *         {@code W3C_XML_SCHEMA} and {@code schemaStream} installed as
 *         {@code JAXP_SCHEMA_SOURCE}
 * @throws ParserConfigurationException if the parser cannot be configured
 * @throws SAXNotRecognizedException if a feature or property name is not recognized
 * @throws SAXNotSupportedException if a feature or property is recognized but not supported
 * @throws SAXException on any other SAX failure while creating the parser
 */
public static SAXParser buildSecureSaxParser(InputStream... schemaStream)
        throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException, SAXException {
    final SAXParserFactory validatingFactory = SAXParserFactory.newInstance();
    validatingFactory.setNamespaceAware(true);
    validatingFactory.setValidating(true);
    validatingFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    validatingFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    // FEATURE_SECURE_PROCESSING is intentionally left off; enabling it breaks the
    // old (version 1) suppression files.
    final SAXParser parser = validatingFactory.newSAXParser();
    parser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA);
    parser.setProperty(JAXP_SCHEMA_SOURCE, schemaStream);
    return parser;
}
/**
 * Builds a non-validating SAX parser hardened against XXE and entity expansion.
 *
 * <p>DOCTYPE declarations are rejected, external general entities are not
 * resolved, and {@link XMLConstants#FEATURE_SECURE_PROCESSING} is enabled so the
 * implementation enforces its resource limits.
 *
 * @return the configured parser
 * @throws ParserConfigurationException if the parser cannot be configured
 * @throws SAXNotRecognizedException if a feature name is not recognized
 * @throws SAXNotSupportedException if a feature is recognized but not supported
 * @throws SAXException on any other SAX failure while creating the parser
 */
public static SAXParser buildSecureSaxParser()
        throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException, SAXException {
    final SAXParserFactory hardened = SAXParserFactory.newInstance();
    hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    hardened.setFeature("http://xml.org/sax/features/external-general-entities", false);
    // Xerces-specific: refuse any document that carries a DOCTYPE at all.
    hardened.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    return hardened.newSAXParser();
}
SAXParserFactory factory = get(SAXParserFactory.class); if (factory == null) { factory = SAXParserFactory.newInstance(); factory.setNamespaceAware(true); factory.setValidating(false); try { factory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true); } catch (ParserConfigurationException e) {
SAXParserFactory saxfac = SAXParserFactory.newInstance(); saxfac.setValidating(false); try { saxfac.setFeature("http://xml.org/sax/features/validation", false); saxfac.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); saxfac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); saxfac.setFeature("http://xml.org/sax/features/external-general-entities", false); saxfac.setFeature("http://xml.org/sax/features/external-parameter-entities", false); } catch (Exception e1) { e1.printStackTrace(); }
/**
 * Records the schema resource and prepares the underlying SAX parser factory for
 * validation: namespace awareness and validation are switched on, and the
 * namespace-prefixes feature is requested on a best-effort basis.
 *
 * <p>If the feature cannot be set, the failure is reported through
 * {@code LOG.unableToSetSchemaResource} and the schema resource is still recorded.
 *
 * @param schemaResource location of the schema to validate against
 */
public void setSchemaResource(String schemaResource) {
    final SAXParserFactory factory = parser.getSaxParserFactory();
    factory.setNamespaceAware(true);
    factory.setValidating(true);
    try {
        // Some JAXP providers reject this feature at factory level; treat that as non-fatal.
        factory.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
    } catch (Exception e) {
        LOG.unableToSetSchemaResource(e);
    }
    this.schemaResource = schemaResource;
}
}
/**
 * Creates a document cache sized for {@code size} documents and prepares the SAX
 * reader used to load them.
 *
 * <p>Namespace support is requested through {@code Constants.NAMESPACE_FEATURE}
 * first and falls back to {@code setNamespaceAware(true)} if the feature URI is
 * rejected. A parser-configuration failure is reported via
 * {@code BasisLibrary.runTimeError} instead of being rethrown.
 *
 * @param size       number of documents the cache can hold
 * @param dtmManager the DTM manager documents are built with
 * @throws SAXException if the SAX parser cannot be created
 */
public DocumentCache(int size, XSLTCDTMManager dtmManager) throws SAXException {
    _dtmManager = dtmManager;
    _count = 0;
    _current = 0;
    _size = size;
    _references = new Hashtable(_size + 2);
    _URIs = new String[_size];
    try {
        final SAXParserFactory factory = SAXParserFactory.newInstance();
        try {
            factory.setFeature(Constants.NAMESPACE_FEATURE, true);
        } catch (Exception featureRejected) {
            // Feature URI not accepted by this parser; the portable switch does the same job.
            factory.setNamespaceAware(true);
        }
        _parser = factory.newSAXParser();
        _reader = _parser.getXMLReader();
    } catch (ParserConfigurationException e) {
        BasisLibrary.runTimeError(BasisLibrary.NAMESPACES_SUPPORT_ERR);
    }
}
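/**
 * Parses one worksheet XML stream with a hardened SAX parser, feeding rows to an
 * {@code XlsxRowHandler}.
 *
 * <p>The sheet XML comes from a user-supplied workbook, so DOCTYPE declarations
 * are rejected and external general/parameter entities are never resolved
 * (blocks XXE and entity-expansion payloads). The stream is always closed, also
 * when parsing fails; previously it stayed open on the error path.
 *
 * @param inputStream the worksheet XML; closed by this method
 * @throws ExcelAnalysisException wrapping any parser-configuration, SAX or I/O
 *         failure (the cause carries the original stack trace)
 */
private void parseXmlSource(InputStream inputStream) {
    InputSource sheetSource = new InputSource(inputStream);
    try {
        SAXParserFactory saxFactory = SAXParserFactory.newInstance();
        saxFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader xmlReader = saxFactory.newSAXParser().getXMLReader();
        ContentHandler handler = new XlsxRowHandler(this, sharedStringsTable, analysisContext);
        xmlReader.setContentHandler(handler);
        xmlReader.parse(sheetSource);
    } catch (Exception e) {
        // No printStackTrace(): the cause is preserved in the wrapped exception.
        throw new ExcelAnalysisException(e);
    } finally {
        try {
            inputStream.close();
        } catch (java.io.IOException ignored) {
            // Best effort: a close failure must not mask the parse outcome.
        }
    }
}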
/**
 * Returns a namespace-aware {@link SAXParserFactory} whose
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} flag follows the security
 * processing property: secure unless {@code isXMLSecurityDisabled} says otherwise.
 *
 * @param disableSecureProcessing request to switch secure processing off; the
 *        effective value is decided by {@code isXMLSecurityDisabled}
 * @return the configured factory
 * @throws IllegalStateException if the JAXP implementation cannot be configured;
 *         wraps the parser-configuration or SAX feature failure, or the
 *         {@link AbstractMethodError} raised by an incompatible JAXP implementation
 */
public static SAXParserFactory createParserFactory(boolean disableSecureProcessing) throws IllegalStateException {
    try {
        final SAXParserFactory factory = SAXParserFactory.newInstance();
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory);
        }
        factory.setNamespaceAware(true);
        final boolean secureProcessing = !isXMLSecurityDisabled(disableSecureProcessing);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        return factory;
    } catch (ParserConfigurationException ex) {
        LOGGER.log(Level.SEVERE, null, ex);
        throw new IllegalStateException(ex);
    } catch (SAXNotRecognizedException ex) {
        LOGGER.log(Level.SEVERE, null, ex);
        throw new IllegalStateException(ex);
    } catch (SAXNotSupportedException ex) {
        LOGGER.log(Level.SEVERE, null, ex);
        throw new IllegalStateException(ex);
    } catch (AbstractMethodError er) {
        // Raised when the JAXP implementation on the classpath predates the
        // SAXParserFactory API this code expects.
        LOGGER.log(Level.SEVERE, null, er);
        throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
    }
}
/**
 * Builds a {@link SAXParserFactory} hardened against external-entity (XXE) and
 * entity-expansion attacks.
 *
 * <p>The returned factory has {@link XMLConstants#FEATURE_SECURE_PROCESSING} switched
 * on, which makes the implementation enforce its resource limits (e.g. on entity
 * expansion, the "XML bomb" case), and has resolution of external general entities,
 * external parameter entities and the external DTD switched off, so a document
 * cannot pull in local files or remote resources. Namespace awareness is left at the
 * implementation default.
 *
 * @return a freshly created, hardened factory
 * @throws ParserConfigurationException if no parser matching the requested
 *         configuration can be created
 * @throws SAXNotRecognizedException if the underlying XMLReader does not recognize
 *         one of the feature names
 * @throws SAXNotSupportedException if the underlying XMLReader recognizes a feature
 *         but cannot apply the requested value
 */
public static SAXParserFactory createSecureSAXParserFactory()
        throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
    final SAXParserFactory hardened = SAXParserFactory.newInstance();
    hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Two SAX-standard switches plus the Xerces-specific "load-external-dtd":
    // all three control fetching of resources outside the document itself.
    final String[] externalAccessFeatures = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    };
    for (String feature : externalAccessFeatures) {
        hardened.setFeature(feature, false);
    }
    return hardened;
}
/**
 * Records the schema resource and prepares the underlying SAX parser factory for
 * validation: namespace awareness and validation are switched on, and the
 * namespace-prefixes feature is requested on a best-effort basis.
 *
 * <p>If the feature cannot be set, the failure is reported through
 * {@code LOG.unableToSetSchemaResource} and the schema resource is still recorded.
 *
 * @param schemaResource location of the schema to validate against
 */
public void setSchemaResource(String schemaResource) {
    final SAXParserFactory factory = parser.getSaxParserFactory();
    factory.setNamespaceAware(true);
    factory.setValidating(true);
    try {
        // Some JAXP providers reject this feature at factory level; treat that as non-fatal.
        factory.setFeature("http://xml.org/sax/features/namespace-prefixes", true);
    } catch (Exception e) {
        LOG.unableToSetSchemaResource(e);
    }
    this.schemaResource = schemaResource;
}
}
/**
 * Creates and installs the parent {@link XMLReader} of this filter: a
 * namespace-aware reader obtained through JAXP, with
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} requested when the transformer
 * runs in secure-processing mode. Falls back to
 * {@link XMLReaderFactory#createXMLReader()} if JAXP yields no reader.
 *
 * @throws SAXException if the JAXP parser cannot be configured or created
 */
private void createParent() throws SAXException {
    XMLReader parent = null;
    try {
        final SAXParserFactory pfactory = SAXParserFactory.newInstance();
        pfactory.setNamespaceAware(true);
        if (_transformer.isSecureProcessing()) {
            try {
                pfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            } catch (SAXException ignored) {
                // Best effort: this parser does not support the feature; continue without it.
            }
        }
        final SAXParser saxparser = pfactory.newSAXParser();
        parent = saxparser.getXMLReader();
    } catch (ParserConfigurationException e) {
        throw new SAXException(e);
    } catch (FactoryConfigurationError e) {
        throw new SAXException(e.toString());
    }
    if (parent == null) {
        parent = XMLReaderFactory.createXMLReader();
    }
    // The reader becomes the upstream source of this filter.
    setParent(parent);
}
SAXParserFactory spf = SAXParserFactory.newInstance(); spf.setFeature("http://xml.org/sax/features/external-general-entities", false); spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(reader)); Unmarshaller unmarshaller = JAXB_CONTEXT_MAP.get(clazz).createUnmarshaller(); return (T) unmarshaller.unmarshal(xmlSource);
/**
 * Returns the lazily created, shared {@link SAXParserFactory}, configured with
 * {@code NAMESPACE_FEATURE} and {@code PREFIX_FEATURE} enabled and namespace
 * awareness switched on.
 *
 * <p>The lazy initialisation is not synchronized; concurrent first calls may
 * each create and configure a factory.
 *
 * @return the shared factory
 * @throws ParserConfigurationException if the factory cannot be configured
 * @throws SAXException if a feature is not recognized or not supported
 */
public static SAXParserFactory getSAXParserFactory() throws ParserConfigurationException, SAXException {
    if (_saxParserFactory != null) {
        return _saxParserFactory;
    }
    _saxParserFactory = SAXParserFactory.newInstance();
    final SAXParserFactory created = _saxParserFactory;
    created.setFeature(NAMESPACE_FEATURE, true);
    created.setFeature(PREFIX_FEATURE, true);
    created.setNamespaceAware(true);
    return created;
}