/**
 * Builds a StAX input factory with DTD processing and external entity resolution
 * switched off, so a DOCTYPE in the input cannot cause a fetch of external resources.
 *
 * See <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet">OWASP XXE Cheat Sheet</a>
 *
 * @return a freshly created, hardened {@link XMLInputFactory}
 */
private static XMLInputFactory createXmlInputFactory() {
    final XMLInputFactory hardened = XMLInputFactory.newInstance();
    // Rejecting DTDs altogether also rules out internal-subset entity declarations.
    hardened.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    hardened.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    return hardened;
}
/**
 * Creates the StaxMate input factory used by this class.
 * Coalescing is on, namespaces and validation are off, and DTD support is
 * disabled so a DOCTYPE in the input never triggers a DTD load.
 *
 * @return a new {@code SMInputFactory} wrapping the configured StAX factory
 */
private static SMInputFactory initStax() {
    final XMLInputFactory stax = XMLInputFactory.newInstance();
    stax.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
    stax.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.FALSE);
    // Disabling DTD support means a DOCTYPE cannot pull in a DTD.
    stax.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    stax.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
    return new SMInputFactory(stax);
}
/**
 * Builds the StaxMate factory: coalescing text, no namespace handling, no
 * validation, and no DTD processing (so a DOCTYPE is never resolved).
 *
 * @return a new {@code SMInputFactory} over the configured StAX factory
 */
private static SMInputFactory initStax() {
    final XMLInputFactory underlying = XMLInputFactory.newInstance();
    underlying.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
    underlying.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.FALSE);
    underlying.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
    // Keeps the parser from loading a DTD when the document carries a DOCTYPE.
    underlying.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    return new SMInputFactory(underlying);
}
/**
 * Configures a StAX factory for StaxMate use: coalescing on, namespaces off,
 * validation off, DTD support off (a DOCTYPE will not cause a DTD load).
 *
 * @return a new {@code SMInputFactory}
 */
private static SMInputFactory initStax() {
    final XMLInputFactory cfg = XMLInputFactory.newInstance();
    cfg.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
    cfg.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.FALSE);
    // No DTD processing: nothing is fetched for a DOCTYPE declaration.
    cfg.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    cfg.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
    return new SMInputFactory(cfg);
}
/**
 * Returns a StAX input factory hardened against XXE: DTD processing and
 * external entity resolution are both disabled.
 *
 * @return a new {@link XMLInputFactory} with DTDs and external entities off
 */
public static XMLInputFactory createXmlInputFactory() {
    final XMLInputFactory factory = XMLInputFactory.newInstance();
    // Both switches are needed: DTDs declare entities, external entities resolve them.
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    return factory;
}
}
/**
 * Creates the StAX input factory used for parsing, with external entity
 * resolution turned off.
 *
 * NOTE(review): only {@code IS_SUPPORTING_EXTERNAL_ENTITIES} is set here;
 * {@code SUPPORT_DTD} is left at the implementation default, so DTD
 * processing (and internal entity declarations) may still be enabled —
 * confirm whether the input can be untrusted.
 *
 * @return a new {@link XMLInputFactory}
 * @since 1.4
 */
protected XMLInputFactory createInputFactory() {
    final XMLInputFactory created = XMLInputFactory.newInstance();
    created.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    return created;
}
/**
 * Supplies a StAX factory that replaces entity references with their values.
 *
 * NOTE(review): DTD support and external entity resolution are not set here
 * and stay at the implementation defaults; with entity replacement on, this
 * factory is only appropriate for trusted input — confirm the caller's context.
 *
 * @return a new {@link XMLInputFactory} with entity-reference replacement enabled
 */
@Override
protected XMLInputFactory createXmlInputFactory() {
    final XMLInputFactory factory = XMLInputFactory.newInstance();
    factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
    return factory;
}
};
/**
 * Provides a StAX input factory. Unless XML security has been disabled
 * (see {@code isXmlSecurityDisabled()}), entity-reference replacement is
 * switched off.
 *
 * NOTE(review): neither {@code SUPPORT_DTD} nor
 * {@code IS_SUPPORTING_EXTERNAL_ENTITIES} is set in either branch, so those
 * remain at the implementation defaults — verify that is intended.
 *
 * @return a new {@link XMLInputFactory}
 */
@Override
public XMLInputFactory get() {
    final XMLInputFactory factory = XMLInputFactory.newInstance();
    final boolean securityEnabled = !isXmlSecurityDisabled();
    if (securityEnabled) {
        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
    }
    return factory;
}
}
/**
 * Creates a StAX input factory hardened against entity-based attacks.
 * 'safe' is here reflecting:
 * http://activiti.org/userguide/index.html#advanced.safe.bpmn.xml
 *
 * Each property is only set when the underlying implementation reports
 * support for it, so the method does not fail on a minimal StAX provider.
 *
 * @return a new {@link XMLInputFactory} with entity replacement, external
 *         entities and DTD support disabled where supported
 */
public static XMLInputFactory createSafeXmlInputFactory() {
    final XMLInputFactory factory = XMLInputFactory.newInstance();
    disableIfSupported(factory, XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES);
    disableIfSupported(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES);
    disableIfSupported(factory, XMLInputFactory.SUPPORT_DTD);
    return factory;
}

/** Sets {@code property} to {@code false} when the factory supports it; otherwise leaves it alone. */
private static void disableIfSupported(XMLInputFactory factory, String property) {
    if (factory.isPropertySupported(property)) {
        factory.setProperty(property, Boolean.FALSE);
    }
}
}
/**
 * Wraps the request body in a StAX {@link StAXSource}, applying this
 * converter's DTD and external-entity settings to the reader. When external
 * entities are off, a no-op resolver is installed as well so nothing is
 * fetched even if an implementation ignores the property.
 *
 * @param body the raw request body
 * @param inputMessage the HTTP message, attached to any read failure
 * @return a {@link StAXSource} over the body
 * @throws HttpMessageNotReadableException if the StAX reader cannot be created
 */
private Source readStAXSource(InputStream body, HttpInputMessage inputMessage) {
    try {
        final XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, isSupportDtd());
        final boolean externalEntities = isProcessExternalEntities();
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, externalEntities);
        if (!externalEntities) {
            // Belt and braces: resolve nothing even if the provider disregards the flag.
            factory.setXMLResolver(NO_OP_XML_RESOLVER);
        }
        return new StAXSource(factory.createXMLStreamReader(body));
    }
    catch (XMLStreamException ex) {
        throw new HttpMessageNotReadableException(
                "Could not parse document: " + ex.getMessage(), ex, inputMessage);
    }
}
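/**
 * Entry point: opens {@code tmp_adj.xml} from the working directory with a
 * StAX factory that has external entities and DTD support disabled, hands the
 * stream reader to {@code combineAdjacent}, and prints "Done". Any failure is
 * printed to stderr, as before.
 *
 * @param args ignored
 * @throws Exception kept for signature compatibility; failures inside the
 *         body are caught and printed instead
 */
public static void main(String[] args) throws Exception {
    try {
        XMLInputFactory inputFactory = XMLInputFactory.newInstance();
        inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // a DTD is merely ignored, its presence doesn't cause an exception
        inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // try-with-resources: the original left the FileInputStream open on every path.
        try (FileInputStream in = new FileInputStream(new File("tmp_adj.xml"))) {
            combineAdjacent(inputFactory.createXMLStreamReader(in));
            System.out.println("Done");
        }
    } catch (Exception exc) {
        exc.printStackTrace();
    }
}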
/**
 * Loads rules by reading the XML input stream. The reader is not closed by the method, so it
 * should be handled by the caller.
 *
 * The StAX factory is configured with coalescing on, namespaces and validation off, and DTD
 * support off so a DOCTYPE in the rules file never triggers a DTD load.
 *
 * @param repo the repository receiving each parsed rule
 * @param reader the XML source; left open on return
 * @throws IllegalStateException if the XML cannot be parsed
 * @since 4.3
 */
public void load(RulesDefinition.NewRepository repo, Reader reader) {
    final XMLInputFactory stax = XMLInputFactory.newInstance();
    stax.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
    stax.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.FALSE);
    // No DTD processing, so a DOCTYPE cannot pull in a DTD.
    stax.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    stax.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
    final SMInputFactory staxMate = new SMInputFactory(stax);
    try {
        final SMHierarchicCursor root = staxMate.rootElementCursor(reader);
        root.advance(); // positioned on <rules>
        final SMInputCursor ruleCursor = root.childElementCursor("rule");
        for (SMEvent next = ruleCursor.getNext(); next != null; next = ruleCursor.getNext()) {
            processRule(repo, ruleCursor); // one <rule> element
        }
    } catch (XMLStreamException e) {
        throw new IllegalStateException("XML is not valid", e);
    }
}
/**
 * Stax parser for a given stream handler, with ISO control character awareness switched on or off.
 * When enabled, ISO control characters in the XML file are replaced by plain spaces, which is useful
 * for potentially bogus XML files; this has a small performance overhead, so use it only when necessary.
 *
 * NOTE(review): {@code IS_SUPPORTING_EXTERNAL_ENTITIES} is not set explicitly here; with
 * {@code SUPPORT_DTD} off no entities can be declared, but confirm this against the provider in use.
 *
 * @param streamHandler the xml stream handler
 * @param isoControlCharsAwareParser true or false
 */
public StaxParser(XmlStreamHandler streamHandler, boolean isoControlCharsAwareParser) {
    this.streamHandler = streamHandler;
    this.isoControlCharsAwareParser = isoControlCharsAwareParser;
    final XMLInputFactory factory = XMLInputFactory.newInstance();
    if (factory instanceof WstxInputFactory) {
        final WstxInputFactory woodstox = (WstxInputFactory) factory;
        woodstox.configureForLowMemUsage();
        // Undeclared entities are handed to the project's own resolver rather than the default handling.
        woodstox.getConfig().setUndeclaredEntityResolver(new UndeclaredEntitiesXMLResolver());
    }
    factory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    factory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.FALSE);
    inf = new SMInputFactory(factory);
}
/**
 * Builds a {@link StAXSource} over the request body using this converter's
 * DTD and external-entity settings. A no-op resolver is installed whenever
 * external entities are disabled, as a second line of defence.
 *
 * @param body the raw request body
 * @param inputMessage the HTTP message, attached to any read failure
 * @return a {@link StAXSource} over the body
 * @throws HttpMessageNotReadableException if the StAX reader cannot be created
 */
private Source readStAXSource(InputStream body, HttpInputMessage inputMessage) {
    try {
        final XMLInputFactory stax = XMLInputFactory.newInstance();
        stax.setProperty(XMLInputFactory.SUPPORT_DTD, isSupportDtd());
        final boolean allowExternalEntities = isProcessExternalEntities();
        stax.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, allowExternalEntities);
        if (!allowExternalEntities) {
            stax.setXMLResolver(NO_OP_XML_RESOLVER);
        }
        final XMLStreamReader reader = stax.createXMLStreamReader(body);
        return new StAXSource(reader);
    }
    catch (XMLStreamException ex) {
        final String message = "Could not parse document: " + ex.getMessage();
        throw new HttpMessageNotReadableException(message, ex, inputMessage);
    }
}
/**
 * Parses a rules XML document into a list of {@link Rule} objects.
 *
 * The StAX factory has coalescing on, namespaces and validation off, and DTD
 * support off so a DOCTYPE in the input never causes a DTD load. The reader is
 * not closed here.
 *
 * @param reader the XML source
 * @return the rules found under the root element, in document order
 * @throws SonarException if the XML cannot be parsed
 */
public List<Rule> parse(Reader reader) {
    final XMLInputFactory stax = XMLInputFactory.newInstance();
    stax.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
    stax.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.FALSE);
    // DTD processing off: a DOCTYPE is not resolved.
    stax.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    stax.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
    final SMInputFactory staxMate = new SMInputFactory(stax);
    final List<Rule> rules = new ArrayList<>();
    try {
        final SMHierarchicCursor root = staxMate.rootElementCursor(reader);
        root.advance(); // positioned on <rules>
        final SMInputCursor ruleCursor = root.childElementCursor("rule");
        while (ruleCursor.getNext() != null) {
            // one <rule> element; the rule is added before it is populated, as before
            final Rule rule = Rule.create();
            rules.add(rule);
            processRule(rule, ruleCursor);
        }
    } catch (XMLStreamException e) {
        throw new SonarException("XML is not valid", e);
    }
    return rules;
}
// StAX factory hardened per the OWASP XXE guidance: no external entities, no DTD processing.
XMLInputFactory xif = XMLInputFactory.newInstance();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
// a DTD is merely ignored, its presence doesn't cause an exception
xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
XMLStreamReader xsr = xif.createXMLStreamReader(is);
// Build a stream reader that resolves no external entities and skips DTD processing.
XMLInputFactory xif = XMLInputFactory.newInstance();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
// a DTD is merely ignored, its presence doesn't cause an exception
xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
XMLStreamReader xsr = xif.createXMLStreamReader(is);
// XXE-safe factory: external entities off, DTD support off.
XMLInputFactory xif = XMLInputFactory.newInstance();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
// a DTD is merely ignored, its presence doesn't cause an exception
xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
XMLStreamReader xsr = xif.createXMLStreamReader(is);
// Hardened StAX setup before reading from `is`: no external entity resolution, no DTDs.
XMLInputFactory xif = XMLInputFactory.newInstance();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
// a DTD is merely ignored, its presence doesn't cause an exception
xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
XMLStreamReader xsr = xif.createXMLStreamReader(is);
try { final XMLInputFactory factory = XMLInputFactory.newInstance(); factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); // disable DTDs entirely for that factory factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // disable external entities final XMLStreamReader xmlReader; if (charEncoding != null) {