/**
 * Creates a W3C XML Schema {@link SchemaFactory} with both JAXP external-access properties set to
 * {@code "all"}.
 *
 * <p>{@code "all"} places no protocol restriction on DTDs or on schemas referenced via
 * import/include/{@code schemaLocation}, so the parser may fetch them from any location it can reach.
 * NOTE(review): that is only appropriate when every schema compiled by this factory is trusted;
 * for schemas supplied by other parties an empty string (deny) or a narrow protocol list is the
 * restrictive setting. Confirm which case applies here.
 *
 * <p>A failure while applying the properties is logged and the factory is returned anyway.
 *
 * @return the configured factory
 */
private static SchemaFactory buildSchemaFactory() {
    final SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    try {
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "all");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "all");
    } catch (Exception configurationFailure) {
        // Both setters share one try: if the first throws, the second is never attempted.
        new MockServerLogger(XmlSchemaValidator.class).error("exception configuring schema factory", configurationFailure);
    }
    return factory;
}
/**
 * Applies {@code value} to the JAXP {@code ACCESS_EXTERNAL_SCHEMA} property of the given factory.
 *
 * <p>Despite the method name, the effect depends entirely on {@code value}: the property takes a
 * protocol list, where an empty string denies all external schema access and {@code "all"} permits
 * every protocol.
 *
 * <p>The property is left untouched in two cases: when {@code isXMLSecurityDisabled} reports that
 * secure processing is off, and when the {@code javax.xml.accessExternalSchema} system property is
 * set (the JVM-wide setting is not overridden). If the factory rejects the property, the failure is
 * logged at {@code CONFIG} level only and the factory is returned without the restriction, so a
 * caller that relies on it must check support separately.
 *
 * @param sf the factory to configure
 * @param value protocol list to apply
 * @param disableSecureProcessing passed through to {@code isXMLSecurityDisabled}
 * @return the same factory instance, configured or not
 */
public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
    if (isXMLSecurityDisabled(disableSecureProcessing)) {
        // Secure processing is off: no restriction is applied at all.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
        }
    } else if (System.getProperty("javax.xml.accessExternalSchema") != null) {
        // An explicit system-level setting exists; leave it in charge.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
        }
    } else {
        try {
            sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA));
            }
        } catch (SAXException unsupported) {
            // Older JDKs and some SAX implementations do not know this property; log and continue.
            if (LOGGER.isLoggable(Level.CONFIG)) {
                LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), unsupported);
            }
        }
    }
    return sf;
}
/**
 * Applies {@code value} to the JAXP {@code ACCESS_EXTERNAL_DTD} property of the given factory.
 *
 * <p>Despite the method name, the effect depends entirely on {@code value}: the property takes a
 * protocol list, where an empty string denies all external DTD access and {@code "all"} permits
 * every protocol.
 *
 * <p>The property is left untouched in two cases: when {@code isXMLSecurityDisabled} reports that
 * secure processing is off, and when the {@code javax.xml.accessExternalDTD} system property is set
 * (the JVM-wide setting is not overridden). If the factory rejects the property, the failure is
 * logged at {@code CONFIG} level only and the factory is returned without the restriction, so a
 * caller that relies on it must check support separately.
 *
 * @param sf the factory to configure
 * @param value protocol list to apply
 * @param disableSecureProcessing passed through to {@code isXMLSecurityDisabled}
 * @return the same factory instance, configured or not
 */
public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
    if (isXMLSecurityDisabled(disableSecureProcessing)) {
        // Secure processing is off: no restriction is applied at all.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
        }
    } else if (System.getProperty("javax.xml.accessExternalDTD") != null) {
        // An explicit system-level setting exists; leave it in charge.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
        }
    } else {
        try {
            sf.setProperty(ACCESS_EXTERNAL_DTD, value);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD));
            }
        } catch (SAXException unsupported) {
            // Older JDKs and some SAX implementations do not know this property; log and continue.
            if (LOGGER.isLoggable(Level.CONFIG)) {
                LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), unsupported);
            }
        }
    }
    return sf;
}
/**
 * Applies {@code value} to the JAXP {@code ACCESS_EXTERNAL_DTD} property of the given factory.
 *
 * <p>Despite the method name, the effect depends entirely on {@code value}: the property takes a
 * protocol list, where an empty string denies all external DTD access and {@code "all"} permits
 * every protocol.
 *
 * <p>The property is left untouched in two cases: when {@code isXMLSecurityDisabled} reports that
 * secure processing is off, and when the {@code javax.xml.accessExternalDTD} system property is set
 * (the JVM-wide setting is not overridden). If the factory rejects the property, the failure is
 * logged at {@code CONFIG} level only and the factory is returned without the restriction, so a
 * caller that relies on it must check support separately.
 *
 * @param sf the factory to configure
 * @param value protocol list to apply
 * @param disableSecureProcessing passed through to {@code isXMLSecurityDisabled}
 * @return the same factory instance, configured or not
 */
public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
    if (isXMLSecurityDisabled(disableSecureProcessing)) {
        // Secure processing is off: no restriction is applied at all.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
        }
    } else if (System.getProperty("javax.xml.accessExternalDTD") != null) {
        // An explicit system-level setting exists; leave it in charge.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
        }
    } else {
        try {
            sf.setProperty(ACCESS_EXTERNAL_DTD, value);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD));
            }
        } catch (SAXException unsupported) {
            // Older JDKs and some SAX implementations do not know this property; log and continue.
            if (LOGGER.isLoggable(Level.CONFIG)) {
                LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), unsupported);
            }
        }
    }
    return sf;
}
/**
 * Applies {@code value} to the JAXP {@code ACCESS_EXTERNAL_SCHEMA} property of the given factory.
 *
 * <p>Despite the method name, the effect depends entirely on {@code value}: the property takes a
 * protocol list, where an empty string denies all external schema access and {@code "all"} permits
 * every protocol.
 *
 * <p>The property is left untouched in two cases: when {@code isXMLSecurityDisabled} reports that
 * secure processing is off, and when the {@code javax.xml.accessExternalSchema} system property is
 * set (the JVM-wide setting is not overridden). If the factory rejects the property, the failure is
 * logged at {@code CONFIG} level only and the factory is returned without the restriction, so a
 * caller that relies on it must check support separately.
 *
 * @param sf the factory to configure
 * @param value protocol list to apply
 * @param disableSecureProcessing passed through to {@code isXMLSecurityDisabled}
 * @return the same factory instance, configured or not
 */
public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
    if (isXMLSecurityDisabled(disableSecureProcessing)) {
        // Secure processing is off: no restriction is applied at all.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
        }
    } else if (System.getProperty("javax.xml.accessExternalSchema") != null) {
        // An explicit system-level setting exists; leave it in charge.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
        }
    } else {
        try {
            sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA));
            }
        } catch (SAXException unsupported) {
            // Older JDKs and some SAX implementations do not know this property; log and continue.
            if (LOGGER.isLoggable(Level.CONFIG)) {
                LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), unsupported);
            }
        }
    }
    return sf;
}
/**
 * Returns the compiled {@link Schema} for the given version and schema name, compiling and caching
 * it on first use.
 *
 * <p>Lookup, compilation and insertion all happen while holding the monitor of
 * {@code myKeyToSchema}. Before compiling, external DTD access is denied on the factory (empty
 * protocol list) as an XXE countermeasure. If the factory does not recognise that property, only a
 * warning is logged and the schema is compiled without the restriction.
 *
 * @param theVersion version label, used only as part of the cache key
 * @param theSchemaName name of the schema resource to load
 * @return the cached or newly compiled schema
 * @throws ConfigurationException if the schema cannot be loaded or parsed
 */
private Schema loadSchema(String theVersion, String theSchemaName) {
    final String cacheKey = theVersion + "-" + theSchemaName;

    synchronized (myKeyToSchema) {
        Schema compiled = myKeyToSchema.get(cacheKey);
        if (compiled == null) {
            Source schemaSource = loadXml(null, theSchemaName);
            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            factory.setResourceResolver(new MyResourceResolver());
            try {
                try {
                    /*
                     * See https://github.com/jamesagnew/hapi-fhir/issues/339
                     * https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
                     */
                    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                } catch (SAXNotRecognizedException notRecognized) {
                    // Pre-JAXP-1.5 parser: the restriction cannot be applied, compilation continues.
                    ourLog.warn("Jaxp 1.5 Support not found.", notRecognized);
                }
                compiled = factory.newSchema(new Source[] { schemaSource });
            } catch (SAXException parseFailure) {
                throw new ConfigurationException("Could not load/parse schema file: " + theSchemaName, parseFailure);
            }
            myKeyToSchema.put(cacheKey, compiled);
        }
        return compiled;
    }
}
/**
 * Replays a mocked {@code setProperty(name, value)} call on the real object held in
 * {@code propertySetter}.
 *
 * <p>Supported targets are {@link SchemaFactory}, {@link Validator} and {@link TransformerFactory}
 * (the latter through {@code setAttribute}). Any exception, including the one raised for an
 * unsupported target type, is stored in {@code exception} instead of being thrown, so it can be
 * inspected after the call.
 *
 * @param invocation the intercepted call; argument 0 is the property name, argument 1 its value
 * @return always {@code null}
 */
@Override
public Void answer(InvocationOnMock invocation) {
    Object[] arguments = invocation.getArguments();
    String name = (String) arguments[0];
    Object value = arguments[1];
    try {
        if (propertySetter instanceof SchemaFactory) {
            SchemaFactory target = (SchemaFactory) propertySetter;
            target.setProperty(name, value);
        } else if (propertySetter instanceof Validator) {
            Validator target = (Validator) propertySetter;
            target.setProperty(name, value);
        } else if (propertySetter instanceof TransformerFactory) {
            TransformerFactory target = (TransformerFactory) propertySetter;
            target.setAttribute(name, value);
        } else {
            throw new IllegalArgumentException("Invalid property setter.");
        }
    } catch (Exception failure) {
        exception = failure;
    }
    return null;
}
}
/**
 * Checks that {@code configureSchemaFactory} sets every property listed in
 * {@code SCHEMA_FACTORY_PROPERTIES} to the empty string and that the real factory accepts each one.
 *
 * <p>The wrapper mock forwards each {@code setProperty} call to the real {@code schemaFactory}
 * through {@code SetPropertyAnswer}; a rejected property would surface as a non-null
 * {@code exception} on the answer.
 */
@Test
public void schemaFactoryProperties() throws Exception {
    SetPropertyAnswer forwardingAnswer = new SetPropertyAnswer(schemaFactory);
    doAnswer(forwardingAnswer).when(schemaFactoryWrapper).setProperty(anyString(), anyObject());

    defaultXMLSecureFactories.configureSchemaFactory(schemaFactoryWrapper);

    // The real factory must have accepted every property it was handed.
    assertThat(forwardingAnswer.exception, is(nullValue()));
    for (String expectedProperty : SCHEMA_FACTORY_PROPERTIES) {
        verify(schemaFactoryWrapper).setProperty(expectedProperty, "");
    }
}
/**
 * Passes the property straight through to the wrapped {@code actual} object.
 *
 * <p>No validation or filtering happens here: the name and value reach the delegate unchanged, and
 * whatever it throws propagates to the caller.
 *
 * @param name property name
 * @param object property value
 * @throws SAXNotRecognizedException if the delegate does not recognise the property name
 * @throws SAXNotSupportedException if the delegate recognises the name but cannot apply the value
 */
public void setProperty(String name, Object object)
        throws SAXNotRecognizedException, SAXNotSupportedException {
    actual.setProperty(name, object);
}
// Saxon-specific property name (not one of the JAXP XMLConstants): requests XSD 1.1 processing.
// A SchemaFactory implementation that does not know this name is expected to reject it with
// SAXNotRecognizedException, so the call only makes sense when Saxon provides the factory.
// Written as shorthand: setProperty is an instance method and is called on a SchemaFactory object.
SchemaFactory.setProperty("http://saxon.sf.net/feature/xsd-version", "1.1")
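/**
 * Denies external schema and external DTD access on the given factory when both
 * {@code externalEntities} and {@code expandEntities} are false; otherwise leaves it untouched.
 *
 * <p>Both properties are set to the empty string, which is the JAXP value for "no protocol
 * allowed". If the factory rejects a property, a configuration warning is logged and the factory is
 * left as it is, so a warning from this method means the restriction may be missing.
 *
 * @param factory the {@link SchemaFactory} to configure
 */
public void configureSchemaFactory(SchemaFactory factory) {
    if (!externalEntities && !expandEntities) {
        try {
            // ACCESS_EXTERNAL_STYLESHEET belongs to TransformerFactory. On a SchemaFactory the
            // matching restriction is ACCESS_EXTERNAL_SCHEMA; a factory that does not recognise the
            // stylesheet property throws before the DTD line is reached, leaving both unset.
            factory.setProperty(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            factory.setProperty(ACCESS_EXTERNAL_DTD, "");
        } catch (Exception e) {
            logConfigurationWarning("SchemaFactory", factory.getClass().getName(), e);
        }
    }
}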
/**
 * Denies external access through {@link XMLConstants#ACCESS_EXTERNAL_SCHEMA} and
 * {@link XMLConstants#ACCESS_EXTERNAL_DTD} if {@link DefaultXMLSecureFactories#externalEntities}
 * and {@link DefaultXMLSecureFactories#expandEntities} are both false.
 *
 * <p>Each property is set to the empty string (no protocol allowed). If the factory rejects a
 * property, a configuration warning is logged and any property not yet applied stays unset.
 *
 * @param factory the {@link SchemaFactory} to configure.
 * @see SchemaFactory#setProperty(String, Object)
 */
public void configureSchemaFactory(SchemaFactory factory) {
    if (externalEntities || expandEntities) {
        // At least one entity feature is enabled: the factory keeps its current settings.
        return;
    }
    try {
        factory.setProperty(ACCESS_EXTERNAL_SCHEMA, "");
        factory.setProperty(ACCESS_EXTERNAL_DTD, "");
    } catch (Exception configurationFailure) {
        logConfigurationWarning(SchemaFactory.class.getName(), factory.getClass().getName(), configurationFailure);
    }
}
/**
 * Picks the {@link SchemaFactory} to use, in this order: the installed factory, a class named by
 * the {@code SCHEMA_FACTORY} system property, or the JAXP default for W3C XML Schema.
 *
 * <p>The class named by the system property is loaded and instantiated reflectively, so whoever
 * controls the JVM's system properties decides which implementation runs.
 *
 * <p>On the default factory the Apache Xerces {@code security-manager} property is set to
 * {@code null}. NOTE(review): in Xerces that object carries the processing limits (such as the
 * entity-expansion limit), so clearing it presumably removes them for schemas compiled here; confirm
 * this is acceptable for the schemas this factory handles. A factory that rejects the property is
 * returned unchanged.
 *
 * @return the factory to use
 * @throws IllegalStateException if the configured class cannot be instantiated
 */
private SchemaFactory newSchemaFactory() {
    if (installedSchemaFactory != null) {
        return installedSchemaFactory;
    }

    final String configuredClassName = System.getProperty(SCHEMA_FACTORY);
    if (configuredClassName != null) {
        try {
            return (SchemaFactory) ClassUtil.forName(configuredClassName, getClass()).newInstance();
        } catch (Exception e) {
            throw new IllegalStateException("Failed to create an instance of SchemaFactory '" + configuredClassName + "'.", e);
        }
    }

    SchemaFactory defaultFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    try {
        defaultFactory.setProperty("http://apache.org/xml/properties/security-manager", null);
    } catch (SAXException ignored) {
        // Deliberately ignored: the property is implementation-specific and may not be supported.
    }
    return defaultFactory;
}
}
/**
 * Picks the {@link SchemaFactory} to use, in this order: the installed factory, a class named by
 * the {@code SCHEMA_FACTORY} system property, or the JAXP default for W3C XML Schema.
 *
 * <p>The class named by the system property is loaded and instantiated reflectively, so whoever
 * controls the JVM's system properties decides which implementation runs.
 *
 * <p>On the default factory the Apache Xerces {@code security-manager} property is set to
 * {@code null}. NOTE(review): in Xerces that object carries the processing limits (such as the
 * entity-expansion limit), so clearing it presumably removes them for schemas compiled here; confirm
 * this is acceptable for the schemas this factory handles. A factory that rejects the property is
 * returned unchanged.
 *
 * @return the factory to use
 * @throws IllegalStateException if the configured class cannot be instantiated
 */
private SchemaFactory newSchemaFactory() {
    if (installedSchemaFactory != null) {
        return installedSchemaFactory;
    }

    final String configuredClassName = System.getProperty(SCHEMA_FACTORY);
    if (configuredClassName != null) {
        try {
            return (SchemaFactory) ClassUtil.forName(configuredClassName, getClass()).newInstance();
        } catch (Exception e) {
            throw new IllegalStateException("Failed to create an instance of SchemaFactory '" + configuredClassName + "'.", e);
        }
    }

    SchemaFactory defaultFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    try {
        defaultFactory.setProperty("http://apache.org/xml/properties/security-manager", null);
    } catch (SAXException ignored) {
        // Deliberately ignored: the property is implementation-specific and may not be supported.
    }
    return defaultFactory;
}
}
/**
 * Compiles one {@link Schema} from the XSDs found in jars plus any additional schema locations.
 *
 * <p>The factory runs with secure processing enabled and with external schema access limited to
 * the {@code file} protocol, so imports and includes cannot be fetched over the network by the
 * factory itself. Every input is first parsed into a DOM through {@code docBuilder}.
 * NOTE(review): the hardening of {@code docBuilder} is not visible here; its DTD and
 * external-entity settings need to be checked separately, because that parser reads the raw bytes.
 *
 * @param xsdsInJar schema inputs located in jars; each is read via its byte stream
 * @param schemas additional schema URIs, may be {@code null}
 * @return the compiled schema
 * @throws SAXException if parsing or schema compilation fails
 * @throws IOException if an input cannot be read
 */
private Schema createSchema(List<InputSource> xsdsInJar, String[] schemas) throws SAXException, IOException {
    SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file");
    factory.setResourceResolver(new SchemaResourceResolver());

    List<Source> schemaSources = new ArrayList<>();
    for (InputSource jarXsd : xsdsInJar) {
        Message loaded = new Message("CREATE_SCHEMA_LOADED_FROM_JAR", LOG, jarXsd.getSystemId());
        LOG.log(Level.FINE, loaded.toString());
        Document parsed = docBuilder.parse(jarXsd.getByteStream());
        DOMSource domSource = new DOMSource(parsed, jarXsd.getSystemId());
        domSource.setSystemId(jarXsd.getSystemId());
        schemaSources.add(domSource);
    }
    if (schemas != null) {
        for (String schemaUri : schemas) {
            schemaSources.add(new DOMSource(docBuilder.parse(schemaUri), schemaUri));
        }
    }
    return factory.newSchema(schemaSources.toArray(new Source[0]));
}
/**
 * Applies {@code value} to the JAXP {@code ACCESS_EXTERNAL_DTD} property of the given factory.
 *
 * <p>Despite the method name, the effect depends entirely on {@code value}: the property takes a
 * protocol list, where an empty string denies all external DTD access and {@code "all"} permits
 * every protocol.
 *
 * <p>The property is left untouched in two cases: when {@code isXMLSecurityDisabled} reports that
 * secure processing is off, and when the {@code javax.xml.accessExternalDTD} system property is set
 * (the JVM-wide setting is not overridden). If the factory rejects the property, the failure is
 * logged at {@code CONFIG} level only and the factory is returned without the restriction, so a
 * caller that relies on it must check support separately.
 *
 * @param sf the factory to configure
 * @param value protocol list to apply
 * @param disableSecureProcessing passed through to {@code isXMLSecurityDisabled}
 * @return the same factory instance, configured or not
 */
public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
    if (isXMLSecurityDisabled(disableSecureProcessing)) {
        // Secure processing is off: no restriction is applied at all.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
        }
    } else if (System.getProperty("javax.xml.accessExternalDTD") != null) {
        // An explicit system-level setting exists; leave it in charge.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
        }
    } else {
        try {
            sf.setProperty(ACCESS_EXTERNAL_DTD, value);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD));
            }
        } catch (SAXException unsupported) {
            // Older JDKs and some SAX implementations do not know this property; log and continue.
            if (LOGGER.isLoggable(Level.CONFIG)) {
                LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), unsupported);
            }
        }
    }
    return sf;
}
/**
 * Applies {@code value} to the JAXP {@code ACCESS_EXTERNAL_SCHEMA} property of the given factory.
 *
 * <p>Despite the method name, the effect depends entirely on {@code value}: the property takes a
 * protocol list, where an empty string denies all external schema access and {@code "all"} permits
 * every protocol.
 *
 * <p>The property is left untouched in two cases: when {@code isXMLSecurityDisabled} reports that
 * secure processing is off, and when the {@code javax.xml.accessExternalSchema} system property is
 * set (the JVM-wide setting is not overridden). If the factory rejects the property, the failure is
 * logged at {@code CONFIG} level only and the factory is returned without the restriction, so a
 * caller that relies on it must check support separately.
 *
 * @param sf the factory to configure
 * @param value protocol list to apply
 * @param disableSecureProcessing passed through to {@code isXMLSecurityDisabled}
 * @return the same factory instance, configured or not
 */
public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
    if (isXMLSecurityDisabled(disableSecureProcessing)) {
        // Secure processing is off: no restriction is applied at all.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
        }
    } else if (System.getProperty("javax.xml.accessExternalSchema") != null) {
        // An explicit system-level setting exists; leave it in charge.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
        }
    } else {
        try {
            sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA));
            }
        } catch (SAXException unsupported) {
            // Older JDKs and some SAX implementations do not know this property; log and continue.
            if (LOGGER.isLoggable(Level.CONFIG)) {
                LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), unsupported);
            }
        }
    }
    return sf;
}
/**
 * Applies {@code value} to the JAXP {@code ACCESS_EXTERNAL_DTD} property of the given factory.
 *
 * <p>Despite the method name, the effect depends entirely on {@code value}: the property takes a
 * protocol list, where an empty string denies all external DTD access and {@code "all"} permits
 * every protocol.
 *
 * <p>The property is left untouched in two cases: when {@code isXMLSecurityDisabled} reports that
 * secure processing is off, and when the {@code javax.xml.accessExternalDTD} system property is set
 * (the JVM-wide setting is not overridden). If the factory rejects the property, the failure is
 * logged at {@code CONFIG} level only and the factory is returned without the restriction, so a
 * caller that relies on it must check support separately.
 *
 * @param sf the factory to configure
 * @param value protocol list to apply
 * @param disableSecureProcessing passed through to {@code isXMLSecurityDisabled}
 * @return the same factory instance, configured or not
 */
public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
    if (isXMLSecurityDisabled(disableSecureProcessing)) {
        // Secure processing is off: no restriction is applied at all.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
        }
    } else if (System.getProperty("javax.xml.accessExternalDTD") != null) {
        // An explicit system-level setting exists; leave it in charge.
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
        }
    } else {
        try {
            sf.setProperty(ACCESS_EXTERNAL_DTD, value);
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD));
            }
        } catch (SAXException unsupported) {
            // Older JDKs and some SAX implementations do not know this property; log and continue.
            if (LOGGER.isLoggable(Level.CONFIG)) {
                LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), unsupported);
            }
        }
    }
    return sf;
}
/**
 * Replays a mocked {@code setProperty(name, value)} call on the real object held in
 * {@code propertySetter}.
 *
 * <p>Supported targets are {@link SchemaFactory}, {@link Validator} and {@link TransformerFactory}
 * (the latter through {@code setAttribute}). Any exception, including the one raised for an
 * unsupported target type, is stored in {@code exception} instead of being thrown, so it can be
 * inspected after the call.
 *
 * @param invocation the intercepted call; argument 0 is the property name, argument 1 its value
 * @return always {@code null}
 */
@Override
public Void answer(InvocationOnMock invocation) {
    Object[] arguments = invocation.getArguments();
    String name = (String) arguments[0];
    Object value = arguments[1];
    try {
        if (propertySetter instanceof SchemaFactory) {
            SchemaFactory target = (SchemaFactory) propertySetter;
            target.setProperty(name, value);
        } else if (propertySetter instanceof Validator) {
            Validator target = (Validator) propertySetter;
            target.setProperty(name, value);
        } else if (propertySetter instanceof TransformerFactory) {
            TransformerFactory target = (TransformerFactory) propertySetter;
            target.setAttribute(name, value);
        } else {
            throw new IllegalArgumentException("Invalid property setter.");
        }
    } catch (Exception failure) {
        exception = failure;
    }
    return null;
}
}
/**
 * Checks that {@code configureSchemaFactory} sets every property listed in
 * {@code SCHEMA_FACTORY_PROPERTIES} to the empty string and that the real factory accepts each one.
 *
 * <p>The wrapper mock forwards each {@code setProperty} call to the real {@code schemaFactory}
 * through {@code SetPropertyAnswer}; a rejected property would surface as a non-null
 * {@code exception} on the answer.
 */
@Test
public void schemaFactoryProperties() throws Exception {
    SetPropertyAnswer forwardingAnswer = new SetPropertyAnswer(schemaFactory);
    doAnswer(forwardingAnswer).when(schemaFactoryWrapper).setProperty(anyString(), anyObject());

    defaultXMLSecureFactories.configureSchemaFactory(schemaFactoryWrapper);

    // The real factory must have accepted every property it was handed.
    assertThat(forwardingAnswer.exception, is(nullValue()));
    for (String expectedProperty : SCHEMA_FACTORY_PROPERTIES) {
        verify(schemaFactoryWrapper).setProperty(expectedProperty, "");
    }
}