Merge pull request #10 from codenvy/xmlSecurity

CLDIDE-2675 Fix vulnerability in xml parsers

everrest-core/src/main/java/org/everrest/core/impl/provider/DOMSourceEntityProvider.java

@@ -35,6 +35,8 @@
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Type;
 
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
 /**
  * @author <a href="mailto:andrew00x@gmail.com">Andrey Parfonov</a>
  * @version $Id: DOMSourceEntityProvider.java 285 2009-10-15 16:21:30Z aparfonov
@@ -63,6 +65,12 @@ public DOMSource readFrom(Class<DOMSource> type,
                               InputStream entityStream) throws IOException {
         try {
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            try {
+                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+            } catch (Throwable ignored) {}
             factory.setNamespaceAware(true);
             Document d = factory.newDocumentBuilder().parse(entityStream);
             return new DOMSource(d);
@@ -102,7 +110,9 @@ public void writeTo(DOMSource t,
                         OutputStream entityStream) throws IOException {
         StreamResult out = new StreamResult(entityStream);
         try {
-            TransformerFactory.newInstance().newTransformer().transform(t, out);
+            TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature(FEATURE_SECURE_PROCESSING, true); //it's enough there
+            factory.newTransformer().transform(t, out);
         } catch (TransformerConfigurationException e) {
             throw new IOException("Can't write to output stream " + e);
         } catch (TransformerException e) {

everrest-core/src/main/java/org/everrest/core/impl/provider/SAXSourceEntityProvider.java

@@ -30,6 +30,8 @@
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Type;
 
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
 /**
  * @author <a href="mailto:andrew00x@gmail.com">Andrey Parfonov</a>
  * @version $Id: SAXSourceEntityProvider.java 285 2009-10-15 16:21:30Z aparfonov
@@ -80,7 +82,9 @@ public void writeTo(SAXSource t,
                         OutputStream entityStream) throws IOException {
         StreamResult out = new StreamResult(entityStream);
         try {
-            TransformerFactory.newInstance().newTransformer().transform(t, out);
+            TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+            factory.newTransformer().transform(t, out);
         } catch (TransformerConfigurationException e) {
             throw new IOException("Can't write to output stream " + e);
         } catch (TransformerException e) {

everrest-core/src/main/java/org/everrest/core/impl/provider/StreamSourceEntityProvider.java

@@ -28,6 +28,8 @@
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Type;
 
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
 /**
  * @author andrew00x
  */
@@ -75,7 +77,9 @@ public void writeTo(StreamSource t,
                         OutputStream entityStream) throws IOException {
         StreamResult out = new StreamResult(entityStream);
         try {
-            TransformerFactory.newInstance().newTransformer().transform(t, out);
+            TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+            factory.newTransformer().transform(t, out);
         } catch (TransformerException | TransformerFactoryConfigurationError e) {
             throw new IOException("Can't write to output stream " + e);
         }

everrest-core/src/main/java/org/everrest/core/impl/provider/XSLTTemplatesContextResolver.java

@@ -30,6 +30,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
 /**
  * Provide cache for transformation templates.
  *
@@ -86,6 +88,7 @@ public void addAsTemplate(String name, Source source) throws IOException, SAXExc
         }
         synchronized (templates) {
             SAXTransformerFactory factory = (SAXTransformerFactory)SAXTransformerFactory.newInstance();
+            factory.setFeature(FEATURE_SECURE_PROCESSING, true);
             TemplatesHandler templateHandler = factory.newTemplatesHandler();
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             if (resolver != null) {

everrest-core/src/main/java/org/everrest/core/tools/ErrorPages.java

@@ -30,6 +30,8 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
 /**
  * Describes error-page references for web application in web.xml file.
  *
@@ -58,8 +60,14 @@ protected void loadErrorPages(ServletContext servletContext, Map<Integer, String
             return;
         }
         try {
-            DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-            Document dom = documentBuilder.parse(input);
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            try {
+                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+            } catch (Throwable ignored) {}
+            Document dom = factory.newDocumentBuilder().parse(input);
             XPathFactory xpathFactory = XPathFactory.newInstance();
             XPath xpath = xpathFactory.newXPath();
             NodeList all = (NodeList)xpath.evaluate("/web-app/error-page", dom, XPathConstants.NODESET);

everrest-core/src/main/java/org/everrest/core/tools/WebApplicationDeclaredRoles.java

@@ -29,6 +29,8 @@
 import java.util.LinkedHashSet;
 import java.util.Set;
 
+import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
+
 /**
  * Describes roles declared for web application in web.xml file.
  *
@@ -48,8 +50,14 @@ protected Set<String> loadRoles(ServletContext servletContext) throws UnhandledE
             return Collections.emptySet();
         }
         try {
-            DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-            Document dom = documentBuilder.parse(input);
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            try {
+                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                factory.setFeature(FEATURE_SECURE_PROCESSING, true);
+            } catch (Throwable ignored) {}
+            Document dom = factory.newDocumentBuilder().parse(input);
             XPathFactory xpathFactory = XPathFactory.newInstance();
             XPath xpath = xpathFactory.newXPath();
             NodeList all = (NodeList)xpath.evaluate("/web-app/security-role/role-name", dom, XPathConstants.NODESET);