diff --git a/src/main/java/uk/co/jbuncle/hnapclient/util/xml/XMLUtility.java b/src/main/java/uk/co/jbuncle/hnapclient/util/xml/XMLUtility.java index ad6be10..6f9f021 100644 --- a/src/main/java/uk/co/jbuncle/hnapclient/util/xml/XMLUtility.java +++ b/src/main/java/uk/co/jbuncle/hnapclient/util/xml/XMLUtility.java @@ -8,6 +8,7 @@ import java.io.StringWriter; import java.util.LinkedList; import java.util.List; +import javax.xml.XMLConstants; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; import javax.xml.bind.Marshaller; @@ -16,6 +17,7 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.OutputKeys; import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; import javax.xml.transform.dom.DOMSource; @@ -37,7 +39,7 @@ public class XMLUtility { public static String toString(final Node node) throws XMLException { try { - final TransformerFactory tf = TransformerFactory.newInstance(); + final TransformerFactory tf = newSecureTransformerFactory(); final Transformer transformer = tf.newTransformer(); transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes"); final StringWriter writer = new StringWriter(); @@ -51,7 +53,7 @@ public static String toString(final Node node) throws XMLException { public static Document loadXML(final String xml) throws XMLException { try { - final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + final DocumentBuilderFactory factory = newSecureDocumentBuilderFactory(); final DocumentBuilder builder = factory.newDocumentBuilder(); final InputSource is = new InputSource(new StringReader(xml)); return builder.parse(is); @@ -92,7 +94,7 @@ public static Document marshall(final Object object) throws XMLException { final Marshaller m = jaxbContext.createMarshaller(); m.setProperty(Marshaller.JAXB_ENCODING, "UTF-8"); - final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + final DocumentBuilderFactory dbf = newSecureDocumentBuilderFactory(); dbf.setNamespaceAware(true); final DocumentBuilder db = dbf.newDocumentBuilder(); final Document doc = db.newDocument(); @@ -106,6 +108,28 @@ public static Document marshall(final Object object) throws XMLException { } } + private static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException { + final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setFeature("http://xml.org/sax/features/external-general-entities", false); + factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + factory.setXIncludeAware(false); + factory.setExpandEntityReferences(false); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); + return factory; + } + + private static TransformerFactory newSecureTransformerFactory() throws TransformerConfigurationException { + final TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + return transformerFactory; + } + public static List getChildElements(final Node element) { final List childElements = new LinkedList<>(); final NodeList childNodes = element.getChildNodes();