Set secure parameter for xslt transformation
MaximPlusov authored and Git User committed Mar 18, 2024
1 parent 614ffa4 commit 9386ecb
Showing 3 changed files with 27 additions and 30 deletions.
23 changes: 13 additions & 10 deletions core/src/main/java/org/verapdf/policy/PolicyChecker.java
Expand Up @@ -42,7 +42,7 @@ public final class PolicyChecker {

private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());

private static final TransformerFactory factory = TransformerFactory.newInstance();
private static final TransformerFactory factory = getTransformerFactory();
public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
public static final String XSLT_EXT = "xslt"; //$NON-NLS-1$
Expand All @@ -63,15 +63,6 @@ public final class PolicyChecker {
private static final String mergeXsl = resourcePath + "MergeMrrPolicy" + '.' + XSL_EXT; //$NON-NLS-1$
private static final Templates cachedMergeXsl = SchematronPipeline.createCachedTransform(mergeXsl);

static {
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException ignored) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
}

private PolicyChecker() {

}
Expand All @@ -97,6 +88,7 @@ public static void insertPolicyReport(final File policyReport, final File mrrRep
Transformer transformer = cachedMergeXsl.newTransformer();
transformer.setParameter("policyResultPath", policyReport.getAbsolutePath()); //$NON-NLS-1$
transformer.transform(new StreamSource(mrrReport), new StreamResult(mergedReport));
return;
} catch (TransformerException excep) {
throw new VeraPDFException("Problem merging XML files.", excep); //$NON-NLS-1$
}
Expand Down Expand Up @@ -215,4 +207,15 @@ private static void applySchematronXsl(final InputStream schematronXsl, final In
Transformer transformer = factory.newTransformer(new StreamSource(schematronXsl));
transformer.transform(new StreamSource(xmlReport), new StreamResult(policyReport));
}

private static TransformerFactory getTransformerFactory() {
TransformerFactory fact = TransformerFactory.newInstance();
try {
fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException e) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
return fact;
}
}
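Review bot: The added `getTransformerFactory()` fails open: if `setFeature` throws, the catch only logs a warning and the method still returns the factory, so `applySchematronXsl` goes on compiling stylesheets with a factory that has neither secure processing nor the stylesheet-access restriction. `TransformerFactory.setAttribute` is also documented to throw `IllegalArgumentException` when the implementation does not recognise the attribute; that is not caught here, and because the method now runs from the static initialiser of `factory` it would presumably surface as a class-initialisation failure if another XSLT provider is on the classpath. I would make the outcome deliberate by catching both with `catch (TransformerConfigurationException | IllegalArgumentException e)` and refusing to continue, e.g. `throw new IllegalStateException("Unable to secure xsl transformer", e);`. The same method body is added in XsltTransformer.java and the same catch is edited in SchematronPipeline.java, so this applies to all three files.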
12 changes: 2 additions & 10 deletions core/src/main/java/org/verapdf/policy/SchematronPipeline.java
Expand Up @@ -45,15 +45,6 @@ final class SchematronPipeline {
private static final Templates cachedExpXsl = createCachedTransform(isoExpXsl);
private static final Templates cachedIsoSvrlXsl = createCachedTransform(isoSvrlXsl);

static {
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException ignored) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
}

private SchematronPipeline() {
}

Expand Down Expand Up @@ -97,7 +88,8 @@ private static TransformerFactory getTransformerFactory() {
try {
fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException ignored) {
} catch (TransformerConfigurationException e) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
fact.setURIResolver(new ClasspathResourceURIResolver());
return fact;
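Review bot: The warning added in the catch drops the caught exception, so the log will not say which setting was rejected or why; pass the throwable along with `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);`. The same call without the throwable is in the `getTransformerFactory()` copies in PolicyChecker.java and XsltTransformer.java. `getTransformerFactory()` starts above this hunk and continues below it, so only the try/catch and the `setURIResolver` call are visible here.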
22 changes: 12 additions & 10 deletions core/src/main/java/org/verapdf/report/XsltTransformer.java
Expand Up @@ -41,16 +41,7 @@ public final class XsltTransformer {

private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());

private static final TransformerFactory factory = TransformerFactory.newInstance();

static {
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException ignored) {
LOGGER.log(Level.WARNING, "Unable to secure xslt transformer");
}
}
private static final TransformerFactory factory = getTransformerFactory();

private XsltTransformer() {
}
Expand Down Expand Up @@ -84,4 +75,15 @@ public static void transform(InputStream source, InputStream xslt, PrintWriter d

transformer.transform(new StreamSource(source), new StreamResult(destination));
}

private static TransformerFactory getTransformerFactory() {
TransformerFactory fact = TransformerFactory.newInstance();
try {
fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
} catch (TransformerConfigurationException e) {
LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
}
return fact;
}
}
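Review bot: `ACCESS_EXTERNAL_STYLESHEET` is set to `"file"` in the added `getTransformerFactory()`, which still lets a stylesheet reach local files through `xsl:import`, `xsl:include` and `document()`. If the `xslt` stream handed to `transform` can come from an untrusted party, the stricter setting is an empty value, `fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`. If file access is needed for the project's own stylesheets, a one-line comment above the call naming which ones would document that the relaxation is intended. This is also the third private copy of the method (the others are in PolicyChecker.java and SchematronPipeline.java); a shared helper would keep the hardening identical in all three places.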
