From d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe Mon Sep 17 00:00:00 2001
From: Maxim
Date: Tue, 12 Mar 2024 12:34:37 +0300
Subject: [PATCH] Set secure parameter for xslt transformation
---
 .../org/verapdf/policy/PolicyChecker.java | 24 +++++++++++++++----
 .../verapdf/policy/SchematronPipeline.java | 10 ++++++--
 .../org/verapdf/report/XsltTransformer.java | 20 +++++++++++++++-
 3 files changed, 46 insertions(+), 8 deletions(-)
diff --git a/core/src/main/java/org/verapdf/policy/PolicyChecker.java b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
index 6f6e3d255..4f23e928c 100644
--- a/core/src/main/java/org/verapdf/policy/PolicyChecker.java
+++ b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
@@ -20,15 +20,15 @@
 import org.verapdf.core.VeraPDFException;
 import org.verapdf.core.utils.FileUtils;
-import javax.xml.transform.Templates;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
+import javax.xml.XMLConstants;
+import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import java.io.*;
 import java.util.Arrays;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 /**
  * The veraPDF policy checker which is simply an abstraction that makes applying
@@ -39,7 +39,10 @@
  * @version 0.1 Created 12 Dec 2016:17:51:12
  */
 public final class PolicyChecker {
-    private static final TransformerFactory factory = TransformerFactory.newInstance();
+
+    private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());
+
+    private static final TransformerFactory factory = getTransformerFactory();
     public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
     public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
     public static final String XSLT_EXT = "xslt"; //$NON-NLS-1$
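Review bot: Replacing the four explicit `javax.xml.transform` imports with `import javax.xml.transform.*;` in the first hunk makes it harder to see which transform types PolicyChecker actually depends on; the new code needs only `TransformerConfigurationException` in addition, so `import javax.xml.transform.TransformerConfigurationException;` next to the existing explicit imports would keep the file's style (XsltTransformer takes exactly that approach in its own hunk). In the second hunk the logger is created with `getCanonicalName()` while SchematronPipeline uses `getName()`; for a top-level class the two strings coincide, but one convention across the three classes would keep logger names predictable.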
@@ -204,4 +207,15 @@ private static void applySchematronXsl(final InputStream schematronXsl, final In
         Transformer transformer = factory.newTransformer(new StreamSource(schematronXsl));
         transformer.transform(new StreamSource(xmlReport), new StreamResult(policyReport));
     }
+
+    private static TransformerFactory getTransformerFactory() {
+        TransformerFactory fact = TransformerFactory.newInstance();
+        try {
+            fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+        } catch (TransformerConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+        }
+        return fact;
+    }
 }
diff --git a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
index 663e77bc5..f3114f1bf 100644
--- a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
+++ b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
@@ -17,6 +17,7 @@
  */
 package org.verapdf.policy;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -31,8 +32,7 @@
  */
 final class SchematronPipeline {
-    private static final Logger LOGGER = Logger
-            .getLogger(SchematronPipeline.class.getName());
+    private static final Logger LOGGER = Logger.getLogger(SchematronPipeline.class.getName());
     static final ClassLoader cl = SchematronPipeline.class.getClassLoader();
     private static final TransformerFactory factory = getTransformerFactory();
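Review bot: The catch in the new `getTransformerFactory()` drops the exception and hands back a factory on which secure processing may not be enabled, so the log call should carry the cause, `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);`, and it is worth deciding explicitly whether continuing with an unrestricted factory is acceptable rather than letting it happen silently. `setAttribute` is specified to throw `IllegalArgumentException` for an attribute the implementation does not recognise, and that would escape this catch from the static initializer if a non-JDK `TransformerFactory` is picked up at runtime, so `catch (TransformerConfigurationException | IllegalArgumentException e)` is the safer shape. Passing `"file"` for `ACCESS_EXTERNAL_STYLESHEET` deliberately re-opens local `xsl:import`/`xsl:include`/`document()` loads that secure processing would otherwise block while still rejecting remote protocols; presumably this is needed because policy stylesheets are read from user-supplied files, and that reasoning deserves a one-line comment next to the call. The identical helper is added to SchematronPipeline and XsltTransformer in the later hunks, where the same applies, and moving it into one shared utility would keep the three copies from drifting.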
@@ -85,6 +85,12 @@ private static File createTempFileResult(final Transformer transformer, final St
     private static TransformerFactory getTransformerFactory() {
         TransformerFactory fact = TransformerFactory.newInstance();
+        try {
+            fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+        } catch (TransformerConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+        }
         fact.setURIResolver(new ClasspathResourceURIResolver());
         return fact;
     }
diff --git a/core/src/main/java/org/verapdf/report/XsltTransformer.java b/core/src/main/java/org/verapdf/report/XsltTransformer.java
index 4da53c9f4..dfb14b327 100644
--- a/core/src/main/java/org/verapdf/report/XsltTransformer.java
+++ b/core/src/main/java/org/verapdf/report/XsltTransformer.java
@@ -23,8 +23,12 @@
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
@@ -34,8 +38,11 @@
  * @author Maksim Bezrukov
  */
 public final class XsltTransformer {
-    private static final TransformerFactory factory = TransformerFactory.newInstance();
+    private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());
+
+    private static final TransformerFactory factory = getTransformerFactory();
+
     private XsltTransformer() {
     }
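Review bot: In SchematronPipeline's `getTransformerFactory()` the new external-stylesheet restriction and the existing `ClasspathResourceURIResolver` now interact, and the hunk does not record which one governs a given `xsl:include`; in the JDK implementation a URI the resolver serves appears to be loaded through it without the `file`-only check, which applies only to URIs the resolver declines, so the bundled schematron stylesheets should still resolve from the classpath — worth confirming with a pipeline run and stating in a comment such as `// classpath includes come from the resolver; the access policy applies to URIs it does not handle`. If that reading is wrong and the policy is checked before the resolver, classpath loads would fail, which makes the check a cheap regression test to add.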
@@ -68,4 +75,15 @@ public static void transform(InputStream source, InputStream xslt, PrintWriter d
         transformer.transform(new StreamSource(source), new StreamResult(destination));
     }
+
+    private static TransformerFactory getTransformerFactory() {
+        TransformerFactory fact = TransformerFactory.newInstance();
+        try {
+            fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+        } catch (TransformerConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+        }
+        return fact;
+    }
 }