This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 5db23502f131a265b8909bd8ce4113962d1c556f
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Dec 19 09:54:57 2022 +0100

    CAMEL-18825: Make XmlHelper more secure
---
 .../org/apache/camel/maven/RouteCoverageMojo.java  | 30 ++++++++++++++++------
 .../camel/parser/helper/XmlLineNumberParser.java   |  9 ++++++-
 .../management/mbean/RouteCoverageXmlParser.java   | 24 ++++++++++++++---
 .../apache/camel/util/xml/XmlLineNumberParser.java |  8 ++++++
 4 files changed, 59 insertions(+), 12 deletions(-)

diff --git 
a/catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java
 
b/catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java
index f64279bd1a8..4d62ba89326 100644
--- 
a/catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java
+++ 
b/catalog/camel-report-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java
@@ -34,6 +34,7 @@ import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.stream.Collectors;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -564,19 +565,32 @@ public class RouteCoverageMojo extends AbstractExecMojo {
     }
 
     private static Document createDocument() throws 
ParserConfigurationException {
-        DocumentBuilderFactory documentFactory = 
DocumentBuilderFactory.newInstance();
-        
documentFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
-        
documentFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
-
-        DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        // turn off validator and loading external dtd
+        dbf.setValidating(false);
+        dbf.setNamespaceAware(true);
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        dbf.setFeature("http://xml.org/sax/features/namespaces";, false);
+        dbf.setFeature("http://xml.org/sax/features/validation";, false);
+        
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";, 
false);
+        
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+        
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+        dbf.setXIncludeAware(false);
+        dbf.setExpandEntityReferences(false);
+
+        DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
         return documentBuilder.newDocument();
     }
 
     private static void createJacocoXmlFile(Document document, File file) 
throws TransformerException {
         String xmlFilePath = file.toString() + "/xmlJacoco.xml";
-        TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
-        
transformerFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
-        Transformer transformer = transformerFactory.newTransformer();
+        TransformerFactory factory = TransformerFactory.newInstance();
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
+        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        Transformer transformer = factory.newTransformer();
         DOMSource domSource = new DOMSource(document);
         StreamResult streamResult = new StreamResult(new File(xmlFilePath));
 
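Review bot: The hardening added to `createDocument()` (L50–L71) never sees untrusted XML — the builder is only used for `documentBuilder.newDocument()`, which yields an empty DOM that the plugin fills itself and then serializes, so the entity, DTD and XInclude settings have no input to act on. Two of them also contradict each other: `dbf.setNamespaceAware(true)` is followed by `dbf.setFeature("http://xml.org/sax/features/namespaces", false)`, and in the JDK's Xerces-derived builder the later `setFeature` appears to win, so either drop one or comment which is intended. The part of this hunk that does reach something external is the Transformer in `createJacocoXmlFile`; there `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` throws an unchecked `IllegalArgumentException` (not `TransformerException`) if a non-JDK `TransformerFactory` on the plugin classpath does not recognise the attribute, so a short comment that this is meant to fail closed, or a guarded try/catch, would help the next maintainer. `createJacocoXmlFile` continues past the end of the hunk.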
diff --git 
a/catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
 
b/catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
index 5b3ef8ed1e0..0c40aad68a4 100644
--- 
a/catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
+++ 
b/catalog/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
@@ -96,13 +96,20 @@ public final class XmlLineNumberParser {
         final SAXParserFactory factory = SAXParserFactory.newInstance();
         try {
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
+            
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+            factory.setFeature("http://xml.org/sax/features/namespaces";, 
false);
+            factory.setFeature("http://xml.org/sax/features/validation";, 
false);
+            
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";,
 false);
+            
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+            
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
             parser = factory.newSAXParser();
             final DocumentBuilderFactory dbf = 
DocumentBuilderFactory.newInstance();
             // turn off validator and loading external dtd
             dbf.setValidating(false);
             dbf.setNamespaceAware(true);
             dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
             dbf.setFeature("http://xml.org/sax/features/namespaces";, false);
             dbf.setFeature("http://xml.org/sax/features/validation";, false);
             
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";, 
false);
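Review bot: Adding `disallow-doctype-decl` to the SAX factory (L110) means any route XML carrying a `<!DOCTYPE>` — even a harmless local one — now fails with a `SAXParseException` instead of being parsed; that is the right default, but it is a behaviour change for callers and belongs in the method's Javadoc, e.g. `Documents containing a DOCTYPE declaration are rejected to prevent XXE.` The feature URIs are Xerces-specific, so on a different SAX provider `setFeature` throws `SAXNotRecognizedException`; all of the configuration sits inside the `try` opened at L106, and whether its catch (outside this hunk) swallows that and continues with an unhardened parser or fails closed decides whether the hardening is reliable — worth verifying. The pre-existing `dbf.setNamespaceAware(true)` followed by the `namespaces` feature set to `false` still contradict each other. The enclosing method starts and ends outside the hunk.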
diff --git 
a/core/camel-management/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
 
b/core/camel-management/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
index 87dfca7965a..70c087eb049 100644
--- 
a/core/camel-management/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
+++ 
b/core/camel-management/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
@@ -65,10 +65,28 @@ public final class RouteCoverageXmlParser {
     public static Document parseXml(final CamelContext camelContext, final 
InputStream is) throws Exception {
         final SAXParserFactory factory = SAXParserFactory.newInstance();
         factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        factory.setFeature("http://xml.org/sax/features/namespaces";, false);
+        factory.setFeature("http://xml.org/sax/features/validation";, false);
+        
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";,
 false);
+        
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+        
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
         final SAXParser parser = factory.newSAXParser();
-        final DocumentBuilderFactory docBuilderFactory = 
DocumentBuilderFactory.newInstance();
-        docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
-        final DocumentBuilder docBuilder = 
docBuilderFactory.newDocumentBuilder();
+        final DocumentBuilderFactory dbf = 
DocumentBuilderFactory.newInstance();
+        dbf.setValidating(false);
+        dbf.setNamespaceAware(true);
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        dbf.setFeature("http://xml.org/sax/features/namespaces";, false);
+        dbf.setFeature("http://xml.org/sax/features/validation";, false);
+        
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";, 
false);
+        
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+        
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+        dbf.setXIncludeAware(false);
+        dbf.setExpandEntityReferences(false);
+        final DocumentBuilder docBuilder = dbf.newDocumentBuilder();
         final Document doc = docBuilder.newDocument();
 
         final Stack<Element> elementStack = new Stack<>();
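Review bot: Of the two parsers configured here only the SAX one is fed the input stream; `dbf` is used solely for `docBuilder.newDocument()` at L204 and the DOM is assembled from SAX callbacks via `elementStack`, so the eleven `DocumentBuilderFactory` hardening calls (L183–L202) never process external XML. Keeping them as a uniform template is fine, but a comment such as `// dbf only creates the empty target Document; untrusted input is parsed by the SAX parser above` would stop a reader from assuming this is the protected path. Minor: L155 uses `Boolean.TRUE` where the new lines use `true`; pick one. On a non-Xerces SAX provider `factory.setFeature` throws `SAXNotRecognizedException`, which `parseXml`'s `throws Exception` propagates — fail-closed, which is acceptable, but worth a note. The method continues past the hunk.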
diff --git 
a/core/camel-xml-jaxp/src/main/java/org/apache/camel/util/xml/XmlLineNumberParser.java
 
b/core/camel-xml-jaxp/src/main/java/org/apache/camel/util/xml/XmlLineNumberParser.java
index 214e9146319..b5a87e51a57 100644
--- 
a/core/camel-xml-jaxp/src/main/java/org/apache/camel/util/xml/XmlLineNumberParser.java
+++ 
b/core/camel-xml-jaxp/src/main/java/org/apache/camel/util/xml/XmlLineNumberParser.java
@@ -116,12 +116,20 @@ public final class XmlLineNumberParser {
         SAXParser parser;
         final SAXParserFactory factory = SAXParserFactory.newInstance();
         factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        factory.setFeature("http://xml.org/sax/features/namespaces";, false);
+        factory.setFeature("http://xml.org/sax/features/validation";, false);
+        
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";,
 false);
+        
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+        
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
         parser = factory.newSAXParser();
         final DocumentBuilderFactory dbf = 
DocumentBuilderFactory.newInstance();
         // turn off validator and loading external dtd
         dbf.setValidating(false);
         dbf.setNamespaceAware(true);
         dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
         dbf.setFeature("http://xml.org/sax/features/namespaces";, false);
         dbf.setFeature("http://xml.org/sax/features/validation";, false);
         
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";, 
false);
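Review bot: This copy sets the same Xerces-specific feature URIs as the route-parser variant but with no surrounding `try`, so on a non-Xerces SAX provider `factory.setFeature` throws `SAXNotRecognizedException` at runtime; fail-closed is acceptable, but the JAXP-portable controls are worth adding alongside so the defence does not depend on the provider — after `parser = factory.newSAXParser();` add `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` (both throw checked SAX exceptions, so check they fit the method's `throws` clause, which is outside this hunk). `disallow-doctype-decl` now rejects any document with a `<!DOCTYPE>`, which the method Javadoc should state. The method starts and ends outside this hunk.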
