This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new 4e2797a02bd CAMEL-18825: Make XmlHelper more secure
4e2797a02bd is described below

commit 4e2797a02bd381fd3574e569ff0e3cc29181f5d5
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Dec 19 11:05:13 2022 +0100

    CAMEL-18825: Make XmlHelper more secure
---
 .../component/spring/ws/bean/CamelEndpointMapping.java | 10 ++++++++++
 .../spring/ws/filter/impl/BasicMessageFilter.java      | 11 +----------
 .../filter/impl/HeaderTransformationMessageFilter.java | 18 +++++++++++++-----
 3 files changed, 24 insertions(+), 15 deletions(-)

diff --git 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
index 22bd170d270..645d8d83480 100644
--- 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
+++ 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
@@ -247,6 +247,16 @@ public class CamelEndpointMapping extends 
AbstractEndpointMapping
         if (transformerFactory == null) {
             transformerFactory = TransformerFactory.newInstance();
             
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            try {
+                
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            } catch (IllegalArgumentException e) {
+                // ignore
+            }
+            try {
+                
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            } catch (IllegalArgumentException e) {
+                // ignore
+            }
         }
     }
 
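Review bot: Both added `catch (IllegalArgumentException e) { // ignore }` blocks silently drop the case where the factory does not recognise ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET, so on an implementation without JAXP 1.5 support the restriction is simply not applied and nothing records that the hardening was skipped. A log line naming the attribute, e.g. `LOG.debug("TransformerFactory {} does not support {}: {}", transformerFactory.getClass().getName(), XMLConstants.ACCESS_EXTERNAL_DTD, e.getMessage());` (assuming this class has a logger; none is visible in the hunk), would let operators notice a factory that quietly stays unrestricted. The same pattern is repeated in the HeaderTransformationMessageFilter hunk inside getTransformerFactory, where a LOG field is already declared. The enclosing method starts before and ends after this hunk, so whether the lazy `transformerFactory == null` initialisation is guarded against concurrent callers cannot be seen here.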
diff --git 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/BasicMessageFilter.java
 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/BasicMessageFilter.java
index ceea7f4d9a4..0f79fa3ec86 100644
--- 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/BasicMessageFilter.java
+++ 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/BasicMessageFilter.java
@@ -60,9 +60,6 @@ public class BasicMessageFilter implements MessageFilter {
 
     /**
      * If applicable this method adds a SOAP headers and attachments.
-     * 
-     * @param inOrOut
-     * @param response
      */
     protected void processHeaderAndAttachments(AttachmentMessage inOrOut, 
WebServiceMessage response) {
 
@@ -75,9 +72,6 @@ public class BasicMessageFilter implements MessageFilter {
 
     /**
      * If applicable this method adds a SOAP header.
-     * 
-     * @param inOrOut
-     * @param soapMessage
      */
     protected void processSoapHeader(AttachmentMessage inOrOut, SoapMessage 
soapMessage) {
         boolean isHeaderAvailable = inOrOut != null && inOrOut.getHeaders() != 
null && !inOrOut.getHeaders().isEmpty();
@@ -107,7 +101,7 @@ public class BasicMessageFilter implements MessageFilter {
         
headerKeySet.remove(SpringWebserviceConstants.SPRING_WS_ADDRESSING_PRODUCER_REPLY_TO);
         
headerKeySet.remove(SpringWebserviceConstants.SPRING_WS_ADDRESSING_CONSUMER_FAULT_ACTION);
         
headerKeySet.remove(SpringWebserviceConstants.SPRING_WS_ADDRESSING_CONSUMER_OUTPUT_ACTION);
-        // This gets repeated again in the below 'for loop' and gets added as 
attribute to soapenv:header. 
+        // This gets repeated in the below 'for loop' and gets added as 
attribute to soapenv:header.
         // This would have already been processed in 
SpringWebserviceProducer/Consumer instance.
         headerKeySet.remove(SpringWebserviceConstants.SPRING_WS_SOAP_HEADER);
 
@@ -134,9 +128,6 @@ public class BasicMessageFilter implements MessageFilter {
 
     /**
      * Populate SOAP attachments from in or out exchange message. This the 
convenient method for overriding.
-     * 
-     * @param inOrOut
-     * @param response
      */
     protected void doProcessSoapAttachments(AttachmentMessage inOrOut, 
SoapMessage response) {
         if (inOrOut.hasAttachments()) {
diff --git 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
index 836603286c0..cf6ab345694 100644
--- 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
+++ 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
@@ -43,6 +43,7 @@ import org.springframework.ws.soap.SoapMessage;
  * Message filter that transforms the header of a soap message
  */
 public class HeaderTransformationMessageFilter implements MessageFilter {
+
     private static final String SAXON_TRANSFORMER_FACTORY_CLASS_NAME = 
"net.sf.saxon.TransformerFactoryImpl";
     private static final String SOAP_HEADER_TRANSFORMATION_PROBLEM = "Soap 
header transformation problem";
     private static final Logger LOG = 
LoggerFactory.getLogger(HeaderTransformationMessageFilter.class);
@@ -77,10 +78,6 @@ public class HeaderTransformationMessageFilter implements 
MessageFilter {
 
     /**
      * Transform the header
-     * 
-     * @param context
-     * @param inOrOut
-     * @param webServiceMessage
      */
     private void processHeader(CamelContext context, Message inOrOut, 
WebServiceMessage webServiceMessage) {
         if (webServiceMessage instanceof SoapMessage) {
@@ -92,6 +89,7 @@ public class HeaderTransformationMessageFilter implements 
MessageFilter {
                 TransformerFactory transformerFactory = 
getTransformerFactory(context);
                 Transformer transformer = 
transformerFactory.newTransformer(stylesheetResource);
 
+
                 addParameters(inOrOut, transformer);
 
                 transformer.transform(soapMessage.getSoapHeader().getSource(), 
soapMessage.getSoapHeader().getResult());
@@ -126,7 +124,7 @@ public class HeaderTransformationMessageFilter implements 
MessageFilter {
      * @return {@link TransformerFactory}
      */
     private TransformerFactory getTransformerFactory(CamelContext context) {
-        TransformerFactory transformerFactory = null;
+        TransformerFactory transformerFactory;
         if (saxon) {
             transformerFactory = getSaxonTransformerFactory(context);
         } else {
@@ -142,6 +140,16 @@ public class HeaderTransformationMessageFilter implements 
MessageFilter {
         } catch (TransformerConfigurationException ex) {
             // ignore
         }
+        try {
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
"");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
+        try {
+            
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
 
         transformerFactory.setErrorListener(new ErrorListener() {
 
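Review bot: Setting `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` to `""` also forbids xsl:import, xsl:include and document() references to external resources from the user-configured stylesheet, so an existing stylesheet that pulls in another file will now fail when the transformer is created or run rather than at configuration time; that behavioural consequence deserves a comment next to the new block, e.g. `// JAXP 1.5: forbid external DTD and external stylesheet/document() access; stylesheets that include other files must be inlined`. It is also worth confirming that the factory returned by getSaxonTransformerFactory when `saxon` is true honours these attributes instead of throwing into the ignored catch, since that is the path on which the hardening would silently not apply. getTransformerFactory begins in the previous hunk and continues past the end of this one.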
