This is an automated email from the ASF dual-hosted git repository. reta pushed a commit to branch more.schema.factory in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 9e09d7ccedef6f940b095a7d6544c8b94915273b
Author: Andriy Redko <[email protected]>
AuthorDate: Fri May 29 23:55:41 2026 -0400
More SchemaFactory hardenings
---
.../org/apache/cxf/aegis/type/XMLTypeCreator.java | 10 ++++++++++
.../apache/cxf/jaxrs/utils/schemas/SchemaHandler.java | 19 ++++++++++++++++++-
.../main/java/org/apache/cxf/ws/rm/RMEndpoint.java | 11 +++++++++++
.../cxf/tools/common/dom/ExtendedDocumentBuilder.java | 11 +++++++++++
.../wsdlto/databinding/jaxb/JAXBDataBinding.java | 8 ++++++++
5 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
index 85c26c8ade7..b107f355da5 100644
--- a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
+++ b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
@@ -51,6 +51,8 @@ import org.w3c.dom.NodeList;
 import org.xml.sax.ErrorHandler;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.SAXParseException;
 import org.apache.cxf.aegis.DatabindingException;
@@ -126,6 +128,14 @@ public class XMLTypeCreator extends AbstractTypeCreator {
 try (InputStream is = XMLTypeCreator.class.getResourceAsStream(path)) {
 if (is != null) {
 SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ try {
+ schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The properties '" + XMLConstants.ACCESS_EXTERNAL_DTD +
+ "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA + "' are not supported.");
+ }
 Schema aegisSchema = schemaFactory.newSchema(new StreamSource(is));
 AEGIS_DOCUMENT_BUILDER_FACTORY.setSchema(aegisSchema);
 }
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/schemas/SchemaHandler.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/schemas/SchemaHandler.java
index a8f4bf17b9f..14c19ba4fce 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/schemas/SchemaHandler.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/utils/schemas/SchemaHandler.java
@@ -29,7 +29,10 @@ import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
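Review bot: The catch block added after the two `schemaFactory.setProperty(...)` calls drops the exception it caught: `LOG.log(Level.WARNING, "...")` is called without `e`, so an operator learns that external access could not be restricted but not why or by which implementation; pass it as the third argument, `LOG.log(Level.WARNING, "The properties '" + XMLConstants.ACCESS_EXTERNAL_DTD + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA + "' are not supported.", e);`. The same catch shape appears in `SchemaHandler.createSchema`, `RMEndpoint` and `ExtendedDocumentBuilder.setValidating` and wants the same fix. Note also that `schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, ...)` sits outside that inner try, so its checked exceptions presumably reach whatever catch encloses the try-with-resources (outside the hunk); a missing secure-processing feature therefore aborts schema creation while a missing ACCESS_EXTERNAL_* property only warns and continues with whatever external-access default the implementation applies, which deserves a one-line comment such as `// secure processing is mandatory for every JAXP implementation; the access-restriction properties are best effort` if it is intentional. The enclosing block starts and ends outside the hunk.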
@@ -38,17 +41,21 @@ import javax.xml.validation.SchemaFactory;
 import org.w3c.dom.ls.LSInput;
 import org.w3c.dom.ls.LSResourceResolver;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.catalog.OASISCatalogManager;
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.ClasspathScanner;
 import org.apache.cxf.common.xmlschema.LSInputImpl;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.ws.commons.schema.constants.Constants;
 public class SchemaHandler {
- static final String DEFAULT_CATALOG_LOCATION = "classpath:META-INF/jax-rs-catalog.xml";
+ private static final Logger LOG = LogUtils.getL7dLogger(SchemaHandler.class);
 private Schema schema;
 private Bus bus;
@@ -83,6 +90,16 @@ public class SchemaHandler {
 public static Schema createSchema(List<String> locations, String catalogLocation, final Bus bus) {
 SchemaFactory factory = SchemaFactory.newInstance(Constants.URI_2001_SCHEMA_XSD);
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING +
+ "', '" + XMLConstants.ACCESS_EXTERNAL_DTD + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA +
+ "' are not supported.");
+ }
+
 try {
 List<Source> sources = new ArrayList<>();
 for (String loc : locations) {
diff --git a/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java b/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java
index 76ecd7aa30a..3f44f9357ab 100644
--- a/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java
+++ b/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java
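Review bot: The package-private constant `DEFAULT_CATALOG_LOCATION` is replaced by the new `LOG` field instead of `LOG` being added next to it, and that removal is the commit's single deletion even though the message only describes SchemaFactory hardening. If anything else in `org.apache.cxf.jaxrs.utils.schemas` or a test still references the constant, the build breaks; if it was dead, dropping it is fine but belongs in the commit message or a separate commit. Either keep `static final String DEFAULT_CATALOG_LOCATION = "classpath:META-INF/jax-rs-catalog.xml";` alongside the logger or confirm it has no remaining users.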
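Review bot: In `createSchema` the three hardening calls share one try, so the first `SAXNotRecognizedException`/`SAXNotSupportedException` skips the remaining calls: an implementation that rejects `ACCESS_EXTERNAL_DTD` never gets `ACCESS_EXTERNAL_SCHEMA` applied either, and the warning then names all three as unsupported although only one failed. The method proceeds to `newSchema` after the warning, so in that case the schema is compiled with whatever external-access default the implementation applies and the log line is the only signal; attempting each call in its own try keeps the other restrictions effective and makes the message precise. `ExtendedDocumentBuilder.setValidating` has the same structure. The enclosing method continues past the hunk.
```java
        SchemaFactory factory = SchemaFactory.newInstance(Constants.URI_2001_SCHEMA_XSD);
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            LOG.log(Level.WARNING, "The feature '" + XMLConstants.FEATURE_SECURE_PROCESSING
                + "' is not supported.", e);
        }
        for (String property : new String[] {
            XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_SCHEMA}) {
            try {
                factory.setProperty(property, "");
            } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
                LOG.log(Level.WARNING, "The property '" + property + "' is not supported.", e);
            }
        }
        // … unchanged: source list construction and newSchema …
```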
@@ -42,6 +42,9 @@ import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+
 import jakarta.xml.bind.JAXBContext;
 import jakarta.xml.bind.JAXBException;
 import org.apache.cxf.binding.soap.SoapVersion;
@@ -385,6 +388,14 @@ public class RMEndpoint {
 if (rmSchema == null) {
 try {
 SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ try {
+ factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The properties '" + XMLConstants.ACCESS_EXTERNAL_DTD +
+ "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA + "' are not supported.");
+ }
 javax.xml.transform.Source ad = new StreamSource(RMEndpoint.class
 .getResource("/schemas/wsdl/addressing.xsd")
 .openStream(),
diff --git a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
index 747acf1fa59..f1d6807a7e8 100644
--- a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
+++ b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
@@ -38,6 +38,8 @@ import javax.xml.validation.SchemaFactory;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.staxutils.StaxUtils;
@@ -65,6 +67,15 @@ public class ExtendedDocumentBuilder {
 public void setValidating(boolean validate) {
 if (validate) {
 this.schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ try {
+ schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING + "', '" +
+ XMLConstants.ACCESS_EXTERNAL_DTD + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA +
+ "' are not supported.");
+ }
 try {
 this.schema = schemaFactory.newSchema(new StreamSource(getSchemaLocation()));
 } catch (SAXException e) {
diff --git a/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java b/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java
index c2c371395db..fc9d8c0fb53 100644
--- a/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java
+++ b/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java
@@ -67,6 +67,8 @@ import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
 import org.xml.sax.Locator;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.SAXParseException;
 import org.xml.sax.helpers.XMLFilterImpl;
@@ -1065,6 +1067,12 @@ public class JAXBDataBinding implements DataBindingProfile {
 final OASISCatalogManager catalog,
 final SchemaCollection schemaCollection) throws ToolException {
 SchemaFactory schemaFact = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ try {
+ schemaFact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.FEATURE_SECURE_PROCESSING +
+ "' is not supported.");
+ }
 schemaFact.setResourceResolver(new LSResourceResolver() {
 public LSInput resolveResource(String type, String namespaceURI,
