tuxji commented on a change in pull request #560:
URL: https://github.com/apache/daffodil/pull/560#discussion_r639726148



##########
File path: daffodil-japi/src/test/java/org/apache/daffodil/example/TestJavaAPI.java
##########
@@ -48,9 +49,31 @@
 import org.apache.daffodil.japi.logger.ConsoleLogWriter;
 import org.apache.daffodil.japi.logger.LogLevel;
 import org.apache.daffodil.japi.io.InputSourceDataInputStream;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+import org.xml.sax.XMLReader;
+
+import javax.xml.XMLConstants;
 
 public class TestJavaAPI {
 
+    /**
+     * Best practices for XML loading are to turn off anything that could lead 
to
+     * insecurity.
+     *
+     * This is probably unnecessary in the case of these tests, but as these 
tests
+     * are also used to illustrate API usage, this exemplifies best practice.
+     */
+    public static void setSecureDefaults(XMLReader xmlReader)
+            throws SAXNotSupportedException, SAXNotRecognizedException {
+        xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        // since we're not really sure what they mean by secure processing
+        // we make doubly sure by setting these ourselves also.
+        
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+    }
+
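Review bot: the comments inside setSecureDefaults() hide a portability caveat and understate what the features do. "http://apache.org/xml/features/disallow-doctype-decl" is a Xerces-specific feature, so on any XMLReader that is not Xerces the call throws SAXNotRecognizedException (the method correctly declares it, but the Javadoc should say the helper assumes a Xerces reader, or that callers must handle that exception). The inline comment "since we're not really sure what they mean by secure processing" should state the actual reason the three extra features are needed: FEATURE_SECURE_PROCESSING limits entity expansion and resource consumption but does not by itself reject DOCTYPE declarations or stop external general/parameter entities from being resolved, so disabling those explicitly is what actually closes the XXE and external-DTD paths. Since the Javadoc says the method is meant to illustrate API usage, it would also help to say which published entry point a user should prefer over copying a test helper.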

Review comment:
I have a slightly different suggestion. If we ever make secure XML loading part of the published API, let's publish DaffodilSAXParserFactory instead of XMLUtils. I know there's also JDOM parsing and so on, but we don't have to offer every way to load XML securely in the published API, only the way which we recommend as the best way. When people use DaffodilSAXParserFactory, they ensure that the SAXParser they get is exactly the Xerces one and its XMLReader is secure just by changing their first line of code. That's the easiest way to load XML securely - just a one-line change :).
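The following is an added example, not code from the pull request or from Daffodil's API, showing what "pin the parser to Xerces and harden its XMLReader" looks like in plain JAXP and what the hardening actually buys. It assumes Xerces is on the classpath under its standard factory class name `org.apache.xerces.jaxp.SAXParserFactoryImpl`; the two XML documents and the `http://example.invalid/` entity URL are constructed for the example. The same four features set in the patch's setSecureDefaults() are applied here, on the factory so that every parser it creates inherits them.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example (not Daffodil code): build a hardened Xerces XMLReader and
 * show that a document carrying a DOCTYPE with an external entity is
 * rejected before any entity is resolved, while a plain document parses.
 *
 * Assumption: Xerces is on the classpath. The disallow-doctype-decl feature
 * is Xerces-specific; a reader that does not implement it would throw
 * SAXNotRecognizedException from setFeature().
 */
public class SecureXmlLoadingExample {

    // Constructed sample inputs for the example.
    static final String SAFE_DOC =
        "<?xml version=\"1.0\"?><data><item>ok</item></data>";

    static final String DOCTYPE_DOC =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"http://example.invalid/ext.txt\">]>"
        + "<data>&ext;</data>";

    /** Pin the implementation to Xerces and apply the hardening features. */
    public static XMLReader newSecureXmlReader()
            throws ParserConfigurationException, SAXException {
        // Naming the factory class avoids the JAXP service lookup picking up
        // some other parser that may not recognize the Xerces feature below.
        SAXParserFactory factory = SAXParserFactory.newInstance(
                "org.apache.xerces.jaxp.SAXParserFactoryImpl", null);
        factory.setNamespaceAware(true);
        // Limits entity expansion and resource use, but does not forbid DOCTYPE.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: no internal subset, no external DTD at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: never resolve external entities even if a DOCTYPE got through.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser parser = factory.newSAXParser();
        return parser.getXMLReader();
    }

    /** Parse a document from a string and return its concatenated text content. */
    public static String parseTextContent(XMLReader reader, String xml)
            throws IOException, SAXException {
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        XMLReader reader = newSecureXmlReader();

        System.out.println("safe document text: " + parseTextContent(reader, SAFE_DOC));

        try {
            parseTextContent(reader, DOCTYPE_DOC);
            System.out.println("UNEXPECTED: DOCTYPE document was accepted");
        } catch (SAXParseException e) {
            // The parser fails on the DOCTYPE declaration itself, so the
            // external entity reference is never fetched.
            System.out.println("DOCTYPE document rejected: " + e.getMessage());
        }
    }
}
```

Setting the features on the SAXParserFactory rather than on each XMLReader is the "first line of code" change the comment above describes: every parser produced afterwards is already hardened, and a caller cannot forget to call a separate helper on the reader.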




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

