This is an automated email from the ASF dual-hosted git repository. grobmeier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/logging-chainsaw.git
commit 7895e27c76271cba48c1a6fb5cfffbfb67dcda27 Author: Christian Grobmeier <[email protected]> AuthorDate: Wed Dec 20 21:43:30 2023 +0100 prevent access to XSD
--- .../log4j/chainsaw/receivers/ReceiversPanel.java | 5 ++++ .../apache/log4j/xml/UtilLoggingXMLDecoder.java | 28 +++++++--------------- src/main/java/org/apache/log4j/xml/XMLDecoder.java | 7 ++++-- 3 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java b/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java
index b71db59..505b120 100644
--- a/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java
+++ b/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java
@@ -47,6 +47,7 @@ import javax.swing.event.TreeWillExpandListener;
 import javax.swing.tree.DefaultMutableTreeNode;
 import javax.swing.tree.ExpandVetoException;
 import javax.swing.tree.TreePath;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -372,6 +373,9 @@ public class ReceiversPanel extends JPanel implements SettingsListener {
 try {
 //we programmatically register the ZeroConf plugin in the plugin registry
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ factory.setNamespaceAware(true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.newDocument();
@@ -403,6 +407,7 @@ public class ReceiversPanel extends JPanel implements SettingsListener {
 }
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
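Review bot: `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")` in the second hunk is applied to the wrong factory: that property is defined for XSLT processing, and a `DocumentBuilderFactory` recognizes only the DTD and schema variants, so the JDK's default parser will most likely reject it with an `IllegalArgumentException` before `newDocumentBuilder()` is reached; the enclosing `try` (its handlers lie outside the hunk) would then report or swallow that and the ZeroConf registration would be skipped. Replace it with `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` and move the stylesheet restriction to the `TransformerFactory` in the third hunk, which is currently created without any hardening: `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` followed by `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`. Since the builder only calls `newDocument()` on the visible lines, the DTD attribute is defensive rather than load-bearing, and a comment `// defensive: this builder only creates a document, no untrusted parsing happens here` would save the next reader from looking for the parse call. Both enclosing methods continue outside their hunks.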
diff --git a/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java b/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java
index 9e3ddfa..4715979 100644
--- a/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java
+++ b/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java
@@ -17,6 +17,7 @@ package org.apache.log4j.xml;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.spi.Decoder;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
@@ -24,6 +25,7 @@ import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 import javax.swing.*;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -82,26 +84,15 @@ public class UtilLoggingXMLDecoder implements Decoder {
 private static final String ENCODING = "UTF-8";
- /**
- * Create new instance.
- *
- * @param o owner
- */
- public UtilLoggingXMLDecoder(final Component o) {
- this();
- this.owner = o;
- }
- /** * Create new instance. */
 public UtilLoggingXMLDecoder() {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setValidating(false);
- try {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ docBuilder = dbf.newDocumentBuilder();
-// docBuilder.setErrorHandler(new SAXErrorHandler());
 docBuilder.setEntityResolver(new UtilLoggingEntityResolver());
 } catch (ParserConfigurationException pce) {
 System.err.println("Unable to get document builder");
@@ -127,6 +118,7 @@ public class UtilLoggingXMLDecoder implements Decoder {
 * @param data XML fragment
 * @return dom document
 */
+ @SuppressFBWarnings // applied security practices
 private Document parse(final String data) {
 if (docBuilder == null || data == null) {
 return null;
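Review bot: In the constructor hunk the hardening rests on `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` alone; whether that also blocks external DTD and entity fetches depends on which JAXP implementation is on the classpath and on `jaxp.properties`/system-property overrides, whereas the `XMLDecoder` constructor in this same commit additionally forbids the DOCTYPE declaration. The retained `docBuilder.setEntityResolver(new UtilLoggingEntityResolver())` suggests DOCTYPE-bearing input is expected here, so rather than `disallow-doctype-decl` this constructor should state the restriction explicitly right after the feature line: `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");`, `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` and `dbf.setExpandEntityReferences(false);`, which should keep a resolver that supplies its own stream working. In the `parse` hunk, `@SuppressFBWarnings // applied security practices` carries no `value`, so it silences every SpotBugs finding on that method rather than the one the comment refers to; `@SuppressFBWarnings(value = "<PATTERN_ID>", justification = "external access disabled in the constructor")` keeps future findings visible. Both the constructor and `parse` continue outside their hunks.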
@@ -173,6 +165,7 @@ public class UtilLoggingXMLDecoder implements Decoder {
 * @return Vector of LoggingEvents
 * @throws IOException if IO error during processing.
 */
+ @SuppressFBWarnings // TODO: loading files like this is dangerous - at least in web. see if we can do better
 public Vector<ChainsawLoggingEvent> decode(final URL url) throws IOException {
 LineNumberReader reader;
 boolean isZipFile = url.getPath().toLowerCase().endsWith(".zip");
@@ -316,11 +309,10 @@ public class UtilLoggingXMLDecoder implements Decoder {
 String threadName = null;
 String message = null;
 String ndc = null;
- String[] exception = null;
 String className = null;
 String methodName = null;
 String fileName = null;
- String lineNumber = null;
+ String lineNumber = "0"; // TODO this is not working
 Hashtable properties = new Hashtable();
 //format of date: 2003-05-04T11:04:52
@@ -389,10 +381,6 @@ public class UtilLoggingXMLDecoder implements Decoder {
 }
 }
 }
- if (exceptionList.size() > 0) {
- exception =
- (String[]) exceptionList.toArray(new String[exceptionList.size()]);
- }
 }
 }
diff --git a/src/main/java/org/apache/log4j/xml/XMLDecoder.java b/src/main/java/org/apache/log4j/xml/XMLDecoder.java
index 14aa96b..6f58baa 100644
--- a/src/main/java/org/apache/log4j/xml/XMLDecoder.java
+++ b/src/main/java/org/apache/log4j/xml/XMLDecoder.java
@@ -17,6 +17,7 @@ package org.apache.log4j.xml;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.log4j.spi.Decoder;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
@@ -24,6 +25,7 @@ import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 import javax.swing.*;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
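Review bot: The `@SuppressFBWarnings` added above `decode(final URL url)` has neither `value` nor `justification`, so it hides every SpotBugs finding on a method whose own TODO says that opening caller-supplied URLs (and, per the next visible line, treating any path ending in `.zip` as an archive) is dangerous; the annotation should name the one pattern being accepted and carry the caveat where the tool reports it, e.g. `@SuppressFBWarnings(value = "<PATTERN_ID>", justification = "caller-supplied URL; scheme/host not yet restricted - see TODO")`. The suppression is also not a mitigation: the risk the comment describes is real until `url` is checked (scheme and, for remote schemes, an allow-list) before the `LineNumberReader` is opened, and that check belongs in the method rather than in a comment. `decode` continues outside the hunk.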
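Review bot: `String lineNumber = "0"; // TODO this is not working` in the second hunk changes the default from `null` to the string `"0"` without saying what is broken: any consumer that used the old `null` to mean "no line number available" now sees a plausible value, and the comment gives the next reader nothing to act on. Either keep the previous default and describe the failure in the TODO, or document the choice: `// "0" rather than null: <reason>; the line element is not read because <cause> - TODO fix`. Dropping the `exception` local here and the array construction in the third hunk also leaves `exceptionList` (presumably populated outside the hunk) collected but, as far as the visible lines show, unconsumed, so it is worth confirming that throwable information still reaches the event. The enclosing method continues outside the hunk.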
@@ -114,9 +116,10 @@ public class XMLDecoder implements Decoder {
 */
 public XMLDecoder() {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setValidating(false);
- try {
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setValidating(false);
 docBuilder = dbf.newDocumentBuilder();
 // docBuilder.setErrorHandler(new SAXErrorHandler());
 docBuilder.setEntityResolver(new Log4jEntityResolver());
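Review bot: The new `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` makes `docBuilder.setEntityResolver(new Log4jEntityResolver())` three lines later dead in practice: with DOCTYPE declarations rejected the parser never asks a resolver for a DTD, and any input that still carries a `<!DOCTYPE ...>` now fails to parse instead of being served from the local resolver. If DOCTYPE-bearing input is expected (the kept resolver suggests it is), the alternative that still closes the external-fetch path is `dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` plus `dbf.setExpandEntityReferences(false);` in place of the doctype feature; if it is not, the resolver line should go together with a comment such as `// DOCTYPE is rejected outright, so no DTD can be referenced and no resolver is needed`. Re-adding `setValidating(false)` after the feature calls is fine, since all of them precede `newDocumentBuilder()` and the `setFeature` calls sit inside the existing `try`. The constructor continues outside the hunk.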
