Set secure parameter for xslt transformation

veraPDF · Mar 18, 2024 · 49a1221 · 49a1221
1 parent b1ccf72
commit 49a1221
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 6 deletions.
diff --git a/core/src/main/java/org/verapdf/policy/PolicyChecker.java b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
@@ -20,15 +20,15 @@
 import org.verapdf.core.VeraPDFException;
 import org.verapdf.core.utils.FileUtils;
 
-import javax.xml.transform.Templates;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
+import javax.xml.XMLConstants;
+import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import java.io.*;
 import java.util.Arrays;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * The veraPDF policy checker which is simply an abstraction that makes applying
@@ -39,6 +39,9 @@
  * @version 0.1 Created 12 Dec 2016:17:51:12
  */
 public final class PolicyChecker {
+
+	private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());
+
 	private static final TransformerFactory factory = TransformerFactory.newInstance();
 	public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
 	public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
@@ -60,6 +63,15 @@ public final class PolicyChecker {
 	private static final String mergeXsl = resourcePath + "MergeMrrPolicy" + '.' + XSL_EXT; //$NON-NLS-1$
 	private static final Templates cachedMergeXsl = SchematronPipeline.createCachedTransform(mergeXsl);
 
+	static {
+		try {
+			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+		} catch (TransformerConfigurationException ignored) {
+			LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+		}
+	}
+
 	private PolicyChecker() {
 
 	}

diff --git a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
@@ -17,6 +17,7 @@
  */
 package org.verapdf.policy;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -31,8 +32,7 @@
  */
 
 final class SchematronPipeline {
-	private static final Logger LOGGER = Logger
-			.getLogger(SchematronPipeline.class.getName());
+	private static final Logger LOGGER = Logger.getLogger(SchematronPipeline.class.getName());
 
 	static final ClassLoader cl = SchematronPipeline.class.getClassLoader();
 	private static final TransformerFactory factory = getTransformerFactory();
@@ -45,6 +45,15 @@ final class SchematronPipeline {
 	private static final Templates cachedExpXsl = createCachedTransform(isoExpXsl);
 	private static final Templates cachedIsoSvrlXsl = createCachedTransform(isoSvrlXsl);
 
+	static {
+		try {
+			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+		} catch (TransformerConfigurationException ignored) {
+			LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+		}
+	}
+
 	private SchematronPipeline() {
 	}
 
@@ -85,6 +94,11 @@ private static File createTempFileResult(final Transformer transformer, final St
 
 	private static TransformerFactory getTransformerFactory() {
 		TransformerFactory fact = TransformerFactory.newInstance();
+		try {
+			fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+		} catch (TransformerConfigurationException ignored) {
+		}
 		fact.setURIResolver(new ClasspathResourceURIResolver());
 		return fact;
 	}

diff --git a/core/src/main/java/org/verapdf/report/XsltTransformer.java b/core/src/main/java/org/verapdf/report/XsltTransformer.java
@@ -23,8 +23,12 @@
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
@@ -34,8 +38,20 @@
  * @author Maksim Bezrukov
  */
 public final class XsltTransformer {
+
+	private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());
+
 	private static final TransformerFactory factory = TransformerFactory.newInstance();
 
+	static {
+		try {
+			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+		} catch (TransformerConfigurationException ignored) {
+			LOGGER.log(Level.WARNING, "Unable to secure xslt transformer");
+		}
+	}
+
 	private XsltTransformer() {
 	}