From 49a12211d7f01a3da3fc494de67dc2aaf1ec7d4a Mon Sep 17 00:00:00 2001
From: Maxim
Date: Tue, 12 Mar 2024 12:34:37 +0300
Subject: [PATCH] Set secure parameter for xslt transformation
---
 .../org/verapdf/policy/PolicyChecker.java | 20 +++++++++++++++----
 .../verapdf/policy/SchematronPipeline.java | 18 +++++++++++++++--
 .../org/verapdf/report/XsltTransformer.java | 16 +++++++++++++++
 3 files changed, 48 insertions(+), 6 deletions(-)
diff --git a/core/src/main/java/org/verapdf/policy/PolicyChecker.java b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
index 113da8d3a..85059d037 100644
--- a/core/src/main/java/org/verapdf/policy/PolicyChecker.java
+++ b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
@@ -20,15 +20,15 @@ import org.verapdf.core.VeraPDFException;
 import org.verapdf.core.utils.FileUtils;
-import javax.xml.transform.Templates;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
+import javax.xml.XMLConstants;
+import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import java.io.*;
 import java.util.Arrays;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 /**
 * The veraPDF policy checker which is simply an abstraction that makes applying
@@ -39,6 +39,9 @@
 * @version 0.1 Created 12 Dec 2016:17:51:12
 */
 public final class PolicyChecker {
+ private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());
+ private static final TransformerFactory factory = TransformerFactory.newInstance();
 public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
 public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
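Review bot: `factory` becomes one `TransformerFactory` instance shared by every caller of this final, statically-used class, and the JAXP Javadoc states that a `TransformerFactory` implementation is not guaranteed to be thread safe; if the removed explicit `TransformerFactory` import reflects a per-call `newInstance()` before this patch, concurrent policy checks would now contend on a single unsynchronised factory. The uses of `factory` are outside the hunks, so this is hedged, but either a comment such as `// shared factory: JAXP does not guarantee thread safety, guard concurrent newTemplates/newTransformer calls` or synchronising those calls would settle it. The same applies to the new static `factory` in XsltTransformer (hunk @@ -34).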
@@ -60,6 +63,15 @@ public final class PolicyChecker {
 private static final String mergeXsl = resourcePath + "MergeMrrPolicy" + '.' + XSL_EXT; //$NON-NLS-1$
 private static final Templates cachedMergeXsl = SchematronPipeline.createCachedTransform(mergeXsl);
+ static {
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+ } catch (TransformerConfigurationException ignored) {
+ LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+ }
+ }
+
 private PolicyChecker() {
 }
diff --git a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
index 663e77bc5..d492e9a19 100644
--- a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
+++ b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
@@ -17,6 +17,7 @@
 */
 package org.verapdf.policy;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -31,8 +32,7 @@
 */
 final class SchematronPipeline {
- private static final Logger LOGGER = Logger
- .getLogger(SchematronPipeline.class.getName());
+ private static final Logger LOGGER = Logger.getLogger(SchematronPipeline.class.getName());
 static final ClassLoader cl = SchematronPipeline.class.getClassLoader();
 private static final TransformerFactory factory = getTransformerFactory();
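Review bot: `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file")` throws `IllegalArgumentException`, not `TransformerConfigurationException`, when the loaded implementation does not recognise the attribute, so with a non-JDK `TransformerFactory` on the classpath this static block would fail with `ExceptionInInitializerError` and make `PolicyChecker` unloadable instead of logging the warning; the catch should cover both and hand the exception to the logger instead of dropping it as `ignored`: `} catch (TransformerConfigurationException | IllegalArgumentException e) {` and `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);`. The same catch is repeated in SchematronPipeline (hunks @@ -45 and @@ -85) and XsltTransformer (hunk @@ -34). The `"file"` line also deserves a why-comment: on the JDK's built-in implementation enabling `FEATURE_SECURE_PROCESSING` already defaults `ACCESS_EXTERNAL_STYLESHEET` to the empty deny-all value, so `"file"` deliberately re-opens `file:` access for `xsl:import`/`xsl:include`/`document()`, presumably because stylesheets or their imports are read from disk; `// secure processing denies all external access; file: is re-allowed for stylesheets loaded from disk` records that choice. The enclosing class continues outside the hunk.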
@@ -45,6 +45,15 @@ final class SchematronPipeline {
 private static final Templates cachedExpXsl = createCachedTransform(isoExpXsl);
 private static final Templates cachedIsoSvrlXsl = createCachedTransform(isoSvrlXsl);
+ static {
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+ } catch (TransformerConfigurationException ignored) {
+ LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+ }
+ }
+
 private SchematronPipeline() {
 }
@@ -85,6 +94,11 @@ private static File createTempFileResult(final Transformer transformer, final St
 private static TransformerFactory getTransformerFactory() {
 TransformerFactory fact = TransformerFactory.newInstance();
+ try {
+ fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+ } catch (TransformerConfigurationException ignored) {
+ }
 fact.setURIResolver(new ClasspathResourceURIResolver());
 return fact;
 }
diff --git a/core/src/main/java/org/verapdf/report/XsltTransformer.java b/core/src/main/java/org/verapdf/report/XsltTransformer.java
index 4da53c9f4..e4018d862 100644
--- a/core/src/main/java/org/verapdf/report/XsltTransformer.java
+++ b/core/src/main/java/org/verapdf/report/XsltTransformer.java
@@ -23,8 +23,12 @@ import java.io.InputStream;
 import java.io.PrintWriter;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
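Review bot: This static block re-applies `FEATURE_SECURE_PROCESSING` and `ACCESS_EXTERNAL_STYLESHEET` to `factory`, but `factory` is initialised by `getTransformerFactory()`, which the same patch (hunk @@ -85) now configures identically, so one of the two copies is redundant; keeping only the `getTransformerFactory()` copy is the better choice because it hardens the instance before `cachedExpXsl`/`cachedIsoSvrlXsl` are compiled (presumably through `factory`), whereas this block runs after them in textual initialisation order. The copy in `getTransformerFactory()` has an empty `catch (TransformerConfigurationException ignored) { }` that silently swallows the failure this block logs; give it the same `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);` so a factory that could not be hardened shows up in the log. `getTransformerFactory()` is fully inside its hunk; the class body continues outside both.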
@@ -34,8 +38,20 @@
 * @author Maksim Bezrukov
 */
 public final class XsltTransformer {
+
+ private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());
+ private static final TransformerFactory factory = TransformerFactory.newInstance();
+ static {
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+ } catch (TransformerConfigurationException ignored) {
+ LOGGER.log(Level.WARNING, "Unable to secure xslt transformer");
+ }
+ }
+
 private XsltTransformer() {
 }
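Review bot: The warning here reads `"Unable to secure xslt transformer"` while the identical blocks in PolicyChecker and SchematronPipeline say `"Unable to secure xsl transformer"`; use one wording so a log search finds all three. Since this block and the two in the policy package are the same four statements, a single shared helper (for example a public `static TransformerFactory newSecureFactory()` reachable from both `org.verapdf.report` and `org.verapdf.policy`, given `SchematronPipeline` is package-private) would remove the triplication and keep the catch and log behaviour in step when it is next changed. Placing the block directly under the `factory` declaration, as done here, is the safer layout, since static initialisers run in textual order and no later static field can use the factory before it is hardened.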