Posted to commits@uima.apache.org by cw...@apache.org on 2018/02/21 19:56:58 UTC

svn commit: r1824997 - in /uima/uima-ducc/trunk: uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/ uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/aio/ uima-ducc-user/src/main/java/org/apache/uima/ducc/user/common/ uima-ducc-user/src/main/java...

Author: cwiklik
Date: Wed Feb 21 19:56:58 2018
New Revision: 1824997

URL: http://svn.apache.org/viewvc?rev=1824997&view=rev
Log:
UIMA-5731 removed use of XMLUtils. The method calls are only valid if UIMA 2.10.2 is used. For older versions of UIMA these calls fail with NoSuchMethod errors. Replaced XMLUtils calls with direct XML object instantiation and added secure parameters.

Modified:
    uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/DuccUiUtilities.java
    uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/aio/DDParser.java
    uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/common/DuccUimaSerializer.java
    uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/dgen/DeployableGenerator.java

Modified: uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/DuccUiUtilities.java
URL: http://svn.apache.org/viewvc/uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/DuccUiUtilities.java?rev=1824997&r1=1824996&r2=1824997&view=diff
==============================================================================
--- uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/DuccUiUtilities.java (original)
+++ uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/DuccUiUtilities.java Wed Feb 21 19:56:58 2018
@@ -20,6 +20,8 @@ package org.apache.uima.ducc.cli;
 
 import java.io.File;
 import java.io.IOException;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLClassLoader;
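Review bot: The added imports `java.lang.reflect.InvocationTargetException` and `java.lang.reflect.Method` are not used by any of the new lines shown in this file's hunks, and the same pair is added to DDParser, DuccUimaSerializer and DeployableGenerator. They look like leftovers from a reflection-based way of calling XMLUtils, though that is a guess. If nothing outside the visible hunks uses them, drop both lines from all four files.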
@@ -36,7 +38,10 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
+import org.apache.uima.UIMAFramework;
 import org.apache.uima.ducc.common.IDuccUser;
 import org.apache.uima.ducc.common.TcpStreamHandler;
 import org.apache.uima.ducc.common.utils.DuccPropertiesResolver;
@@ -44,7 +49,7 @@ import org.apache.uima.ducc.transport.ev
 import org.apache.uima.ducc.user.common.PrivateClassLoader;
 import org.apache.uima.ducc.user.common.QuotedOptions;
 import org.apache.uima.ducc.user.common.UimaUtils;
-import org.apache.uima.internal.util.XMLUtils;
+import org.apache.uima.util.Level;
 import org.apache.uima.util.XMLInputSource;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -52,7 +57,9 @@ import org.w3c.dom.NodeList;
 
 
 public class DuccUiUtilities {
-
+	private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+	private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+	
 	public static String getUser() {
 		String user = System.getProperty("user.name");
 		String runmode = DuccPropertiesResolver.get(DuccPropertiesResolver.ducc_runmode);
@@ -143,7 +150,25 @@ public class DuccUiUtilities {
         }
         return "http://" + host + ":" + port + "/" + server.substring(0, 2);
 	}
+	private static void secureDocumentBuilderFactory(DocumentBuilderFactory documentBuilderFactory) {
+	    try {
+	        documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+	      } catch (ParserConfigurationException e1) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "DocumentBuilderFactory didn't recognize setting feature " + DISALLOW_DOCTYPE_DECL);
+	      }
+	      
+	      try {
+	        documentBuilderFactory.setFeature(LOAD_EXTERNAL_DTD, false);
+	      } catch (ParserConfigurationException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "DocumentBuilderFactory doesn't support feature " + LOAD_EXTERNAL_DTD);
+	      }
+	      
+	      documentBuilderFactory.setXIncludeAware(false);
+	      documentBuilderFactory.setExpandEntityReferences(false);
 
+	}
     /**
      * Extract the endpoint from the deployment descriptor, resolving names and placeholders against
      * the same environment as that of the JVM that will deploy the service
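Review bot: secureDocumentBuilderFactory fails open: when the parser rejects `DISALLOW_DOCTYPE_DECL`, the catch only logs a warning and the factory is then used with DOCTYPE processing still enabled, and none of the remaining settings switch off external general or parameter entities. `setExpandEntityReferences(false)` governs how entity references appear in the DOM and may not by itself stop external entities from being resolved on every parser, so it should not be the only fallback. Consider also setting `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false, as secureXmlReader in DuccUimaSerializer does, and decide whether an unrecognised feature should abort the parse instead of continuing. The same applies to secureFactory in DDParser and to the copy of this method in DeployableGenerator.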
@@ -169,9 +194,10 @@ public class DuccUiUtilities {
             } else {
               xmlin = UimaUtils.getXMLInputSource(process_DD);
             }
-            DocumentBuilder db = 
-            		XMLUtils.createDocumentBuilderFactory().newDocumentBuilder();
-            //DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            DocumentBuilder db = null;
+        	DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
+        	secureDocumentBuilderFactory(f);
+        	db = f.newDocumentBuilder();
             doc = db.parse(xmlin.getInputStream());
         } catch (Throwable t) {
             t.printStackTrace();
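Review bot: `db` is declared as null and assigned two lines later, which adds nothing, and the three lines after it are indented with a space-then-tab mix that differs from the surrounding context. A single `DocumentBuilder db = f.newDocumentBuilder();` after `secureDocumentBuilderFactory(f);` reads more directly. The enclosing try block starts outside the hunk.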

Modified: uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/aio/DDParser.java
URL: http://svn.apache.org/viewvc/uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/aio/DDParser.java?rev=1824997&r1=1824996&r2=1824997&view=diff
==============================================================================
--- uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/aio/DDParser.java (original)
+++ uima/uima-ducc/trunk/uima-ducc-cli/src/main/java/org/apache/uima/ducc/cli/aio/DDParser.java Wed Feb 21 19:56:58 2018
@@ -21,18 +21,26 @@ package org.apache.uima.ducc.cli.aio;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
-import org.apache.uima.internal.util.XMLUtils;
+import org.apache.uima.UIMAFramework;
+import org.apache.uima.util.Level;
 import org.xml.sax.Attributes;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.helpers.DefaultHandler;
 
 public class DDParser extends DefaultHandler {
 	
+	private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+	private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
 	private File file = null;
 	private FileInputStream fis = null;
 	private SAXParser parser = null;
@@ -48,14 +56,40 @@ public class DDParser extends DefaultHan
 		this.file = file;
 		parse();
 	}
-	
+	private void secureFactory(SAXParserFactory f) {
+        try {
+            f.setFeature(DISALLOW_DOCTYPE_DECL, true);
+          } catch (SAXNotRecognizedException e) {
+            UIMAFramework.getLogger().log(Level.WARNING, 
+                "SAXParserFactory didn't recognize feature " + DISALLOW_DOCTYPE_DECL);
+          } catch (SAXNotSupportedException e) {
+            UIMAFramework.getLogger().log(Level.WARNING, 
+                "SAXParserFactory doesn't support feature " + DISALLOW_DOCTYPE_DECL);
+          } catch (ParserConfigurationException e) {
+            UIMAFramework.getLogger().log(Level.WARNING, 
+                "SAXParserFactory doesn't support feature " + DISALLOW_DOCTYPE_DECL);
+          }
+          
+          try {
+            f.setFeature(LOAD_EXTERNAL_DTD, false);
+          } catch (SAXNotRecognizedException e) {
+            UIMAFramework.getLogger().log(Level.WARNING, 
+                "SAXParserFactory didn't recognize feature " + LOAD_EXTERNAL_DTD);
+          } catch (SAXNotSupportedException e) {
+            UIMAFramework.getLogger().log(Level.WARNING, 
+                "SAXParserFactory doesn't support feature " + LOAD_EXTERNAL_DTD);
+          } catch (ParserConfigurationException e) {
+            UIMAFramework.getLogger().log(Level.WARNING, 
+                "SAXParserFactory doesn't support feature " + LOAD_EXTERNAL_DTD);
+          }
+          f.setXIncludeAware(false);
+	}
 	private void parse() throws ParserConfigurationException, SAXException, IOException {
 		fis = new FileInputStream(file);
-		//TransformerFactory tFactory = 
-		SAXParserFactory f =
-				XMLUtils.createSAXParserFactory();
-		parser = f.newSAXParser();
-//		parser = SAXParserFactory.newInstance().newSAXParser();
+
+		SAXParserFactory f = SAXParserFactory.newInstance();
+    	secureFactory(f);
+        parser = f.newSAXParser();
 		parser.parse(fis, this);
 	}
 	
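Review bot: The catch arms in secureFactory discard the caught exception, and the ParserConfigurationException arm reuses the "doesn't support" text, so the warning does not show why the parser rejected the feature. `SAXNotRecognizedException` and `SAXNotSupportedException` are both `SAXException` subclasses, so each try could use a single arm, `} catch (SAXException | ParserConfigurationException e) {`, and pass `e` to the logger through `log(Level, String, Throwable)`. Multi-catch needs Java 7, which I have not confirmed for this module.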

Modified: uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/common/DuccUimaSerializer.java
URL: http://svn.apache.org/viewvc/uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/common/DuccUimaSerializer.java?rev=1824997&r1=1824996&r2=1824997&view=diff
==============================================================================
--- uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/common/DuccUimaSerializer.java (original)
+++ uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/common/DuccUimaSerializer.java Wed Feb 21 19:56:58 2018
@@ -24,26 +24,31 @@ import java.io.Reader;
 import java.io.StringReader;
 import java.io.StringWriter;
 import java.io.Writer;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 
 import javax.xml.parsers.FactoryConfigurationError;
 import javax.xml.parsers.ParserConfigurationException;
 
+import org.apache.uima.UIMAFramework;
 import org.apache.uima.cas.CAS;
 import org.apache.uima.cas.impl.XmiCasDeserializer;
 import org.apache.uima.cas.impl.XmiCasSerializer;
-import org.apache.uima.internal.util.XMLUtils;
+import org.apache.uima.util.Level;
 import org.apache.uima.util.XMLSerializer;
 import org.xml.sax.ContentHandler;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
 
-//import com.thoughtworks.xstream.XStream;
-//import com.thoughtworks.xstream.io.xml.DomDriver;
-//import java.util.concurrent.ConcurrentHashMap;
 
 public class DuccUimaSerializer {
-
+	private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+	private static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
+	private static final String EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
   /**
    * Utility method for serializing a CAS to an XMI String
    */
@@ -61,7 +66,38 @@ public class DuccUimaSerializer {
       writer.close();
     }
   }
+  private void secureXmlReader(XMLReader xmlReader) {
+	    try {
+	        xmlReader.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
+	      } catch (SAXNotRecognizedException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "XMLReader didn't recognize feature " + EXTERNAL_GENERAL_ENTITIES);
+	      } catch (SAXNotSupportedException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "XMLReader doesn't support feature " + EXTERNAL_GENERAL_ENTITIES);
+	      }
+
+	      try {
+	        xmlReader.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
+	      } catch (SAXNotRecognizedException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "XMLReader didn't recognize feature " + EXTERNAL_PARAMETER_ENTITIES);
+	      } catch (SAXNotSupportedException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "XMLReader doesn't support feature " + EXTERNAL_PARAMETER_ENTITIES);
+	      }
+
+	      try {
+	        xmlReader.setFeature(LOAD_EXTERNAL_DTD,false);
+	      } catch (SAXNotRecognizedException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "XMLReader didn't recognized feature " + LOAD_EXTERNAL_DTD);
+	      } catch (SAXNotSupportedException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "XMLReader doesn't support feature " + LOAD_EXTERNAL_DTD);
+	      }
 
+  }
   /** 
    * Utility method for deserializing a CAS from an XMI String
    * Does both processing of requests arriving to this service
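Review bot: secureXmlReader never sets `http://apache.org/xml/features/disallow-doctype-decl`, unlike the DocumentBuilderFactory and SAXParserFactory helpers in this commit, so an XMI string passed to deserializeCasFromXmi can still carry a DOCTYPE with an internal subset, and internal entity definitions are still expanded. If XMI payloads never legitimately contain a DOCTYPE, add a fourth try block with `xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The LOAD_EXTERNAL_DTD warning also reads "didn't recognized"; it should be "didn't recognize".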
@@ -70,10 +106,8 @@ public class DuccUimaSerializer {
   public void deserializeCasFromXmi(String anXmlStr, CAS aCAS)
           throws FactoryConfigurationError, ParserConfigurationException, SAXException, IOException {
 
-	XMLReader xmlReader =
-		  XMLUtils.createXMLReader();
-	  
-    //XMLReader xmlReader = XMLReaderFactory.createXMLReader(); // localXmlReader.get();
+	XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+	secureXmlReader(xmlReader);
     Reader reader = new StringReader(anXmlStr);
     XmiCasDeserializer deser = new XmiCasDeserializer(aCAS.getTypeSystem());
     ContentHandler handler = deser.getXmiCasHandler(aCAS);

Modified: uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/dgen/DeployableGenerator.java
URL: http://svn.apache.org/viewvc/uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/dgen/DeployableGenerator.java?rev=1824997&r1=1824996&r2=1824997&view=diff
==============================================================================
--- uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/dgen/DeployableGenerator.java (original)
+++ uima/uima-ducc/trunk/uima-ducc-user/src/main/java/org/apache/uima/ducc/user/dgen/DeployableGenerator.java Wed Feb 21 19:56:58 2018
@@ -23,6 +23,8 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.FileWriter;
 import java.io.StringWriter;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
@@ -31,22 +33,27 @@ import java.util.List;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
+import org.apache.uima.UIMAFramework;
 import org.apache.uima.analysis_engine.AnalysisEngineDescription;
 import org.apache.uima.ducc.user.common.UimaUtils;
 import org.apache.uima.ducc.user.jp.UimaASProcessContainer;
-import org.apache.uima.internal.util.XMLUtils;
+import org.apache.uima.util.Level;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
 public class DeployableGenerator {
-	
-	private String userLogDir = null;
+  private static final String ACCESS_EXTERNAL_STYLESHEET = "http://javax.xml.XMLConstants/property/accessExternalStylesheet";
+  private static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";
+  private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+  private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+  private String userLogDir = null;
   private Document doc;
   private String registryURL;
   
@@ -114,7 +121,24 @@ public class DeployableGenerator {
 			}
 		}
 	}
-	
+	private void secureDocumentBuilderFactory(DocumentBuilderFactory documentBuilderFactory) {
+		try {
+			documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+		} catch (ParserConfigurationException e1) {
+			UIMAFramework.getLogger().log(Level.WARNING, 
+					"DocumentBuilderFactory didn't recognize setting feature " + DISALLOW_DOCTYPE_DECL);
+		}
+
+		try {
+			documentBuilderFactory.setFeature(LOAD_EXTERNAL_DTD, false);
+		} catch (ParserConfigurationException e) {
+			UIMAFramework.getLogger().log(Level.WARNING, 
+					"DocumentBuilderFactory doesn't support feature " + LOAD_EXTERNAL_DTD);
+		}
+
+		documentBuilderFactory.setXIncludeAware(false);
+		documentBuilderFactory.setExpandEntityReferences(false);
+	}
 	/*
 	 * This method is used by the JD to convert a deployment descriptor's inputQueue element
 	 * to make it suitable for the JP's internal broker.
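Review bot: This secureDocumentBuilderFactory is a line-for-line copy of the one added to DuccUiUtilities, and the feature-URI constants are declared in several classes across the commit, so a later hardening change has to be repeated in each place. DuccUiUtilities already imports from `org.apache.uima.ducc.user.common`, so one static helper there could probably serve both classes; I have not checked the module dependencies beyond that import. A short Javadoc on the helper stating that an unrecognised feature is logged and parsing continues would also make that behaviour visible to callers.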
@@ -125,10 +149,10 @@ public class DeployableGenerator {
 		String location = configuration.getReferenceByName();
     org.apache.uima.util.XMLInputSource xmlin = UimaUtils.getXMLInputSource(location);  // Reads from FS or classpath
     
-    DocumentBuilderFactory dbFactory = XMLUtils.createDocumentBuilderFactory();
+    DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+    secureDocumentBuilderFactory(dbFactory);
     DocumentBuilder db = dbFactory.newDocumentBuilder();
     
-    //DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     doc = db.parse(xmlin.getInputStream());
 		
     // Create converted descriptor if input is not a file or if endpoint or broker wrong
@@ -207,19 +231,34 @@ public class DeployableGenerator {
 	public String getRegistryUrl() {
 	  return registryURL;
 	}
-	
+	private void secureTransformerFactory(TransformerFactory transformerFactory) {
+	    try {
+	        transformerFactory.setAttribute(ACCESS_EXTERNAL_DTD, "");
+	      } catch (IllegalArgumentException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "TransformerFactory didn't recognize setting attribute " + ACCESS_EXTERNAL_DTD);
+	      }
+	      
+	      try {
+	        transformerFactory.setAttribute(ACCESS_EXTERNAL_STYLESHEET, "");
+	      } catch (IllegalArgumentException e) {
+	        UIMAFramework.getLogger().log(Level.WARNING, 
+	            "TransformerFactory didn't recognize setting attribute " + ACCESS_EXTERNAL_STYLESHEET);
+	      }
+
+	}
 	private String xml2String(Document xmlDoc) throws Exception {
 		StringWriter writer = null;
-
+		
 		DOMSource domSource = new DOMSource(xmlDoc.getDocumentElement());
 		
 		writer = new StringWriter();
 
 		StreamResult streamResult = new StreamResult(writer);
-		TransformerFactory factory =
-		    XMLUtils.createTransformerFactory();
 		
-		//TransformerFactory factory = TransformerFactory.newInstance();
+		TransformerFactory factory = TransformerFactory.newInstance();
+    	secureTransformerFactory(factory);
+
 		Transformer transformer = factory.newTransformer();
 		transformer.transform(domSource, streamResult);