Posted to commits@knox.apache.org by kr...@apache.org on 2019/11/17 18:39:52 UTC

[knox] branch master updated: KNOX-2053 - Ensure secure XML processing

This is an automated email from the ASF dual-hosted git repository.

krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 90559a4  KNOX-2053 - Ensure secure XML processing
90559a4 is described below

commit 90559a40c2c5f412bcc1ad1825e48aff89a6929a
Author: Kevin Risden <kr...@apache.org>
AuthorDate: Sun Nov 17 09:39:10 2019 -0500

    KNOX-2053 - Ensure secure XML processing
    
    Signed-off-by: Kevin Risden <kr...@apache.org>
---
 .../gateway/topology/validation/TopologyValidator.java     | 14 +++++++-------
 .../definition/UrlRewriteRulesDescriptorAdapter.java       |  5 ++++-
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java b/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
index 5561087..8ea9440 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
@@ -15,7 +15,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.apache.knox.gateway.topology.validation;
 
 import java.io.File;
@@ -55,25 +54,26 @@ public class TopologyValidator {
   public boolean validateTopology() {
     errors = new LinkedList<>();
     try {
-      SchemaFactory fact = SchemaFactory
-          .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+      SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
       URL schemaUrl = getClass().getResource( "/conf/topology-v1.xsd" );
-      Schema s = fact.newSchema( schemaUrl );
+      Schema s = schemaFactory.newSchema( schemaUrl );
       Validator validator = s.newValidator();
+      validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+      validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
       final List<SAXParseException> exceptions = new LinkedList<>();
       validator.setErrorHandler(new ErrorHandler() {
         @Override
-        public void warning(SAXParseException exception) throws SAXException {
+        public void warning(SAXParseException exception) {
           exceptions.add(exception);
         }
 
         @Override
-        public void fatalError(SAXParseException exception) throws SAXException {
+        public void fatalError(SAXParseException exception) {
           exceptions.add(exception);
         }
 
         @Override
-        public void error(SAXParseException exception) throws SAXException {
+        public void error(SAXParseException exception) {
           exceptions.add(exception);
         }
       });
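Review bot: The two ACCESS_EXTERNAL_* properties are applied only to the Validator, while `schemaFactory` on the first added line still loads the XSD with default external access, so a DTD or xs:import/xs:include referenced from the schema side is not covered; mirror the settings before `newSchema`: `schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`. The topology XSD is read from the classpath, so this is defence in depth rather than an open hole, and it keeps the factory consistent with the FEATURE_SECURE_PROCESSING used on the TransformerFactory in UrlRewriteRulesDescriptorAdapter in the same commit. Both `setProperty` calls declare checked SAXNotRecognizedException/SAXNotSupportedException; validateTopology's catch clause is outside the hunk, so I assume it already covers them. Whether the Validator-level properties affect the topology document depends on whether it is validated from a StreamSource or from an already-parsed DOM, which the validate call beyond this hunk decides.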
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java b/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
index 8acdf89..a4ba66b 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
@@ -25,6 +25,7 @@ import java.io.StringWriter;
 import java.io.Writer;
 import java.nio.charset.StandardCharsets;
 
+import javax.xml.XMLConstants;
 import javax.xml.bind.annotation.adapters.XmlAdapter;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
@@ -53,7 +54,9 @@ public class UrlRewriteRulesDescriptorAdapter extends XmlAdapter<Object, UrlRewr
 
   private static InputStream nodeToInputStream(Node node) throws Exception {
     try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
-      TransformerFactory.newInstance().newTransformer().transform(new DOMSource(node), new StreamResult(outputStream));
+      TransformerFactory transformerFactory = TransformerFactory.newInstance();
+      transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      transformerFactory.newTransformer().transform(new DOMSource(node), new StreamResult(outputStream));
       return new ByteArrayInputStream(outputStream.toByteArray());
     }
   }
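Review bot: FEATURE_SECURE_PROCESSING on the TransformerFactory enforces entity-expansion and extension-function limits but, unlike the ACCESS_EXTERNAL_* properties this commit sets in TopologyValidator, it does not by itself restrict external DTD or stylesheet fetches on the JDK transformer; because this is an identity transform of an already-parsed in-memory node, that is probably adequate, and a comment should record the reasoning so the next reader does not re-audit it: `// identity transform of an in-memory node: secure processing bounds resource use; no external DTD/stylesheet is resolved here`. If defence in depth is wanted to match the other file, `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` before `newTransformer()` does it, with the caveat that non-JDK TransformerFactory implementations may reject unknown attributes with IllegalArgumentException. The method's `throws Exception` predates this change and would hide the TransformerConfigurationException that `setFeature` can raise; narrowing it is a separate cleanup.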