Posted to commits@knox.apache.org by kr...@apache.org on 2019/11/17 18:39:52 UTC
[knox] branch master updated: KNOX-2053 - Ensure secure XML
processing
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 90559a4 KNOX-2053 - Ensure secure XML processing
90559a4 is described below
commit 90559a40c2c5f412bcc1ad1825e48aff89a6929a
Author: Kevin Risden <kr...@apache.org>
AuthorDate: Sun Nov 17 09:39:10 2019 -0500
KNOX-2053 - Ensure secure XML processing
Signed-off-by: Kevin Risden <kr...@apache.org>
---
.../gateway/topology/validation/TopologyValidator.java | 14 +++++++-------
.../definition/UrlRewriteRulesDescriptorAdapter.java | 5 ++++-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java b/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
index 5561087..8ea9440 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
@@ -15,7 +15,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
package org.apache.knox.gateway.topology.validation;
import java.io.File;
@@ -55,25 +54,26 @@ public class TopologyValidator {
public boolean validateTopology() {
errors = new LinkedList<>();
try {
- SchemaFactory fact = SchemaFactory
- .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
URL schemaUrl = getClass().getResource( "/conf/topology-v1.xsd" );
- Schema s = fact.newSchema( schemaUrl );
+ Schema s = schemaFactory.newSchema( schemaUrl );
Validator validator = s.newValidator();
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
final List<SAXParseException> exceptions = new LinkedList<>();
validator.setErrorHandler(new ErrorHandler() {
@Override
- public void warning(SAXParseException exception) throws SAXException {
+ public void warning(SAXParseException exception) {
exceptions.add(exception);
}
@Override
- public void fatalError(SAXParseException exception) throws SAXException {
+ public void fatalError(SAXParseException exception) {
exceptions.add(exception);
}
@Override
- public void error(SAXParseException exception) throws SAXException {
+ public void error(SAXParseException exception) {
exceptions.add(exception);
}
});
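Review bot: The two external-access restrictions in `validateTopology()` are set on the `Validator` only; the `SchemaFactory` that compiles `/conf/topology-v1.xsd` two lines earlier is left at its defaults, and secure processing is not requested explicitly on either object. The schema is a bundled classpath resource, so the exposure is small, but the hardening then depends on the JAXP implementation's defaults. Consider adding `schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` plus the same `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` properties on `schemaFactory` before `newSchema`. Separately, `setProperty` with these JAXP 1.5 names can throw `SAXNotRecognizedException` on an implementation that does not support them. How the enclosing `try` reports that is outside the hunk, so confirm it surfaces as a configuration error and not as an ordinary topology validation failure.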
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java b/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
index 8acdf89..a4ba66b 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
@@ -25,6 +25,7 @@ import java.io.StringWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
+import javax.xml.XMLConstants;
import javax.xml.bind.annotation.adapters.XmlAdapter;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
@@ -53,7 +54,9 @@ public class UrlRewriteRulesDescriptorAdapter extends XmlAdapter<Object, UrlRewr
private static InputStream nodeToInputStream(Node node) throws Exception {
try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
- TransformerFactory.newInstance().newTransformer().transform(new DOMSource(node), new StreamResult(outputStream));
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ transformerFactory.newTransformer().transform(new DOMSource(node), new StreamResult(outputStream));
return new ByteArrayInputStream(outputStream.toByteArray());
}
}
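Review bot: `FEATURE_SECURE_PROCESSING` is the only restriction set on the `TransformerFactory` in `nodeToInputStream`, whereas the `TopologyValidator` change in this same commit sets the external-access properties explicitly. For consistency, and so the result does not depend on how a given implementation interprets the feature, consider also `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`. The source here is a `DOMSource`, an already-parsed node, so this setting covers the serialization step only. The returned stream is presumably parsed again by the caller, outside the hunk, and that parser needs its own restrictions; worth confirming.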