Posted to commits@isis.apache.org by ah...@apache.org on 2022/04/11 12:15:14 UTC
[isis] branch master updated: ISIS-2297: harden SAXBuilder (sonar)
This is an automated email from the ASF dual-hosted git repository.
ahuber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/isis.git
The following commit(s) were added to refs/heads/master by this push:
new f34bb00dfb ISIS-2297: harden SAXBuilder (sonar)
f34bb00dfb is described below
commit f34bb00dfbae231e5d7b5e3985b83252f7e0b031
Author: Andi Huber <ah...@apache.org>
AuthorDate: Mon Apr 11 14:15:07 2022 +0200
ISIS-2297: harden SAXBuilder (sonar)
---
commons/pom.xml | 5 +++++
.../commons/internal/codec/_DocumentFactories.java | 23 +++++++++++++++++-----
subdomains/docx/applib/pom.xml | 11 ++++++-----
.../isis/subdomains/docx/applib/util/Jdom2.java | 4 ++--
subdomains/pom.xml | 7 -------
5 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/commons/pom.xml b/commons/pom.xml
index d40995d9a8..3973f6677e 100644
--- a/commons/pom.xml
+++ b/commons/pom.xml
@@ -73,6 +73,11 @@
<artifactId>jackson-module-jaxb-annotations</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.jdom</groupId>
+ <artifactId>jdom2</artifactId>
+ </dependency>
+
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
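Review bot: The `jdom2` dependency is added here without a `<version>`, while the same commit removes the `<jdom2.version>2.0.6.1</jdom2.version>` management entry from `subdomains/pom.xml`, and nothing in this commit shows where the version is now managed. As far as I recall, 2.0.6.1 is the release that fixed the SAXBuilder XXE advisory (CVE-2021-33813), so the version that actually resolves for `isis-commons` should be checked (`mvn dependency:tree -Dincludes=org.jdom`) to make sure the move does not silently fall back to 2.0.6 or older. If it is not already pinned in the root or BOM `dependencyManagement`, add `<version>2.0.6.1</version>` there, with a note such as `<!-- keep >= 2.0.6.1: fixes SAXBuilder XXE (CVE-2021-33813) -->` recording why the floor matters.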
diff --git a/commons/src/main/java/org/apache/isis/commons/internal/codec/_DocumentFactories.java b/commons/src/main/java/org/apache/isis/commons/internal/codec/_DocumentFactories.java
index 3240cdcdfe..f6d337435f 100644
--- a/commons/src/main/java/org/apache/isis/commons/internal/codec/_DocumentFactories.java
+++ b/commons/src/main/java/org/apache/isis/commons/internal/codec/_DocumentFactories.java
@@ -27,6 +27,8 @@ import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
+import org.jdom2.input.SAXBuilder;
+
import lombok.val;
import lombok.experimental.UtilityClass;
@@ -44,31 +46,31 @@ import lombok.experimental.UtilityClass;
@UtilityClass
public class _DocumentFactories {
- public static DocumentBuilderFactory documentBuilderFactory() {
+ public DocumentBuilderFactory documentBuilderFactory() {
val df = DocumentBuilderFactory.newInstance();
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // XML parsers should not be vulnerable to XXE attacks
df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // XML parsers should not be vulnerable to XXE attacks
return df;
}
- public static DocumentBuilder documentBuilder() throws ParserConfigurationException {
+ public DocumentBuilder documentBuilder() throws ParserConfigurationException {
/*sonar-ignore-on*/
return documentBuilderFactory().newDocumentBuilder();
/*sonar-ignore-off*/
}
- public static TransformerFactory transformerFactory() {
+ public TransformerFactory transformerFactory() {
val tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // XML transformers should be secured
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // XML transformers should be secured
return tf;
}
- public static Transformer transformer() throws TransformerConfigurationException {
+ public Transformer transformer() throws TransformerConfigurationException {
return transformerFactory().newTransformer();
}
- public static XMLInputFactory xmlInputFactory() {
+ public XMLInputFactory xmlInputFactory() {
val xmlInputFactory = XMLInputFactory.newInstance();
// disables DTDs entirely
@@ -79,5 +81,16 @@ public class _DocumentFactories {
return xmlInputFactory;
}
+ public SAXBuilder saxBuilder() {
+ /*sonar-ignore-on*/
+ val builder = new SAXBuilder();
+ /*sonar-ignore-off*/
+ builder.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ builder.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ return builder;
+ }
+
+
+
}
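Review bot: `saxBuilder()` relies only on the JAXP `accessExternalDTD`/`accessExternalSchema` properties, which block external DTD and entity fetches but leave DOCTYPE handling and internal entity expansion (entity-blowup DoS) to whatever limits the underlying parser has; since the only caller visible here (`Jdom2.loadInput`) parses HTML fragments that never need a DOCTYPE, the builder could refuse it outright with `builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `builder.setExpandEntities(false);`. Also, JDOM2 does not push `setProperty` values to the `XMLReader` here but when `build()` runs, and a SAX driver picked up from the classpath that does not recognise the JAXP property makes `build()` throw a `JDOMException` — fail-closed, which is fine, but worth a comment such as `// JAXP access-restriction properties; JDOM2 applies them inside build(), and a driver that rejects them makes build() throw` so a parser-configuration failure is not mistaken for bad input. The three blank lines before the closing brace can be dropped.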
diff --git a/subdomains/docx/applib/pom.xml b/subdomains/docx/applib/pom.xml
index b184c526f9..7fc6efcfdf 100644
--- a/subdomains/docx/applib/pom.xml
+++ b/subdomains/docx/applib/pom.xml
@@ -35,6 +35,12 @@
</properties>
<dependencies>
+
+ <dependency>
+ <groupId>org.apache.isis.commons</groupId>
+ <artifactId>isis-commons</artifactId>
+ </dependency>
+
<dependency>
<groupId>org.apache.isis.core</groupId>
<artifactId>isis-applib</artifactId>
@@ -59,11 +65,6 @@
</exclusions>
</dependency>
- <dependency>
- <groupId>org.jdom</groupId>
- <artifactId>jdom2</artifactId>
- </dependency>
-
<dependency>
<groupId>org.apache.isis.testing</groupId>
<artifactId>isis-testing-unittestsupport-applib</artifactId>
diff --git a/subdomains/docx/applib/src/main/java/org/apache/isis/subdomains/docx/applib/util/Jdom2.java b/subdomains/docx/applib/src/main/java/org/apache/isis/subdomains/docx/applib/util/Jdom2.java
index a1bf6a7688..655b04fcae 100644
--- a/subdomains/docx/applib/src/main/java/org/apache/isis/subdomains/docx/applib/util/Jdom2.java
+++ b/subdomains/docx/applib/src/main/java/org/apache/isis/subdomains/docx/applib/util/Jdom2.java
@@ -29,8 +29,8 @@ import org.jdom2.Document;
import org.jdom2.Element;
import org.jdom2.JDOMException;
import org.jdom2.Text;
-import org.jdom2.input.SAXBuilder;
+import org.apache.isis.commons.internal.codec._DocumentFactories;
import org.apache.isis.subdomains.docx.applib.exceptions.LoadInputException;
import org.apache.isis.subdomains.docx.applib.exceptions.MergeException;
@@ -76,7 +76,7 @@ public final class Jdom2 {
public Document loadInput(final String html) throws LoadInputException {
try {
- return new SAXBuilder().build(new StringReader(html));
+ return _DocumentFactories.saxBuilder().build(new StringReader(html));
} catch (JDOMException e) {
throw new LoadInputException("Unable to parse input", e);
} catch (IOException e) {
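Review bot: With the hardened builder, `build()` can now throw `JDOMException` not only for malformed input but also when the SAX driver rejects the access-restriction properties (JDOM2 applies `setProperty` values during `build()`), and the existing `catch (JDOMException e)` folds both cases into `LoadInputException("Unable to parse input", e)`. That is safe, since parsing fails closed, but a parser-configuration problem would then surface as a per-document "unable to parse" error; a comment on the catch would help the next person debugging it, e.g. `// also raised when the SAX driver rejects the hardening properties set by _DocumentFactories.saxBuilder(); check the cause`. The `IOException` handler body of `loadInput` continues outside the hunk.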
diff --git a/subdomains/pom.xml b/subdomains/pom.xml
index c79d30891c..bfb43bf40a 100644
--- a/subdomains/pom.xml
+++ b/subdomains/pom.xml
@@ -33,8 +33,6 @@
<packaging>pom</packaging>
<properties>
- <jdom2.version>2.0.6.1</jdom2.version>
-
<jar-plugin.automaticModuleName>org.apache.isis.subdomains</jar-plugin.automaticModuleName>
<git-plugin.propertiesDir>org/apache/isis/subdomains</git-plugin.propertiesDir>
</properties>
@@ -141,11 +139,6 @@
</dependency>
<!-- 3rd party dependencies -->
- <dependency>
- <groupId>org.jdom</groupId>
- <artifactId>jdom2</artifactId>
- <version>${jdom2.version}</version>
- </dependency>
<dependency>
<groupId>org.docx4j</groupId>