Java Code Examples for javax.xml.parsers.DocumentBuilderFactory#setFeature()

Example 1
Source File: B2BParserHelper.java    From kfs with GNU Affero General Public License v3.0
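/**
 * Builds the shared, non-validating {@link DocumentBuilder} used by this helper.
 *
 * <p>The parser is configured so that it never reaches out for external resources
 * while parsing: the external DTD is not fetched and external entities are not
 * resolved. Without this, even a non-validating parser would try to retrieve the
 * DTD referenced by the document, and an unreachable host would make parsing hang
 * or fail.
 *
 * @throws RuntimeException if the underlying parser does not support one of the
 *         requested features or cannot be created
 */
private B2BParserHelper(){
    
    DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    builderFactory.setValidating(false); // It's not needed to validate here
    builderFactory.setIgnoringElementContentWhitespace(true); 

    try {
        // This is a funky one. Without setting this "load-external-dtd" feature, even though we're
        // explicitly setting non-validating, the parser will still reach out and retrieve that DTD. If
        // the xml.cxml.org site happens to be down, it'll hang or fail on that dependency.
        //
        // http://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd
        builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        // Not loading the DTD is not enough on its own: entities declared in the document's
        // internal subset could still point at external resources. Refuse to resolve them so
        // parsing cannot be turned into a read of local files or an outbound request (XXE).
        builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builderFactory.setExpandEntityReferences(false);
        
        builder = builderFactory.newDocumentBuilder(); // Create the parser
    } catch(ParserConfigurationException e) {
        throw new RuntimeException(e);
    } 
    
}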
 
Example 2
Source File: XmlUtils.java    From cs-actions with Apache License 2.0
/**
 * Creates a namespace-aware {@link DocumentBuilder} with DTD processing and external
 * entity resolution switched off.
 *
 * <p>Every feature is set unconditionally except {@link XMLConstants#FEATURE_SECURE_PROCESSING},
 * whose value is taken from {@code secure}.
 *
 * @param secure value applied to {@link XMLConstants#FEATURE_SECURE_PROCESSING}
 * @return a freshly created document builder
 * @throws ParserConfigurationException if the underlying implementation rejects one of the
 *         requested features or cannot create a builder
 */
public static DocumentBuilder getDocumentBuilder(boolean secure) throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

    // Features that must be off: external entity resolution and external DTD loading.
    String[] disabledFeatures = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    };
    for (String name : disabledFeatures) {
        factory.setFeature(name, false);
    }
    // Reject any document that carries a DOCTYPE at all.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    factory.setNamespaceAware(true);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
    return factory.newDocumentBuilder();
}
 
Example 3
Source File: XSLTTransformer.java    From micro-integrator with Apache License 2.0
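/**
 * This method provides a secured document builder which will secure XXE attacks.
 *
 * <p>The security manager (entity-expansion limit) is applied to the factory
 * <em>before</em> the builder is created: a {@link DocumentBuilder} captures the
 * factory's configuration at creation time, so an attribute set afterwards never
 * reaches the builder that is returned.
 *
 * @param setIgnoreComments whether to set setIgnoringComments in DocumentBuilderFactory.
 * @return DocumentBuilder that refuses to resolve any external entity
 * @throws ParserConfigurationException if the parser does not support the requested features
 */
private static DocumentBuilder getSecuredDocumentBuilder(boolean setIgnoreComments) throws
                                                                                    ParserConfigurationException {
    DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
    documentBuilderFactory.setIgnoringComments(setIgnoreComments);
    documentBuilderFactory.setNamespaceAware(true);
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);
    documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // An expansion limit of 0 is intended to stop entity-expansion ("billion laughs")
    // inputs. It has to be configured before newDocumentBuilder() is called.
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(0);
    documentBuilderFactory.setAttribute(Constants.XERCES_PROPERTY_PREFIX +
            Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
    // Fail closed: any attempt to resolve an external entity is reported as an error
    // instead of being fetched.
    documentBuilder.setEntityResolver(new EntityResolver() {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            throw new SAXException("Possible XML External Entity (XXE) attack. Skip resolving entity");
        }
    });
    return documentBuilder;
}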
 
Example 4
Source File: RsPrettyXml.java    From takes with MIT License
/**
 * Reads the DOCTYPE of the XML in {@code body} without fetching the external
 * DTD it may reference.
 *
 * <p>The DOCTYPE node itself is kept; only the retrieval of its external subset
 * is suppressed via {@link RsPrettyXml#LOAD_EXTERNAL_DTD}.
 *
 * @param body The body to be parsed.
 * @return The document's DocumentType (may be {@code null} when the document has none).
 * @throws IOException if the parser cannot be configured or the body is not well-formed;
 *         the original exception is attached as the cause.
 */
private static DocumentType getDocType(final InputStream body)
    throws IOException {
    final DocumentBuilderFactory factory =
        DocumentBuilderFactory.newInstance();
    try {
        factory.setFeature(RsPrettyXml.LOAD_EXTERNAL_DTD, false);
        final DocumentType doctype = factory
            .newDocumentBuilder()
            .parse(body)
            .getDoctype();
        return doctype;
    } catch (final ParserConfigurationException | SAXException ex) {
        throw new IOException(ex);
    }
}
 
Example 5
Source File: DOM4Parser.java    From netcdf-java with BSD 3-Clause "New" or "Revised" License
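/**
 * Parses the XML text in {@code input} and hands its root element to
 * {@code parseresponse}.
 *
 * @param input the XML text to parse
 * @return {@code true} once the document has been processed
 * @throws SAXException if the parser cannot be configured, the input is not
 *         well-formed, or reading the text fails (wrapped as the cause)
 */
public boolean parse(String input) throws SAXException {
  try {
    DocumentBuilderFactory domfactory = DocumentBuilderFactory.newInstance();
    domfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // NOTE(review): only secure processing is enabled; DOCTYPE declarations and external
    // entity references are still honoured by the parser. If the input can originate from
    // an untrusted peer, consider also disabling external entity resolution here.
    DocumentBuilder dombuilder = domfactory.newDocumentBuilder();
    Document doc;
    // try-with-resources closes the reader on every path, including when parse() throws;
    // previously the close() was skipped whenever parsing failed.
    try (StringReader rdr = new StringReader(input)) {
      doc = dombuilder.parse(new InputSource(rdr));
    }
    doc.getDocumentElement().normalize();
    parseresponse(doc.getDocumentElement());
    return true;
  } catch (ParserConfigurationException | IOException e) {
    throw new SAXException(e);
  }
}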
 
Example 6
Source File: JRXmlUtils.java    From jasperreports with GNU Lesser General Public License v3.0
/**
 * Creates a XML document builder.
 * 
 * <p>The builder never validates and drops comments. Unless {@code allowDoctype()}
 * says otherwise, the {@code FEATURE_DISALLOW_DOCTYPE} feature is enabled on the
 * factory before the builder is created.
 *
 * @param isNamespaceAware whether the builder should be namespace aware
 * @return a XML document builder
 * @throws JRException if the underlying parser cannot be configured or created
 */
public static DocumentBuilder createDocumentBuilder(boolean isNamespaceAware) throws JRException
{
	DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
	factory.setValidating(false);
	factory.setIgnoringComments(true);
	factory.setNamespaceAware(isNamespaceAware);
	
	boolean rejectDoctype = !allowDoctype();
	try
	{
		if (rejectDoctype)
		{
			factory.setFeature(FEATURE_DISALLOW_DOCTYPE, true);
		}
		return factory.newDocumentBuilder();
	}
	catch (ParserConfigurationException e)
	{
		throw new JRException(
			EXCEPTION_MESSAGE_KEY_DOCUMENT_BUILDER_FACTORY_CREATION_FAILURE,
			null,
			e);
	}
}
 
Example 7
Source File: SpringBootStarterMojo.java    From camel-spring-boot with Apache License 2.0
/**
 * Copies the {@code /project/repositories} node of the project's own pom into the
 * generated {@code pom}, surrounded by the generated-section marker comments.
 *
 * <p>Nothing is copied when the project file is unavailable (a warning is logged)
 * or when the original pom has no {@code repositories} node.
 *
 * @param pom the document being generated, modified in place
 * @throws Exception if the original pom cannot be parsed or queried
 */
private void fixAdditionalRepositories(Document pom) throws Exception {
    if (project.getFile() == null) {
        getLog().warn("Cannot access the project pom file to retrieve repositories");
        return;
    }

    // The project pom is parsed with DOCTYPE declarations rejected and secure processing on.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    Document originalPom = dbf.newDocumentBuilder().parse(project.getFile());

    XPath xpath = XPathFactory.newInstance().newXPath();
    Node repositories = (Node) xpath.compile("/project/repositories").evaluate(originalPom, XPathConstants.NODE);
    if (repositories == null) {
        return;
    }

    Node root = pom.getDocumentElement();
    root.appendChild(pom.createComment(GENERATED_SECTION_START));
    root.appendChild(pom.importNode(repositories, true));
    root.appendChild(pom.createComment(GENERATED_SECTION_END));
}
 
Example 8
Source File: XmlCoverageProvider.java    From phabricator-jenkins-plugin with MIT License
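/**
 * Creates a provider that reads coverage from the given XML reports.
 *
 * <p>A single non-validating {@link DocumentBuilder} is prepared up front. DTD
 * grammars and external DTDs are never loaded, so reading a report does not fetch
 * its DTD from the network.
 *
 * @param coverageReports XML coverage report files to read
 * @param includeFiles    include patterns, passed to the superclass
 * @throws IllegalStateException if the JAXP implementation cannot provide a builder with
 *                               the required features; previously this was only printed
 *                               and left {@code db} as {@code null}, deferring the failure
 *                               to the first parse
 */
public XmlCoverageProvider(Set<File> coverageReports, Set<String> includeFiles) {
    super(includeFiles);
    this.coverageReports = coverageReports;
    this.xmlCoverageHandlers = Arrays.asList(new CoberturaXmlCoverageHandler(),
            new CloverXmlCoverageHandler(),
            new JacocoXmlCoverageHandler());

    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setValidating(false);
    dbf.setNamespaceAware(true);
    try {
        // NOTE(review): this explicit feature likely takes precedence over
        // setNamespaceAware(true) above, leaving the builder namespace-unaware. Kept
        // unchanged because the handlers may depend on it -- confirm before altering.
        dbf.setFeature("http://xml.org/sax/features/namespaces", false);
        dbf.setFeature("http://xml.org/sax/features/validation", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        db = dbf.newDocumentBuilder();
    } catch (ParserConfigurationException e) {
        // Fail fast instead of continuing with a null builder that would NPE on first use.
        throw new IllegalStateException("Cannot create XML parser for coverage reports", e);
    }
    cc = new CoverageCounters();
}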
 
Example 9
Source File: XmlUtil.java    From hottub with GNU General Public License v2.0
/**
 * Creates a {@link DocumentBuilderFactory} and attempts to apply
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} to it.
 *
 * <p>The feature value is whatever {@code isXMLSecurityDisabled(secureXmlProcessing)}
 * returns; a factory that rejects the feature is still returned, with a warning logged.
 * NOTE(review): feeding the result of a "disabled" predicate straight into the
 * secure-processing feature reads as inverted relative to the parameter name --
 * confirm against the definition of {@code isXMLSecurityDisabled}.
 *
 * @param secureXmlProcessing forwarded to {@code isXMLSecurityDisabled}
 * @return a new factory, hardened when the implementation allows it
 */
public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    boolean secureProcessing = isXMLSecurityDisabled(secureXmlProcessing);
    try {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
    } catch (ParserConfigurationException e) {
        Object[] args = { factory.getClass().getName() };
        LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", args);
    }
    return factory;
}
 
Example 10
Source File: NDataSourceHelper.java    From carbon-commons with Apache License 2.0
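/**
 * Parses {@code xml} and returns the root element of the resulting document.
 *
 * <p>External DTDs and external general/parameter entities are never resolved and the
 * entity-expansion limit is set to 0, which is intended to keep the parser from
 * reading external resources or expanding entity bombs.
 *
 * <p>The text is handed to the parser as characters rather than as
 * {@code xml.getBytes()}: the latter used the platform default charset and could
 * mis-decode non-ASCII content or disagree with the document's own encoding
 * declaration.
 *
 * @param xml the XML text; {@code null} or blank input yields {@code null}
 * @return the document element, or {@code null} when there is nothing to parse
 * @throws RuntimeException wrapping any parser configuration or parse failure
 */
public static Element stringToElement(String xml) {
	if (xml == null || xml.trim().isEmpty()) {
		return null;
	}
	try {
		DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
		docFactory.setNamespaceAware(false);
		docFactory.setXIncludeAware(false);
		docFactory.setExpandEntityReferences(false);

		docFactory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);

		docFactory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);

		docFactory.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);

		SecurityManager securityManager = new SecurityManager();
		securityManager.setEntityExpansionLimit(0);
		docFactory.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY,
				securityManager);

		DocumentBuilder db = docFactory.newDocumentBuilder();
		// Fully qualified so that no additional import is required in this file.
		org.xml.sax.InputSource source = new org.xml.sax.InputSource(new java.io.StringReader(xml));
		return db.parse(source).getDocumentElement();
	} catch (Exception e) {
		throw new RuntimeException(e.getMessage(), e);
	}
}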
 
Example 11
Source File: XPathParse.java    From axelor-open-suite with GNU Affero General Public License v3.0
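/**
 * Builds a {@link DocumentBuilderFactory} hardened against XXE: DOCTYPE declarations
 * are rejected, external general/parameter entities and external DTDs are not
 * resolved, XInclude and entity-reference expansion are off, and secure processing
 * is on.
 *
 * <p>Configuration failures are not swallowed: a factory that cannot be hardened is
 * never handed out, because the caller would otherwise parse with weaker settings
 * than it expects. Previously only {@code e.getMessage()} was logged and the
 * partially configured factory was returned.
 *
 * @return a fully hardened factory
 * @throws IllegalStateException if the JAXP implementation rejects one of the
 *         required features; the {@link ParserConfigurationException} is the cause
 */
public DocumentBuilderFactory getDocumentBuilderFactory() {
  DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();

  try {
    String feature = "http://apache.org/xml/features/disallow-doctype-decl";
    domFactory.setFeature(feature, true);

    // Disable #external-general-entities
    feature = "http://xml.org/sax/features/external-general-entities";
    domFactory.setFeature(feature, false);

    // Disable #external-parameter-entities
    feature = "http://xml.org/sax/features/external-parameter-entities";
    domFactory.setFeature(feature, false);

    // Disable external DTDs as well
    feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    domFactory.setFeature(feature, false);

    // and these as well
    domFactory.setXIncludeAware(false);
    domFactory.setExpandEntityReferences(false);
    domFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  } catch (ParserConfigurationException e) {
    // Fail closed and keep the original exception for diagnosis.
    throw new IllegalStateException("Unable to configure a secure DocumentBuilderFactory", e);
  }

  return domFactory;
}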
 
Example 12
Source File: DocumentBuilderSafeProperty.java    From Android_Code_Arbiter with GNU Lesser General Public License v3.0
/**
 * Parses the configured input file with a factory whose
 * {@code external-general-entities} feature is explicitly switched on; XInclude and
 * entity-reference expansion are off and the parameter-entities feature is not set
 * in this variant. As its name indicates, this is one of the unsafe configurations
 * this file exercises, not a hardened parser.
 *
 * @throws ParserConfigurationException if the factory rejects the configuration
 * @throws IOException if the input file cannot be read
 * @throws SAXException if the input is not well-formed XML
 */
public static void unsafeManualConfig2() throws ParserConfigurationException, IOException, SAXException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    // external-parameter-entities is deliberately not touched here.
    factory.setFeature("http://xml.org/sax/features/external-general-entities",true);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);

    Document parsed = factory.newDocumentBuilder().parse(getInputFile());
    print(parsed);
}
 
Example 13
Source File: XmlParserFactoryProducer.java    From hop with Apache License 2.0
/**
 * Creates an instance of {@link DocumentBuilderFactory} class with enabled {@link XMLConstants#FEATURE_SECURE_PROCESSING} property.
 * Enabling this feature prevents from some XXE attacks (e.g. XML bomb)
 * See PPP-3506 for more details.
 *
 * <p>DOCTYPE declarations are additionally rejected through the Xerces
 * {@code disallow-doctype-decl} feature.
 *
 * @return a factory with secure processing on and DOCTYPE declarations disallowed
 * @throws ParserConfigurationException if feature can't be enabled
 */
public static DocumentBuilderFactory createSecureDocBuilderFactory() throws ParserConfigurationException {
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  String disallowDoctype = "http://apache.org/xml/features/disallow-doctype-decl";
  factory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
  factory.setFeature( disallowDoctype, true );
  return factory;
}
 
Example 14
Source File: Utils.java    From carbon-device-mgt with Apache License 2.0
/**
 * Parses the iot-api-config.xml file into a DOM document.
 *
 * <p>The parser is namespace-aware, runs with secure processing on and rejects any
 * DOCTYPE declaration, so the configuration file cannot pull in external entities.
 *
 * @param file The file object of iot-api-config.xml.
 * @return Document instance of the file
 * @throws APIMCertificateMGTException if the parser cannot be configured or the file
 *         cannot be read or parsed; the underlying exception is the cause
 */
private static Document convertToDocument(File file) throws APIMCertificateMGTException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    try {
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newDocumentBuilder().parse(file);
    } catch (Exception e) {
        String message = "Error occurred while parsing file, while converting "
                + "to a org.w3c.dom.Document";
        throw new APIMCertificateMGTException(message, e);
    }
}
 
Example 15
Source File: PolicyManagerUtil.java    From carbon-device-mgt with Apache License 2.0
/**
 * Parses {@code file} into a namespace-aware DOM document.
 *
 * <p>Secure processing is on and DOCTYPE declarations are rejected, so the file
 * cannot pull in external entities.
 *
 * @param file the XML file to read
 * @return the parsed document
 * @throws PolicyManagementException if the parser cannot be configured or the file
 *         cannot be read or parsed; the message carries the underlying exception's
 *         message and the exception itself is the cause
 */
public static Document convertToDocument(File file) throws PolicyManagementException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    try {
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newDocumentBuilder().parse(file);
    } catch (Exception e) {
        String message = "Error occurred while parsing file, while converting "
                + "to a org.w3c.dom.Document : " + e.getMessage();
        throw new PolicyManagementException(message, e);
    }
}
 
Example 16
Source File: DeviceManagerUtil.java    From carbon-device-mgt with Apache License 2.0
/**
 * Parses {@code file} into a namespace-aware DOM document.
 *
 * <p>Secure processing is on and DOCTYPE declarations are rejected, so the file
 * cannot pull in external entities.
 *
 * @param file the XML file to read
 * @return the parsed document
 * @throws DeviceManagementException if the parser cannot be configured or the file
 *         cannot be read or parsed; the underlying exception is the cause
 */
public static Document convertToDocument(File file) throws DeviceManagementException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    try {
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newDocumentBuilder().parse(file);
    } catch (Exception e) {
        String message = "Error occurred while parsing file, while converting "
                + "to a org.w3c.dom.Document";
        throw new DeviceManagementException(message, e);
    }
}
 
Example 17
Source File: XmlUtil.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Creates a {@link DocumentBuilderFactory} and attempts to apply
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} to it.
 *
 * <p>The feature value is whatever {@code isXMLSecurityDisabled(secureXmlProcessing)}
 * returns; a factory that rejects the feature is still returned, with a warning logged.
 * NOTE(review): feeding the result of a "disabled" predicate straight into the
 * secure-processing feature reads as inverted relative to the parameter name --
 * confirm against the definition of {@code isXMLSecurityDisabled}.
 *
 * @param secureXmlProcessing forwarded to {@code isXMLSecurityDisabled}
 * @return a new factory, hardened when the implementation allows it
 */
public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    boolean secureProcessing = isXMLSecurityDisabled(secureXmlProcessing);
    try {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
    } catch (ParserConfigurationException e) {
        Object[] args = { factory.getClass().getName() };
        LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", args);
    }
    return factory;
}
 
Example 18
Source File: DocumentBuilderSafeProperty.java    From Android_Code_Arbiter with GNU Lesser General Public License v3.0
/**
 * Parses the configured input file with a factory whose
 * {@code external-general-entities} and {@code external-parameter-entities} features
 * are explicitly switched on; entity-reference expansion is off and XInclude
 * awareness is not set in this variant. As its name indicates, this is one of the
 * unsafe configurations this file exercises, not a hardened parser.
 *
 * @throws ParserConfigurationException if the factory rejects the configuration
 * @throws IOException if the input file cannot be read
 * @throws SAXException if the input is not well-formed XML
 */
public static void unsafeManualConfig3() throws ParserConfigurationException, IOException, SAXException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature("http://xml.org/sax/features/external-general-entities",true);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities",true);
    // setXIncludeAware is deliberately not called here.
    factory.setExpandEntityReferences(false);

    Document parsed = factory.newDocumentBuilder().parse(getInputFile());
    print(parsed);
}
 
Example 19
Source File: DocumentFragmentTest.java    From anno4j with Apache License 2.0
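/**
 * Parses {@code xml} into a namespace-aware DOM document without loading any
 * external DTD.
 *
 * <p>The text is parsed directly by the {@link DocumentBuilder} that carries the
 * {@code load-external-dtd=false} feature. Previously the text went through a
 * {@link TransformerFactory} identity transform into an empty document created by
 * that builder; the transform parses the source with the transformer's own reader,
 * so the feature set on the builder factory never applied to the actual parse.
 *
 * @param xml the XML text to parse
 * @return the parsed document
 * @throws Exception if the parser cannot be configured or the text is not well-formed
 */
private Document parse(String xml) throws Exception {
	DocumentBuilderFactory builder = DocumentBuilderFactory.newInstance();
	builder.setNamespaceAware(true);
	builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
	// Fully qualified so that no additional import is required in this file.
	org.xml.sax.InputSource source = new org.xml.sax.InputSource(new StringReader(xml));
	return builder.newDocumentBuilder().parse(source);
}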
 
Example 20
Source File: XmlParser.java    From org.hl7.fhir.core with Apache License 2.0
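/**
 * Parses the XML in {@code stream} and converts the resulting DOM via
 * {@link #parse(Document)}.
 *
 * <p>Both parse paths reject DOCTYPE declarations and never resolve external entities
 * or external DTDs. When {@code policy} is {@link ValidationPolicy#EVERYTHING} the
 * slower SAX-driven path is used so that {@link XmlLocationAnnotator} can record
 * source locations; that reader receives the same hardening as the DOM builder, and
 * the SAX factory is configured <em>before</em> the parser is created from it
 * (features set on the factory after {@code newSAXParser()} do not reach the
 * already-created parser).
 *
 * @param stream the XML input
 * @return the converted element, or {@code null} if the input could not be parsed
 *         (the failure is reported through {@code logError})
 * @throws Exception propagated from {@link #parse(Document)}; parse failures
 *         themselves are caught and logged
 */
public Element parse(InputStream stream) throws Exception {
	Document doc = null;
	try {
		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
		// xxe protection
		factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
		factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
		factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
		factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
		factory.setXIncludeAware(false);
		factory.setExpandEntityReferences(false);

		factory.setNamespaceAware(true);
		if (policy == ValidationPolicy.EVERYTHING) {
			// use a slower parser that keeps location data
			TransformerFactory transformerFactory = TransformerFactory.newInstance();
			Transformer nullTransformer = transformerFactory.newTransformer();
			DocumentBuilder docBuilder = factory.newDocumentBuilder();
			doc = docBuilder.newDocument();
			DOMResult domResult = new DOMResult(doc);
			SAXParserFactory spf = SAXParserFactory.newInstance();
			spf.setNamespaceAware(true);
			spf.setValidating(false);
			// xxe protection -- applied before newSAXParser(), otherwise the parser created
			// below would not see these settings.
			spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
			spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
			spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
			spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
			SAXParser saxParser = spf.newSAXParser();
			XMLReader xmlReader = saxParser.getXMLReader();
			// Mirror the same hardening on the reader itself, matching the DOM path above.
			xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
			xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
			xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
			xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

			XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
			InputSource inputSource = new InputSource(stream);
			SAXSource saxSource = new SAXSource(locationAnnotator, inputSource);
			nullTransformer.transform(saxSource, domResult);
		} else {
			DocumentBuilder builder = factory.newDocumentBuilder();
			doc = builder.parse(stream);
		}
	} catch (Exception e) {
		logError(0, 0, "(syntax)", IssueType.INVALID, e.getMessage(), IssueSeverity.FATAL);
		doc = null;
	}
	if (doc == null)
		return null;
	else
		return parse(doc);
}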