Example 6 with SecurityManager

Use of org.apache.xerces.util.SecurityManager in project carbon-apimgt by wso2.

Class RegistryLCManager, method getSecuredDocumentBuilder.

/**
 * Returns a secured DocumentBuilderFactory instance
 *
 * @return DocumentBuilderFactory
 */
public static DocumentBuilderFactory getSecuredDocumentBuilder() {
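    // Local typed as the Xerces Constants class: its static fields are reachable through this null reference
    org.apache.xerces.impl.Constants Constants = null;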
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    try {
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
    } catch (ParserConfigurationException e) {
        // Only logged: the factory is still returned even if a feature above could not be set
        log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE, e);
    }
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return dbf;
}
Also used: DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory), SecurityManager (org.apache.xerces.util.SecurityManager), ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)

Example 7 with SecurityManager

Use of org.apache.xerces.util.SecurityManager in project carbon-apimgt by wso2.

Class AbstractWSDLProcessor, method getSecuredDocumentBuilder.

/**
 * Returns a secured document builder to avoid XXE attacks
 *
 * @return secured document builder to avoid XXE attacks
 */
private DocumentBuilderFactory getSecuredDocumentBuilder() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    try {
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
        // Skip throwing the error as this exception doesn't break actual DocumentBuilderFactory creation
        log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE, e);
    }
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return dbf;
}
Also used: DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory), SecurityManager (org.apache.xerces.util.SecurityManager), ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)

Example 8 with SecurityManager

Use of org.apache.xerces.util.SecurityManager in project carbon-apimgt by wso2.

Class APIUtil, method getSecuredDocumentBuilder.

/**
 * Returns a secured DocumentBuilderFactory instance
 *
 * @return DocumentBuilderFactory
 */
public static DocumentBuilderFactory getSecuredDocumentBuilder() {
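    // Local typed as the Xerces Constants class: its static fields are reachable through this null reference
    org.apache.xerces.impl.Constants Constants = null;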
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    try {
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
    } catch (ParserConfigurationException e) {
        // Only logged: the factory is still returned even if a feature above could not be set
        log.error("Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or " + Constants.LOAD_EXTERNAL_DTD_FEATURE, e);
    }
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return dbf;
}
Also used: DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory), SecurityManager (org.apache.xerces.util.SecurityManager), ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)

Example 9 with SecurityManager

Use of org.apache.xerces.util.SecurityManager in project iaf by ibissource.

Class MyErrorHandler, method getValidatorHandler.

@Override
public ValidatorHandler getValidatorHandler(PipeLineSession session, ValidationContext context) throws ConfigurationException {
    ValidatorHandler validatorHandler;
    try {
        javax.xml.validation.Schema schemaObject;
        if (isXmlSchema1_0()) {
            XMLSchemaFactory schemaFactory = new XMLSchemaFactory();
            schemaObject = schemaFactory.newSchema(((XercesValidationContext) context).getGrammarPool());
        } else {
            XMLSchema11Factory schemaFactory = new XMLSchema11Factory();
            schemaObject = schemaFactory.newSchema(((XercesValidationContext) context).getGrammarPool());
        }
        validatorHandler = schemaObject.newValidatorHandler();
    } catch (SAXException e) {
        throw new ConfigurationException(logPrefix + "Cannot create schema", e);
    }
    try {
        // validatorHandler.setFeature(NAMESPACES_FEATURE_ID, true);
        validatorHandler.setFeature(VALIDATION_FEATURE_ID, true);
        validatorHandler.setFeature(SCHEMA_VALIDATION_FEATURE_ID, true);
        validatorHandler.setFeature(SCHEMA_FULL_CHECKING_FEATURE_ID, isFullSchemaChecking());
        validatorHandler.setFeature(DISSALLOW_DOCTYPE_DECL_FEATURE_ID, true);
        SecurityManager securityManager = new SecurityManager();
        securityManager.setEntityExpansionLimit(entityExpansionLimit);
        validatorHandler.setProperty(SECURITY_MANAGER_PROPERTY_ID, securityManager);
        validatorHandler.setContentHandler(context.getContentHandler());
        validatorHandler.setErrorHandler(context.getErrorHandler());
    } catch (SAXNotRecognizedException e) {
        throw new ConfigurationException(logPrefix + "ValidatorHandler does not recognize necessary feature", e);
    } catch (SAXNotSupportedException e) {
        throw new ConfigurationException(logPrefix + "ValidatorHandler does not support necessary feature", e);
    }
    return validatorHandler;
}
Also used: SAXNotSupportedException (org.xml.sax.SAXNotSupportedException), ValidatorHandler (javax.xml.validation.ValidatorHandler), SecurityManager (org.apache.xerces.util.SecurityManager), ConfigurationException (nl.nn.adapterframework.configuration.ConfigurationException), XMLSchemaFactory (org.apache.xerces.jaxp.validation.XMLSchemaFactory), SAXNotRecognizedException (org.xml.sax.SAXNotRecognizedException), XMLSchema11Factory (org.apache.xerces.jaxp.validation.XMLSchema11Factory), SAXException (org.xml.sax.SAXException)

Aggregations

SecurityManager (org.apache.xerces.util.SecurityManager): 9
DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory): 6
ParserConfigurationException (javax.xml.parsers.ParserConfigurationException): 6
XMLConfigurationException (org.apache.xerces.xni.parser.XMLConfigurationException): 2
SAXNotRecognizedException (org.xml.sax.SAXNotRecognizedException): 2
SAXNotSupportedException (org.xml.sax.SAXNotSupportedException): 2
ValidatorHandler (javax.xml.validation.ValidatorHandler): 1
ConfigurationException (nl.nn.adapterframework.configuration.ConfigurationException): 1
XMLSchema11Factory (org.apache.xerces.jaxp.validation.XMLSchema11Factory): 1
XMLSchemaFactory (org.apache.xerces.jaxp.validation.XMLSchemaFactory): 1
SAXException (org.xml.sax.SAXException): 1