X.XXX.X (XXXX-XX-XX)
* Split entity resolver from resource resolver to prevent XXE vulnerability.
* Make Schema-factory safe to prevent XXE vulnerability.
+ * Move out xml-xsd info from resolver.
3.121.2 (2019-06-06)
・DatatypeIo is public now, for replacing JAXB.
*/
public final class SchemaUtil {
+
+ /** XML Schema. */
+ public static final String SCHEMA_XML =
+ "http://www.w3.org/2001/xml.xsd";
+
+ /** XSD namespace. */
+ public static final String NS_XSD =
+ "http://www.w3.org/2001/XMLSchema-instance";
+
+ private static final String LOCAL_SCHEMA_XML =
+ "resources/xmlspace.xsd";
+
+ private static final URI URI_XSD_ORIG;
+ private static final URI URI_XSD_LOCAL;
+
private static final String ALLOWED_USCHEMA = "http";
+ private static final Class<?> THISCLASS = SchemaUtil.class;
+
+
+ static{
+ URL redirectRes = THISCLASS.getResource(LOCAL_SCHEMA_XML);
+ String redirectResName = redirectRes.toString();
+
+ URI_XSD_ORIG = URI.create(SCHEMA_XML);
+ URI_XSD_LOCAL = URI.create(redirectResName);
+
+ assert ALLOWED_USCHEMA.equalsIgnoreCase(URI_XSD_ORIG.getScheme());
+ }
+
/**
* 隠しコンストラクタ。
/**
+ * build xml.xsd redirection info.
+ *
+ * @return resolver
+ */
+ public static XmlResourceResolver buildXmlXsdResolver(){
+ XmlResourceResolver result = new XmlResourceResolver();
+ result.putRedirected(URI_XSD_ORIG, URI_XSD_LOCAL);
+ return result;
+ }
+
+ /**
* Build SchemaFactory for XML Schema but safety.
*
* <p>Includes some considerations for XXE vulnerabilities.
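Review bot: In the static initializer, `redirectRes` returned by `THISCLASS.getResource(LOCAL_SCHEMA_XML)` is dereferenced on the next line without a null check, so a missing or mis-packaged `resources/xmlspace.xsd` surfaces as a bare NullPointerException wrapped in ExceptionInInitializerError instead of naming the resource; since that bundled copy is what keeps xml.xsd resolution off the network, the failure should be explicit: `if (redirectRes == null) { throw new ExceptionInInitializerError("bundled schema not found: " + LOCAL_SCHEMA_XML); }`. The `assert` on the URI scheme only runs with `-ea`, which is acceptable for a compile-time constant but deserves a one-line comment saying it is a sanity check rather than a runtime guard. The Javadoc of `buildXmlXsdResolver()` should also state that this factory is now the only place the xml.xsd redirect is installed, because the resolver's own constructor no longer adds it — a caller that still does `new XmlResourceResolver()` directly gets no redirection. `NS_XSD` holds the XMLSchema-instance namespace, so its comment would be more precise as `/** XML Schema instance (xsi) namespace. */`.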
public class XmlResourceResolver
implements LSResourceResolver{
- /** XML Schema. */
- public static final String SCHEMA_XML =
- "http://www.w3.org/2001/xml.xsd";
-
- /** XSD名前空間。 */
- public static final String NS_XSD =
- "http://www.w3.org/2001/XMLSchema-instance";
-
- private static final String LOCAL_SCHEMA_XML =
- "resources/xmlspace.xsd";
-
private static final URI EMPTY_URI = URI.create("");
- private static final Class<?> THISCLASS = XmlResourceResolver.class;
-
private final Map<URI, URI> uriMap;
public XmlResourceResolver(){
super();
- assert this.getClass().equals(THISCLASS);
-
Map<URI, URI> map;
map = new HashMap<>();
map = Collections.synchronizedMap(map);
this.uriMap = map;
- URL redirectRes = THISCLASS.getResource(LOCAL_SCHEMA_XML);
- String redirectResName = redirectRes.toString();
-
- URI originalURI = URI.create(SCHEMA_XML);
- URI redirectURI = URI.create(redirectResName);
-
- putRedirectedImpl(originalURI, redirectURI);
-
return;
}