TogaGem 変更履歴
+X.XXX.X (XXXX-XX-XX)
+ * Split entity resolver from resource resolver to prevent XXE vulnerability.
+
3.121.2 (2019-06-06)
・DatatypeIo is public now, for replacing JAXB.
--- /dev/null
+/*
+ * No-operation Entity Resolver for XML.
+ *
+ * License : The MIT License
+ * Copyright(c) 2019 olyutorskii
+ */
+
+package jp.sfjp.mikutoga.xml;
+
+import java.io.Reader;
+import java.io.StringReader;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+
+/**
+ * No-operation Entity Resolver implementation for preventing XXE.
+ *
+ * @see <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">
+ * XML external entity attack (Wikipedia)
+ * </a>
+ */
+public final class NoopEntityResolver implements EntityResolver{
+
+ /** Singleton resolver. */
+ public static final EntityResolver NOOP_RESOLVER =
+ new NoopEntityResolver();
+
+
+ /**
+ * Constructor.
+ */
+ private NoopEntityResolver(){
+ super();
+ return;
+ }
+
+
+ /**
+ * {@inheritDoc}
+ *
+ * <p>Prevent any external entity reference XXE.
+ *
+ * @param publicId {@inheritDoc}
+ * @param systemId {@inheritDoc}
+ * @return empty input source
+ */
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId){
+ Reader emptyReader = new StringReader("");
+ InputSource source = new InputSource(emptyReader);
+
+ source.setPublicId(publicId);
+ source.setSystemId(systemId);
+
+ return source;
+ }
+
+}
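Review bot: resolveEntity (L55–L63) resolves every external DTD or entity reference to empty content rather than rejecting it, so a document that references an external subset still parses, silently and with whatever that subset would have defined missing; the class Javadoc should say so, since "preventing XXE" reads as if such references fail. It should also state what the resolver does not cover: an EntityResolver is consulted only for external references, so a DOCTYPE declaration is still accepted and internal entity expansion still happens, which means callers must additionally apply the parser's own hardening, e.g. `XMLConstants.FEATURE_SECURE_PROCESSING` and the `XMLConstants.ACCESS_EXTERNAL_DTD` property, for the XXE protection the @see link describes. A suggested addition to the class comment: `<p>External DTDs and entities resolve to empty content and are not rejected. This resolver is only consulted for external references; set the parser's secure-processing / external-access restrictions as well.` Minor style: the `super();` and `return;` in the private constructor (L40–L41) are no-ops and can be dropped.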
import java.util.Map;
import org.w3c.dom.ls.LSInput;
import org.w3c.dom.ls.LSResourceResolver;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
/**
* URL変換マップに従い、XML文書からの外部参照をリダイレクトする。
* 主な用途は外部スキーマのリソース化など。
*/
public class XmlResourceResolver
- implements LSResourceResolver, EntityResolver {
+ implements LSResourceResolver{
/** XML Schema. */
public static final String SCHEMA_XML =
}else{
relativeURI = EMPTY_URI;
}
-
+
URI result = buildBaseRelativeURI(baseURI, relativeURI);
return result;
}
return input;
}
- /**
- * {@inheritDoc}
- * URL変換したあとの入力ソースを返す。
- * @param publicId {@inheritDoc}
- * @param systemId {@inheritDoc}
- * @return {@inheritDoc}
- * @throws org.xml.sax.SAXException {@inheritDoc}
- * @throws java.io.IOException {@inheritDoc}
- */
- @Override
- public InputSource resolveEntity(String publicId, String systemId)
- throws SAXException, IOException{
- if(systemId == null) return null;
-
- URI originalUri;
- try{
- originalUri = new URI(systemId);
- }catch(URISyntaxException e){
- return null;
- }
-
- InputStream is = getXMLResourceAsStream(originalUri);
- if(is == null) return null;
-
- InputSource source = new InputSource(is);
- source.setPublicId(publicId);
- source.setSystemId(systemId);
-
- return source;
- }
/**
* JRE1.5用LSInput実装。