Split entity resolver from resource resolver to prevent XXE vulnerability.

author Olyutorskii <olyutorskii@users.osdn.me>

Sun, 23 Jun 2019 14:32:12 +0000 (23:32 +0900)

committer Olyutorskii <olyutorskii@users.osdn.me>

Sun, 23 Jun 2019 14:32:12 +0000 (23:32 +0900)
author Olyutorskii <olyutorskii@users.osdn.me>
Sun, 23 Jun 2019 14:32:12 +0000 (23:32 +0900)
committer Olyutorskii <olyutorskii@users.osdn.me>
Sun, 23 Jun 2019 14:32:12 +0000 (23:32 +0900)
diff --git a/CHANGELOG.txt b/CHANGELOG.txt

index 8577d10..0dec860 100644 (file)
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -4,6 +4,9 @@
  TogaGem 変更履歴
  
  
  TogaGem 変更履歴
  
  
+X.XXX.X (XXXX-XX-XX)
+    * Split entity resolver from resource resolver to prevent XXE vulnerability.
+
  3.121.2 (2019-06-06)
      ・DatatypeIo is public now, for replacing JAXB.
  
  3.121.2 (2019-06-06)
      ・DatatypeIo is public now, for replacing JAXB.
  
diff --git a/src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java b/src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java

new file mode 100644 (file)

index 0000000..7048e0e
--- /dev/null
+++ b/src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java
@@ -0,0 +1,58 @@
+/*
+ * No-operation Entity Resolver for XML.
+ *
+ * License : The MIT License
+ * Copyright(c) 2019 olyutorskii
+ */
+
+package jp.sfjp.mikutoga.xml;
+
+import java.io.Reader;
+import java.io.StringReader;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+
+/**
+ * No-operation Entity Resolver implementation for preventing XXE.
+ *
+ * @see <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">
+ *     XML external entity attack (Wikipedia)
+ *     </a>
+ */
+public final class NoopEntityResolver implements EntityResolver{
+
+    /** Singleton resolver. */
+    public static final EntityResolver NOOP_RESOLVER =
+            new NoopEntityResolver();
+
+
+    /**
+     * Constructor.
+     */
+    private NoopEntityResolver(){
+        super();
+        return;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     *
+     * <p>Prevent any external entity reference XXE.
+     *
+     * @param publicId {@inheritDoc}
+     * @param systemId {@inheritDoc}
+     * @return empty input source
+     */
+    @Override
+    public InputSource resolveEntity(String publicId, String systemId){
+        Reader emptyReader = new StringReader("");
+        InputSource source = new InputSource(emptyReader);
+
+        source.setPublicId(publicId);
+        source.setSystemId(systemId);
+
+        return source;
+    }
+
+}
diff --git a/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java b/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java

index 196a900..e3c5a53 100644 (file)
--- a/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java
+++ b/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java
@@ -18,9 +18,6 @@ import java.util.HashMap;
  import java.util.Map;
  import org.w3c.dom.ls.LSInput;
  import org.w3c.dom.ls.LSResourceResolver;
  import java.util.Map;
  import org.w3c.dom.ls.LSInput;
  import org.w3c.dom.ls.LSResourceResolver;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
  
  /**
   * URL変換マップに従い、XML文書からの外部参照をリダイレクトする。
  
  /**
   * URL変換マップに従い、XML文書からの外部参照をリダイレクトする。
@@ -28,7 +25,7 @@ import org.xml.sax.SAXException;
   * 主な用途は外部スキーマのリソース化など。
   */
  public class XmlResourceResolver
   * 主な用途は外部スキーマのリソース化など。
   */
  public class XmlResourceResolver
-        implements LSResourceResolver, EntityResolver {
+        implements LSResourceResolver{
  
      /** XML Schema. */
      public static final String SCHEMA_XML =
  
      /** XML Schema. */
      public static final String SCHEMA_XML =
@@ -103,7 +100,7 @@ public class XmlResourceResolver
          }else{
              relativeURI = EMPTY_URI;
          }
          }else{
              relativeURI = EMPTY_URI;
          }
-        
+
          URI result = buildBaseRelativeURI(baseURI, relativeURI);
          return result;
      }
          URI result = buildBaseRelativeURI(baseURI, relativeURI);
          return result;
      }
@@ -278,36 +275,6 @@ public class XmlResourceResolver
          return input;
      }
  
          return input;
      }
  
-    /**
-     * {@inheritDoc}
-     * URL変換したあとの入力ソースを返す。
-     * @param publicId {@inheritDoc}
-     * @param systemId {@inheritDoc}
-     * @return {@inheritDoc}
-     * @throws org.xml.sax.SAXException {@inheritDoc}
-     * @throws java.io.IOException {@inheritDoc}
-     */
-    @Override
-    public InputSource resolveEntity(String publicId, String systemId)
-            throws SAXException, IOException{
-        if(systemId == null) return null;
-
-        URI originalUri;
-        try{
-            originalUri = new URI(systemId);
-        }catch(URISyntaxException e){
-            return null;
-        }
-
-        InputStream is = getXMLResourceAsStream(originalUri);
-        if(is == null) return null;
-
-        InputSource source = new InputSource(is);
-        source.setPublicId(publicId);
-        source.setSystemId(systemId);
-
-        return source;
-    }
  
      /**
       * JRE1.5用LSInput実装。
  
      /**
       * JRE1.5用LSInput実装。
author	Olyutorskii <olyutorskii@users.osdn.me>
	Sun, 23 Jun 2019 14:32:12 +0000 (23:32 +0900)
committer	Olyutorskii <olyutorskii@users.osdn.me>
	Sun, 23 Jun 2019 14:32:12 +0000 (23:32 +0900)
CHANGELOG.txt		patch \| blob \| history
src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java	[new file with mode: 0644]	patch \| blob
src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java		patch \| blob \| history