From: Olyutorskii Date: Sun, 23 Jun 2019 14:48:39 +0000 (+0900) Subject: Make Schema-factory safe to prevent XXE vulnerability. X-Git-Tag: release-3.122.2^2~2^2~9 X-Git-Url: http://git.osdn.net/view?p=mikutoga%2FTogaGem.git;a=commitdiff_plain;h=ebefb7ebac603e37d03d067fce4c5537171faaf4 Make Schema-factory safe to prevent XXE vulnerability.
---
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 0dec860..c8f960d 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -6,6 +6,7 @@ TogaGem 変更履歴
 X.XXX.X (XXXX-XX-XX)
 * Split entity resolver from resource resolver to prevent XXE vulnerability.
+ * Make Schema-factory safe to prevent XXE vulnerability.
 3.121.2 (2019-06-06)
 ・DatatypeIo is public now, for replacing JAXB.
diff --git a/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java b/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java
index bd1541e..2b824ff 100644
--- a/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java
+++ b/src/main/java/jp/sfjp/mikutoga/xml/SchemaUtil.java
@@ -22,12 +22,17 @@ import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import org.w3c.dom.ls.LSResourceResolver;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 /**
 * XMLスキーマの各種ビルダ。
 */
 public final class SchemaUtil {
+ private static final String ALLOWED_USCHEMA = "http";
+
+
 /**
 * 隠しコンストラクタ。
 */
@@ -38,32 +43,56 @@ public final class SchemaUtil {
 /**
- * XML Schema 用のスキーマファクトリを返す。
- * @return スキーマファクトリ
- */
- public static SchemaFactory newSchemaFactory(){
- SchemaFactory result = newSchemaFactory(null);
- return result;
- }
-
- /**
- * XML Schema 用のスキーマファクトリを返す。
- * @param resolver カスタムリゾルバ。nullも可。
- * @return スキーマファクトリ
+ * Build SchemaFactory for XML Schema but safety.
+ *
+ * Includes some considerations for XXE vulnerabilities.
+ *
+ * Restrict access to
+ * External Entity Reference & external DTDs
+ * in xml schema file.
+ *
+ * Restrict access to External schema file access in xml schema file,
+ * but HTTP access is allowed.
+ * This special limit considers access to
+ * importing http://www.w3.org/2001/xml.xsd
+ * in top of common xml schema file.
+ * If HTTP access controll is needed, customize resolver yourself.
+ *
+ * @param resolver Custom resolver for reading xml schema.
+ * Resolve reference to nothing if null.
+ * @return schema factory
 */
 public static SchemaFactory newSchemaFactory(
 LSResourceResolver resolver
 ){
- SchemaFactory schemaFactory =
- SchemaFactory.newInstance(
- XMLConstants.W3C_XML_SCHEMA_NS_URI
- );
+ SchemaFactory schemaFactory;
+ schemaFactory = SchemaFactory.newInstance(
+ XMLConstants.W3C_XML_SCHEMA_NS_URI);
- // schemaFactory.setFeature(name, value);
- // schemaFactory.setProperty(name, object);
+ try{
+ // Prevent denial of service attack.
+ schemaFactory.setFeature(
+ XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+ // FEATURE MUST BE SUPPORTED
+ assert false;
+ }
+
+ try{
+ // Disallow external entity reference & external DTD access.
+ schemaFactory.setProperty(
+ XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ // Allow only HTTP external schema file.
+ schemaFactory.setProperty(
+ XMLConstants.ACCESS_EXTERNAL_SCHEMA, ALLOWED_USCHEMA);
+ }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+ // PROPERTY MUST BE SUPPORTED JAXP1.5 or later
+ assert false;
+ }
- schemaFactory.setErrorHandler(BotherHandler.HANDLER);
 schemaFactory.setResourceResolver(resolver);
+ schemaFactory.setErrorHandler(BotherHandler.HANDLER);
+
 return schemaFactory;
 }
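Review bot: The two `assert false;` catch blocks in newSchemaFactory fail open: with assertions disabled (the JVM default) a SchemaFactory that rejected FEATURE_SECURE_PROCESSING or the ACCESS_EXTERNAL_* properties is still returned as if it had been hardened, so a JAXP implementation on the classpath that predates 1.5 or ignores these properties silently keeps external DTD and schema fetching enabled. Make both catches fail closed, e.g. `throw new IllegalStateException("SchemaFactory does not support secure processing", e);`. Separately, `ALLOWED_USCHEMA = "http"` lets any xsd:import/include/redefine URL inside a validated schema be fetched over plaintext HTTP from any host the JVM can reach, which is an SSRF/egress and tampering vector even though DTDs are blocked; since the javadoc says the only need is the `http://www.w3.org/2001/xml.xsd` import, bundling that file and returning it from the LSResourceResolver lets you pass `XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""` instead (presumably the resolver is consulted before the access check fires — verify against the JAXP implementation in use). The hunk also drops the public no-argument `newSchemaFactory()` overload, a source-incompatible API change that CHANGELOG.txt does not mention.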