From 60ffbb04ecde2d7bef2ca508f3a6951f198821bf Mon Sep 17 00:00:00 2001
From: Olyutorskii
Date: Sun, 23 Jun 2019 23:32:12 +0900
Subject: [PATCH] Split entity resolver from resource resolver to prevent XXE vulnerability.

---
 CHANGELOG.txt | 3 ++
 .../jp/sfjp/mikutoga/xml/NoopEntityResolver.java | 58 ++++++++++++++++++++++
 .../jp/sfjp/mikutoga/xml/XmlResourceResolver.java | 37 +-------
 3 files changed, 63 insertions(+), 35 deletions(-)
 create mode 100644 src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 8577d10..0dec860 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -4,6 +4,9 @@ TogaGem 変更履歴
+X.XXX.X (XXXX-XX-XX)
+ * Split entity resolver from resource resolver to prevent XXE vulnerability.
+
 3.121.2 (2019-06-06)
 ・DatatypeIo is public now, for replacing JAXB.
diff --git a/src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java b/src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java
new file mode 100644
index 0000000..7048e0e
--- /dev/null
+++ b/src/main/java/jp/sfjp/mikutoga/xml/NoopEntityResolver.java
@@ -0,0 +1,58 @@
+/*
+ * No-operation Entity Resolver for XML.
+ *
+ * License : The MIT License
+ * Copyright(c) 2019 olyutorskii
+ */
+
+ package jp.sfjp.mikutoga.xml;
+
+ import java.io.Reader;
+ import java.io.StringReader;
+ import org.xml.sax.EntityResolver;
+ import org.xml.sax.InputSource;
+
+ /**
+ * No-operation Entity Resolver implementation for preventing XXE.
+ *
+ * @see
+ * XML external entity attack (Wikipedia)
+ *
+ */
+ public final class NoopEntityResolver implements EntityResolver{
+
+ /** Singleton resolver. */
+ public static final EntityResolver NOOP_RESOLVER =
+ new NoopEntityResolver();
+
+
+ /**
+ * Constructor.
+ */
+ private NoopEntityResolver(){
+ super();
+ return;
+ }
+
+
+ /**
+ * {@inheritDoc}
+ *
+ * Prevent any external entity reference XXE.
+ *
+ * @param publicId {@inheritDoc}
+ * @param systemId {@inheritDoc}
+ * @return empty input source
+ */
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId){
+ Reader emptyReader = new StringReader("");
+ InputSource source = new InputSource(emptyReader);
+
+ source.setPublicId(publicId);
+ source.setSystemId(systemId);
+
+ return source;
+ }
+
+}
diff --git a/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java b/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java
index 196a900..e3c5a53 100644
--- a/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java
+++ b/src/main/java/jp/sfjp/mikutoga/xml/XmlResourceResolver.java
@@ -18,9 +18,6 @@ import java.util.HashMap;
 import java.util.Map;
 import org.w3c.dom.ls.LSInput;
 import org.w3c.dom.ls.LSResourceResolver;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
 /**
  * URL変換マップに従い、XML文書からの外部参照をリダイレクトする。
@@ -28,7 +25,7 @@ import org.xml.sax.SAXException;
  * 主な用途は外部スキーマのリソース化など。
  */
 public class XmlResourceResolver
- implements LSResourceResolver, EntityResolver {
+ implements LSResourceResolver{
 /** XML Schema. */
 public static final String SCHEMA_XML =
@@ -103,7 +100,7 @@ public class XmlResourceResolver
 }else{
 relativeURI = EMPTY_URI;
 }
-
+
 URI result = buildBaseRelativeURI(baseURI, relativeURI);
 return result;
 }
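Review bot: The Javadoc on `resolveEntity` ("Prevent any external entity reference XXE") claims more than an `EntityResolver` can deliver on its own, and the class Javadoc should say what is and is not covered. Returning an empty `InputSource` neutralises only the external entities the parser hands to this hook; it does not limit internal entity expansion, and DOCTYPE handling and external DTD/schema access are still governed by the parser factory's settings. I would add to the class comment: `Returns an empty source for every entity the parser asks about. This complements, but does not replace, parser-level hardening such as XMLConstants.FEATURE_SECURE_PROCESSING or restricting XMLConstants.ACCESS_EXTERNAL_DTD; it does not limit entity expansion.` Since the class has no instance fields, the same comment could note that `NOOP_RESOLVER` is safe to share across parsers and threads.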
@@ -278,36 +275,6 @@ public class XmlResourceResolver
 return input;
 }
- /**
- * {@inheritDoc}
- * URL変換したあとの入力ソースを返す。
- * @param publicId {@inheritDoc}
- * @param systemId {@inheritDoc}
- * @return {@inheritDoc}
- * @throws org.xml.sax.SAXException {@inheritDoc}
- * @throws java.io.IOException {@inheritDoc}
- */
- @Override
- public InputSource resolveEntity(String publicId, String systemId)
- throws SAXException, IOException{
- if(systemId == null) return null;
-
- URI originalUri;
- try{
- originalUri = new URI(systemId);
- }catch(URISyntaxException e){
- return null;
- }
-
- InputStream is = getXMLResourceAsStream(originalUri);
- if(is == null) return null;
-
- InputSource source = new InputSource(is);
- source.setPublicId(publicId);
- source.setSystemId(systemId);
-
- return source;
- }
 /**
  * JRE1.5用LSInput実装。
-- 
2.11.0
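Review bot: Dropping `resolveEntity` here (together with `EntityResolver` in the `implements` hunk above) changes what happens at every `setEntityResolver` call site that passed an `XmlResourceResolver`: such code no longer compiles against the interface, and if it is simply removed rather than switched to `NoopEntityResolver.NOOP_RESOLVER`, the parser reverts to its default resolver, which does fetch external entities — the opposite of what the subject line intends. The diffstat lists only three files, so those call sites are not in this patch; confirm they are updated in the same release, and consider spelling out in the CHANGELOG line that this is a source-incompatible change to a public class. The removed body also used `IOException` and `URISyntaxException`; their imports sit above the first hunk, so check whether they are still referenced elsewhere in the file or should go along with the `org.xml.sax` imports. The enclosing class continues before and after this hunk.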