ARTEMIS-4077 Add an option to disable XML external entity processing

apache · Nov 15, 2022 · 3a13a78 · 3a13a78
1 parent 4f79eb4
commit 3a13a78
Show file tree

Hide file tree

Showing 19 changed files with 569 additions and 65 deletions.
diff --git a/...cli/src/main/java/org/apache/activemq/artemis/cli/commands/tools/xml/XmlDataImporter.java b/...cli/src/main/java/org/apache/activemq/artemis/cli/commands/tools/xml/XmlDataImporter.java
@@ -16,13 +16,9 @@
  */
 package org.apache.activemq.artemis.cli.commands.tools.xml;
 
-import javax.xml.XMLConstants;
-import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.transform.stax.StAXSource;
-import javax.xml.validation.Schema;
-import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
 import java.io.File;
 import java.io.FileInputStream;
@@ -63,6 +59,7 @@
 import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
 import org.apache.activemq.artemis.utils.ClassloadingUtil;
 import org.apache.activemq.artemis.utils.ListUtil;
+import org.apache.activemq.artemis.utils.XmlProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.lang.invoke.MethodHandles;
@@ -175,7 +172,7 @@ public void process(InputStream inputStream, ClientSession session) throws Excep
    public void process(InputStream inputStream,
                        ClientSession session,
                        ClientSession managementSession) throws Exception {
-      reader = XMLInputFactory.newInstance().createXMLStreamReader(inputStream);
+      reader = XmlProvider.createXMLStreamReader(inputStream);
       messageReader = new XMLMessageImporter(reader, session);
       messageReader.setOldPrefixTranslation(oldPrefixTranslation);
 
@@ -219,11 +216,8 @@ public void validate(String fileName) throws Exception {
    }
 
    public void validate(InputStream inputStream) throws Exception {
-      XMLStreamReader reader = XMLInputFactory.newInstance().createXMLStreamReader(inputStream);
-      SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
-      Schema schema = factory.newSchema(XmlDataImporter.findResource("schema/artemis-import-export.xsd"));
-
-      Validator validator = schema.newValidator();
+      XMLStreamReader reader = XmlProvider.createXMLStreamReader(inputStream);
+      Validator validator = XmlProvider.newValidator(XmlDataImporter.findResource("schema/artemis-import-export.xsd"));
       validator.validate(new StAXSource(reader));
       reader.close();
    }

diff --git a/...src/main/java/org/apache/activemq/artemis/cli/factory/serialize/XMLMessageSerializer.java b/...src/main/java/org/apache/activemq/artemis/cli/factory/serialize/XMLMessageSerializer.java
@@ -18,7 +18,6 @@
 
 import javax.jms.Message;
 import javax.jms.Session;
-import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.XMLStreamWriter;
@@ -36,6 +35,7 @@
 import org.apache.activemq.artemis.cli.commands.tools.xml.XmlDataExporter;
 import org.apache.activemq.artemis.jms.client.ActiveMQMessage;
 import org.apache.activemq.artemis.jms.client.ActiveMQSession;
+import org.apache.activemq.artemis.utils.XmlProvider;
 
 public class XMLMessageSerializer implements MessageSerializer {
 
@@ -87,7 +87,7 @@ public void setOutput(OutputStream outputStream) throws Exception {
 
    @Override
    public void setInput(InputStream inputStream, Session session) throws Exception {
-      XMLStreamReader streamReader = XMLInputFactory.newInstance().createXMLStreamReader(inputStream);
+      XMLStreamReader streamReader = XmlProvider.createXMLStreamReader(inputStream);
       this.clientSession = ((ActiveMQSession) session).getCoreSession();
       this.reader = new XMLMessageImporter(streamReader, clientSession);
    }

diff --git a/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java b/artemis-cli/src/test/java/org/apache/activemq/cli/test/ArtemisTest.java
@@ -29,10 +29,8 @@
 import org.apache.activemq.artemis.json.JsonArray;
 import org.apache.activemq.artemis.json.JsonObject;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import java.io.BufferedReader;
@@ -94,6 +92,7 @@
 import org.apache.activemq.artemis.utils.SensitiveDataCodec;
 import org.apache.activemq.artemis.utils.StringUtil;
 import org.apache.activemq.artemis.utils.Wait;
+import org.apache.activemq.artemis.utils.XmlProvider;
 import org.apache.commons.configuration2.PropertiesConfiguration;
 import org.apache.commons.configuration2.builder.FileBasedConfigurationBuilder;
 import org.apache.commons.configuration2.builder.fluent.Configurations;
@@ -368,8 +367,7 @@ public void testSecurityManagerConfiguration() throws Exception {
       originalBootstrapFile.delete();
 
       // write the modified config into the bootstrap.xml file
-      TransformerFactory transformerFactory = TransformerFactory.newInstance();
-      Transformer transformer = transformerFactory.newTransformer();
+      Transformer transformer = XmlProvider.newTransformer();
       DOMSource source = new DOMSource(config);
       StreamResult streamResult = new StreamResult(originalBootstrapFile);
       transformer.transform(source, streamResult);
@@ -2195,8 +2193,7 @@ public boolean isWindows() {
    }
 
    private static Document parseXml(File xmlFile) throws ParserConfigurationException, IOException, SAXException {
-      DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
-      DocumentBuilder domBuilder = domFactory.newDocumentBuilder();
+      DocumentBuilder domBuilder = XmlProvider.newDocumentBuilder();
       return domBuilder.parse(xmlFile);
    }
 

diff --git a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/XmlProvider.java b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/XmlProvider.java
@@ -0,0 +1,265 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.utils;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+import java.io.InputStream;
+import java.io.Reader;
+import java.net.URL;
+import java.util.Map;
+
+import org.w3c.dom.ls.LSInput;
+import org.xml.sax.SAXException;
+
+public class XmlProvider {
+   public static final String ARTEMIS_DISABLE_XXE_PROPERTY = "artemis.disableXxe";
+
+   public static final String XINCLUDE_AWARE_PROPERTY = "XINCLUDE_AWARE";
+   public static final String NAMESPACE_AWARE_PROPERTY = "NAMESPACE_AWARE";
+   public static final String IGNORE_COMMENTS_PROPERTY = "IGNORE_COMMENTS";
+   public static final String IGNORE_ELEMENT_CONTENT_WHITESPACE_PROPERTY = "IGNORE_ELEMENT_CONTENT_WHITESPACE";
+
+   private static final String ACTIVEMQ_CORE_NS = "urn:activemq:core";
+   private static final String ACTIVEMQ_JMS_NS = "urn:activemq:jms";
+
+   private static final String ARTEMIS_XML_SCHEMA_SID = "xml.xsd";
+   private static final String ARTEMIS_CONFIGURATION_SCHEMA_SID = "artemis-configuration.xsd";
+   private static final String ARTEMIS_JMS_SCHEMA_SID = "artemis-jms.xsd";
+
+   private static final String ARTEMIS_SCHEMA_BASE_URL = "schema/";
+   private static final String ARTEMIS_XML_SCHEMA_URL = ARTEMIS_SCHEMA_BASE_URL + ARTEMIS_XML_SCHEMA_SID;
+   private static final String ARTEMIS_CONFIGURATION_SCHEMA_URL = ARTEMIS_SCHEMA_BASE_URL + ARTEMIS_CONFIGURATION_SCHEMA_SID;
+   private static final String ARTEMIS_JMS_SCHEMA_URL = ARTEMIS_SCHEMA_BASE_URL + ARTEMIS_JMS_SCHEMA_SID;
+
+   private static boolean xxeEnabled = !"".equals(System.getProperty(ARTEMIS_DISABLE_XXE_PROPERTY)) &&
+      !Boolean.parseBoolean(System.getProperty(ARTEMIS_DISABLE_XXE_PROPERTY, Boolean.FALSE.toString()));
+
+   public static boolean isXxeEnabled() {
+      return xxeEnabled;
+   }
+
+   public static void setXxeEnabled(boolean enabled) {
+      xxeEnabled = enabled;
+   }
+
+   public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
+      return newDocumentBuilder(null, null);
+   }
+
+   public static DocumentBuilder newDocumentBuilder(Map<String, Boolean> features, Map<String, Boolean> properties) throws ParserConfigurationException {
+      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+      if (features != null) {
+         for (Map.Entry<String, Boolean> feature : features.entrySet()) {
+            factory.setFeature(feature.getKey(), feature.getValue());
+         }
+      }
+
+      if (properties != null) {
+         for (Map.Entry<String, Boolean> property : properties.entrySet()) {
+            if (XINCLUDE_AWARE_PROPERTY.equals(property.getKey())) {
+               factory.setXIncludeAware(property.getValue());
+            } else if (NAMESPACE_AWARE_PROPERTY.equals(property.getKey())) {
+               factory.setNamespaceAware(property.getValue());
+            } else if (IGNORE_COMMENTS_PROPERTY.equals(property.getKey())) {
+               factory.setIgnoringComments(property.getValue());
+            } else if (IGNORE_ELEMENT_CONTENT_WHITESPACE_PROPERTY.equals(property.getKey())) {
+               factory.setIgnoringElementContentWhitespace(property.getValue());
+            } else {
+               throw new IllegalArgumentException("Property not supported: " + property.getKey());
+            }
+         }
+      }
+
+      if (!isXxeEnabled()) {
+         factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+         factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+         factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+         factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+         factory.setXIncludeAware(false);
+         factory.setExpandEntityReferences(false);
+      }
+
+      return factory.newDocumentBuilder();
+   }
+
+   public static XMLStreamReader createXMLStreamReader(InputStream inputStream) throws XMLStreamException {
+      XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+
+      if (!isXxeEnabled()) {
+         // This disables DTDs entirely for that factory
+         xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+         // disable external entities
+         xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+      }
+
+      return xmlInputFactory.createXMLStreamReader(inputStream);
+   }
+
+   public static Schema newSchema(Source schema, Map<String, Boolean> features) throws SAXException {
+      return newSchemaFactory(features).newSchema(schema);
+   }
+
+   private static SchemaFactory newSchemaFactory(Map<String, Boolean> features) throws SAXException {
+      SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+
+      if (features != null) {
+         for (Map.Entry<String, Boolean> feature : features.entrySet()) {
+            factory.setFeature(feature.getKey(), feature.getValue());
+         }
+      }
+
+      if (!isXxeEnabled()) {
+         factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+         factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+
+         factory.setResourceResolver((type, namespaceURI, publicId, systemId, baseURI) -> {
+            if (XMLConstants.W3C_XML_SCHEMA_NS_URI.equals(type) && XMLConstants.XML_NS_URI.equals(namespaceURI) && ARTEMIS_XML_SCHEMA_SID.equals(systemId)) {
+               return newLSInput(publicId, systemId, baseURI, Thread.currentThread().getContextClassLoader().getResourceAsStream(ARTEMIS_XML_SCHEMA_URL));
+            } else if (XMLConstants.W3C_XML_SCHEMA_NS_URI.equals(type) && ACTIVEMQ_CORE_NS.equals(namespaceURI) && ARTEMIS_CONFIGURATION_SCHEMA_SID.equals(systemId)) {
+               return newLSInput(publicId, systemId, baseURI, Thread.currentThread().getContextClassLoader().getResourceAsStream(ARTEMIS_CONFIGURATION_SCHEMA_URL));
+            } else if (XMLConstants.W3C_XML_SCHEMA_NS_URI.equals(type) && ACTIVEMQ_JMS_NS.equals(namespaceURI) && ARTEMIS_JMS_SCHEMA_SID.equals(systemId)) {
+               return newLSInput(publicId, systemId, baseURI, Thread.currentThread().getContextClassLoader().getResourceAsStream(ARTEMIS_JMS_SCHEMA_URL));
+            }
+
+            return null;
+         });
+      }
+
+      return factory;
+   }
+
+   public static Transformer newTransformer() throws TransformerConfigurationException {
+      TransformerFactory transformerFactory = TransformerFactory.newInstance();
+
+      if (!isXxeEnabled()) {
+         transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+         transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+      }
+
+      return transformerFactory.newTransformer();
+   }
+
+   public static Validator newValidator(URL schema) throws SAXException {
+      Validator validator = newSchemaFactory(null).newSchema(schema).newValidator();
+
+      if (!isXxeEnabled()) {
+         validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+         validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+      }
+
+      return validator;
+   }
+
+   private static LSInput newLSInput(String publicId, String systemId, String baseURI, InputStream byteStream) {
+      return new LSInput() {
+         @Override
+         public Reader getCharacterStream() {
+            return null;
+         }
+
+         @Override
+         public void setCharacterStream(Reader reader) {
+
+         }
+
+         @Override
+         public InputStream getByteStream() {
+            return byteStream;
+         }
+
+         @Override
+         public void setByteStream(InputStream inputStream) {
+
+         }
+
+         @Override
+         public String getStringData() {
+            return null;
+         }
+
+         @Override
+         public void setStringData(String s) {
+
+         }
+
+         @Override
+         public String getSystemId() {
+            return systemId;
+         }
+
+         @Override
+         public void setSystemId(String s) {
+
+         }
+
+         @Override
+         public String getPublicId() {
+            return publicId;
+         }
+
+         @Override
+         public void setPublicId(String s) {
+
+         }
+
+         @Override
+         public String getBaseURI() {
+            return baseURI;
+         }
+
+         @Override
+         public void setBaseURI(String s) {
+
+         }
+
+         @Override
+         public String getEncoding() {
+            return null;
+         }
+
+         @Override
+         public void setEncoding(String s) {
+
+         }
+
+         @Override
+         public boolean getCertifiedText() {
+            return false;
+         }
+
+         @Override
+         public void setCertifiedText(boolean b) {
+
+         }
+      };
+   }
+}