From 3d46364055dd01def5adf6d3a8240ef6d5a33fa4 Mon Sep 17 00:00:00 2001
From: Andriy Redko
Date: Fri, 29 May 2026 23:55:41 -0400
Subject: [PATCH 1/2] More SchemaFactory hardenings
---
 .../validation/W3CMultiSchemaFactory.java | 17 ++++++++++++++++-
 .../ws/addressing/EndpointReferenceUtils.java | 12 ++++++++++++
 .../apache/cxf/aegis/type/XMLTypeCreator.java | 1 +
 .../java/org/apache/cxf/ws/rm/RMEndpoint.java | 1 +
 .../common/dom/ExtendedDocumentBuilder.java | 11 +++++++++++
 .../databinding/jaxb/JAXBDataBinding.java | 8 ++++++++
 6 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java b/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java
index 27cd4513603..8d64753c4bd 100644
--- a/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java
+++ b/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java
@@ -29,7 +29,11 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.transform.Source;
@@ -40,6 +44,8 @@
 import org.w3c.dom.Node;
 import org.xml.sax.Locator;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import com.ctc.wstx.msv.W3CSchema;
 import com.sun.msv.grammar.ExpressionPool;
@@ -53,6 +59,7 @@
 import com.sun.msv.reader.xmlschema.WSDLGrammarReaderController;
 import com.sun.msv.reader.xmlschema.XMLSchemaReader;
+import org.apache.cxf.common.logging.LogUtils;
 import org.codehaus.stax2.validation.XMLValidationSchema;
 /**
@@ -60,7 +67,8 @@
 * Woodstox itself.
 */
 public class W3CMultiSchemaFactory {
-
+ private static final Logger LOG = LogUtils.getL7dLogger(W3CMultiSchemaFactory.class);
+
 private MultiSchemaReader multiSchemaReader;
 private SAXParserFactory parserFactory;
 private RecursiveAllowedXMLSchemaReader xmlSchemaReader;
@@ -139,6 +147,13 @@ public XMLValidationSchema createSchema(String baseURI,
 }
 }
 parserFactory = SAXParserFactory.newInstance();
+ try {
+ parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
+ LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING
+ + "', 'http://apache.org/xml/features/disallow-doctype-decl' are not supported.");
+ }
 parserFactory.setNamespaceAware(true);
 WSDLGrammarReaderController ctrl = new WSDLGrammarReaderController(null, baseURI, embeddedSources);
diff --git a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
index 7912092d62e..05b2d13f087 100644
--- a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
+++ b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
@@ -51,6 +51,8 @@
 import org.w3c.dom.ls.LSResourceResolver;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import jakarta.xml.bind.JAXBContext;
 import jakarta.xml.bind.JAXBElement;
@@ -488,6 +490,16 @@ private static Schema createSchema(ServiceInfo serviceInfo, Bus b) {
 Schema schema = serviceInfo.getProperty(Schema.class.getName(), Schema.class);
 if (schema == null) {
 SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING + "', '"
+ + XMLConstants.ACCESS_EXTERNAL_DTD + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA
+ + "' are not supported.");
+ }
+
 Map schemaSourcesMap = new LinkedHashMap<>();
 Map schemaSourcesMap2 = new LinkedHashMap<>();
diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
index 85c26c8ade7..abcee6d0bf3 100644
--- a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
+++ b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
@@ -126,6 +126,7 @@ public class XMLTypeCreator extends AbstractTypeCreator {
 try (InputStream is = XMLTypeCreator.class.getResourceAsStream(path)) {
 if (is != null) {
 SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 Schema aegisSchema = schemaFactory.newSchema(new StreamSource(is));
 AEGIS_DOCUMENT_BUILDER_FACTORY.setSchema(aegisSchema);
 }
diff --git a/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java b/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java
index 76ecd7aa30a..7c2609474a0 100644
--- a/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java
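Review bot: In the XMLTypeCreator hunk, `schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);` is not guarded, unlike every other call site in this series, so the checked SAXNotRecognizedException/SAXNotSupportedException it declares can only be absorbed by whatever catch clause closes the enclosing try-with-resources, which lies outside the hunk; the RMEndpoint hunk has the same shape. For a JAXP SchemaFactory this feature is mandatory, so it is unlikely to fire, but on failure the behaviour becomes whatever that outer handler does rather than the warn-and-continue chosen everywhere else in the patch. Either wrap the call in the same try/catch-and-warn block JAXBDataBinding uses, or state the intent on the line, e.g. `// FEATURE_SECURE_PROCESSING is mandatory for JAXP implementations; a failure here is deliberately left to the outer handler`.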
+++ b/rt/ws/rm/src/main/java/org/apache/cxf/ws/rm/RMEndpoint.java
@@ -385,6 +385,7 @@ private static synchronized Schema getSchema() {
 if (rmSchema == null) {
 try {
 SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 javax.xml.transform.Source ad = new StreamSource(RMEndpoint.class
 .getResource("/schemas/wsdl/addressing.xsd")
 .openStream(),
diff --git a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
index 747acf1fa59..f1d6807a7e8 100644
--- a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
+++ b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
@@ -38,6 +38,8 @@
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.staxutils.StaxUtils;
@@ -65,6 +67,15 @@ private InputStream getSchemaLocation() {
 public void setValidating(boolean validate) {
 if (validate) {
 this.schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ try {
+ schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING + "', '"
+ + XMLConstants.ACCESS_EXTERNAL_DTD + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA
+ + "' are not supported.");
+ }
 try {
 this.schema = schemaFactory.newSchema(new StreamSource(getSchemaLocation()));
 } catch (SAXException e) {
diff --git a/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java b/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java
index c2c371395db..fc9d8c0fb53 100644
--- a/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java
+++ b/tools/wsdlto/databinding/jaxb/src/main/java/org/apache/cxf/tools/wsdlto/databinding/jaxb/JAXBDataBinding.java
@@ -67,6 +67,8 @@
 import org.xml.sax.InputSource;
 import org.xml.sax.Locator;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.SAXParseException;
 import org.xml.sax.helpers.XMLFilterImpl;
@@ -1065,6 +1067,12 @@ public void validateSchema(Element ele, final OASISCatalogManager catalog,
 final SchemaCollection schemaCollection) throws ToolException {
 SchemaFactory schemaFact = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ try {
+ schemaFact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.FEATURE_SECURE_PROCESSING
+ + "' is not supported.");
+ }
 schemaFact.setResourceResolver(new LSResourceResolver() {
 public LSInput resolveResource(String type, String namespaceURI,
From 651e23cf78c6c1714b3dfe6e2a4f06916eaa7e4a Mon Sep 17 00:00:00 2001
From: Andriy Redko
Date: Tue, 2 Jun 2026 08:05:43 -0400
Subject: [PATCH 2/2] Address code review comments
---
 .../validation/W3CMultiSchemaFactory.java | 9 +++++++--
 .../ws/addressing/EndpointReferenceUtils.java | 15 ++++++++++++---
 .../common/dom/ExtendedDocumentBuilder.java | 16 +++++++++++++---
 3 files changed, 32 insertions(+), 8 deletions(-)
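Review bot: The new catch block in validateSchema discards `e`, so the warning gives no hint why the feature was rejected even though the exception message normally names the property and the parser implementation; the same pattern appears in the W3CMultiSchemaFactory, EndpointReferenceUtils and ExtendedDocumentBuilder catch blocks in both patches. Pass the exception to the logger, `LOG.log(Level.WARNING, "The property '" + XMLConstants.FEATURE_SECURE_PROCESSING + "' is not supported.", e);`, or, if a stack trace is too noisy at WARNING, append `e.getMessage()` to the text. Unlike the two core call sites, this one leaves ACCESS_EXTERNAL_DTD/ACCESS_EXTERNAL_SCHEMA at their defaults; that may be deliberate because the LSResourceResolver installed just below serves the schema lookups, but a one-line comment saying so would stop the next reader from "fixing" it. validateSchema continues outside the hunk.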
diff --git a/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java b/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java
index 8d64753c4bd..e5a24d8c47e 100644
--- a/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java
+++ b/core/src/main/java/org/apache/cxf/staxutils/validation/W3CMultiSchemaFactory.java
@@ -66,6 +66,7 @@
 * Legacy implementation for Woostox 5.x. For Woodstox 6.2+, use W3CMultiSchemaFactory in
 * Woodstox itself.
 */
+@Deprecated(forRemoval = true, since = "4.2.1")
 public class W3CMultiSchemaFactory {
 private static final Logger LOG = LogUtils.getL7dLogger(W3CMultiSchemaFactory.class);
@@ -149,10 +150,14 @@ public XMLValidationSchema createSchema(String baseURI,
 parserFactory = SAXParserFactory.newInstance();
 try {
 parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.FEATURE_SECURE_PROCESSING + "', is not supported.");
+ }
+ try {
 parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 } catch (SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
- LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING
- + "', 'http://apache.org/xml/features/disallow-doctype-decl' are not supported.");
+ LOG.log(Level.WARNING, "The property 'http://apache.org/xml/features/disallow-doctype-decl'"
+ + " is not supported.");
 }
 parserFactory.setNamespaceAware(true);
diff --git a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
index 05b2d13f087..cd95087fe52 100644
--- a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
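Review bot: The new `@Deprecated(forRemoval = true, since = "4.2.1")` has no matching `@deprecated` Javadoc tag, so javadoc and IDE lint will report the mismatch and readers do not find the replacement in the standard place, even though the class comment already names it. Add `@deprecated For Woodstox 6.2+, use the W3CMultiSchemaFactory shipped with Woodstox itself.` to the class Javadoc. The "Woostox" typo in the context line above is outside the change but could be fixed while this comment is being touched.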
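Review bot: The first warning text in createSchema ends in `"', is not supported."`, leaving a stray comma in the logged message; use `"The property '" + XMLConstants.FEATURE_SECURE_PROCESSING + "' is not supported."` to match the other files. A short comment would also help the next reader see that the two features are not interchangeable: FEATURE_SECURE_PROCESSING on a SAXParserFactory limits entity expansion but does not by itself reject a DOCTYPE, so when the Xerces-specific `disallow-doctype-decl` feature is the one that is unsupported, schema documents carrying a DTD are still parsed by the resulting SAXParser. That second warning is therefore the more security-relevant of the two and deserves something like `// without this feature a DOCTYPE in a schema document is still processed; FEATURE_SECURE_PROCESSING alone does not reject it`. createSchema continues outside the hunk.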
+++ b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
@@ -492,12 +492,21 @@ private static Schema createSchema(ServiceInfo serviceInfo, Bus b) {
 SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
 try {
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.FEATURE_SECURE_PROCESSING
+ + "' is not supported.");
+ }
+
+ try {
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.ACCESS_EXTERNAL_DTD + "' is not supported.");
+ }
+
+ try {
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
- LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING + "', '"
- + XMLConstants.ACCESS_EXTERNAL_DTD + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA
- + "' are not supported.");
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA + "' is not supported.");
 }
 Map schemaSourcesMap = new LinkedHashMap<>();
diff --git a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
index f1d6807a7e8..b8db3b09e8d 100644
--- a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
+++ b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
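Review bot: Setting `ACCESS_EXTERNAL_SCHEMA` to `""` makes the factory refuse any `xs:import`/`xs:include` whose `schemaLocation` it would have to fetch itself, so a WSDL whose embedded schemas point at external schema documents will now fail to compile here unless those documents are supplied through the schema sources or a resolver; the rest of createSchema, which fills `schemaSourcesMap`, is outside the hunk, so I cannot confirm which case applies. If every referenced schema is expected to come from the service's own sources, this is the right default and a one-line comment saying so would prevent it being "relaxed" later, e.g. `// "" refuses to fetch external DTDs/schemas; every referenced schema must be present in schemaSourcesMap or come from the resolver`; if not, consider making the value configurable rather than hard-coded. The three try/catch/log blocks here and in the ExtendedDocumentBuilder hunk are identical apart from the property name, so a small private helper taking the factory, the property name and the value would remove the duplication and keep the messages consistent.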
@@ -69,13 +69,23 @@ public void setValidating(boolean validate) {
 this.schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
 try {
 schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.FEATURE_SECURE_PROCESSING
+ + "' is not supported.");
+ }
+
+ try {
 schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.ACCESS_EXTERNAL_DTD + "' is not supported.");
+ }
+
+ try {
 schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
- LOG.log(Level.WARNING, "The properties '" + XMLConstants.FEATURE_SECURE_PROCESSING + "', '"
- + XMLConstants.ACCESS_EXTERNAL_DTD + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA
- + "' are not supported.");
+ LOG.log(Level.WARNING, "The property '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA + "' is not supported.");
 }
+
 try {
 this.schema = schemaFactory.newSchema(new StreamSource(getSchemaLocation()));
 } catch (SAXException e) {