improved xml transformer config

Author: hhund

dsf-bpe/dsf-bpe-server/src/main/java/dev/dsf/bpe/webservice/ProcessService.java

@@ -23,7 +23,9 @@
 import java.util.Objects;
 import java.util.function.Consumer;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
@@ -46,6 +48,7 @@
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 import jakarta.ws.rs.core.StreamingOutput;
+import net.sf.saxon.lib.FeatureKeys;
 
 @RolesAllowed("ADMIN")
 @Path(ProcessService.PATH)
@@ -61,7 +64,20 @@ public ProcessService(ThymeleafTemplateService templateService, RepositoryServic
 		super(templateService, "Process");
 
 		this.repositoryService = repositoryService;
+
 		transformerFactory = TransformerFactory.newInstance();
+		transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+		transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
+		try
+		{
+			transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			transformerFactory.setFeature(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
+		}
+		catch (TransformerConfigurationException e)
+		{
+			throw new RuntimeException(e);
+		}
 	}
 
 	@Override

dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/adapter/ThymeleafTemplateServiceImpl.java

@@ -34,6 +34,7 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
@@ -63,6 +64,7 @@
 import jakarta.ws.rs.core.PathSegment;
 import jakarta.ws.rs.core.SecurityContext;
 import jakarta.ws.rs.core.UriInfo;
+import net.sf.saxon.lib.FeatureKeys;
 
 public class ThymeleafTemplateServiceImpl implements ThymeleafTemplateService, InitializingBean
 {
@@ -106,7 +108,7 @@ public class ThymeleafTemplateServiceImpl implements ThymeleafTemplateService, I
 
 	private final Map<Class<? extends Resource>, List<ThymeleafContext>> contextsByResourceType;
 
-	private final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+	private final TransformerFactory transformerFactory;
 	private final TemplateEngine templateEngine = new TemplateEngine();
 
 	/**
@@ -139,6 +141,20 @@ public ThymeleafTemplateServiceImpl(String serverBaseUrl, Theme theme, FhirConte
 		resolver.setCacheable(cacheEnabled);
 
 		templateEngine.setTemplateResolver(resolver);
+
+		transformerFactory = TransformerFactory.newInstance();
+		transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+		transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
+		try
+		{
+			transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			transformerFactory.setFeature(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
+		}
+		catch (TransformerConfigurationException e)
+		{
+			throw new RuntimeException(e);
+		}
 	}
 
 	@Override

dsf-maven/dsf-maven-plugin/src/main/java/dev/dsf/maven/bundle/BundleGenerator.java

@@ -36,8 +36,10 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
@@ -70,6 +72,7 @@
 import ca.uhn.fhir.context.support.IValidationSupport;
 import ca.uhn.fhir.parser.IParser;
 import ca.uhn.fhir.parser.LenientErrorHandler;
+import net.sf.saxon.lib.FeatureKeys;
 
 public class BundleGenerator
 {
@@ -380,6 +383,19 @@ private void saveBundle(Bundle bundle, Path bundleFilename) throws IOException,
 		{
 			// minimized output: empty-element tags, no indentation, no line-breaks
 			TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+			transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
+			try
+			{
+				transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+				transformerFactory.setFeature(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
+			}
+			catch (TransformerConfigurationException e)
+			{
+				throw new RuntimeException(e);
+			}
+
 			Transformer transformer = transformerFactory.newTransformer();
 			transformer.setOutputProperty(OutputKeys.METHOD, "xml");
 			transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");