
Commit 614ffa4

MaximPlusovGit User
authored and
Git User
committed
Set secure parameter for xslt transformation
1 parent 4aa5dae commit 614ffa4


3 files changed

+48
-6
lines changed


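--- a/core/src/main/java/org/verapdf/policy/PolicyChecker.java
+++ b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
@@ -20,15 +20,15 @@
 import org.verapdf.core.VeraPDFException;
 import org.verapdf.core.utils.FileUtils;
 
-import javax.xml.transform.Templates;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
+import javax.xml.XMLConstants;
+import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import java.io.*;
 import java.util.Arrays;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
 * The veraPDF policy checker which is simply an abstraction that makes applying
@@ -39,6 +39,9 @@
 * @version 0.1 Created 12 Dec 2016:17:51:12
 */
 public final class PolicyChecker {
+
+private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());
+
 private static final TransformerFactory factory = TransformerFactory.newInstance();
 public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
 public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
@@ -60,6 +63,15 @@ public final class PolicyChecker {
 private static final String mergeXsl = resourcePath + "MergeMrrPolicy" + '.' + XSL_EXT; //$NON-NLS-1$
 private static final Templates cachedMergeXsl = SchematronPipeline.createCachedTransform(mergeXsl);
 
+static {
+try {
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException ignored) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+}
+}
+
 private PolicyChecker() {
 
 }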
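Review bot: In the new static block, `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file")` reports an unrecognised attribute with IllegalArgumentException, which `catch (TransformerConfigurationException ignored)` does not cover; with a JAXP implementation that lacks this attribute the exception would escape the static initializer and the class would fail to load. The handler also drops the caught exception and lets the class carry on with a factory that may be only partly restricted, so the warning carries no reason and the failure is effectively fail-open. I would write `} catch (TransformerConfigurationException | IllegalArgumentException e) {` and `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);`, and decide explicitly whether policy checking should proceed at all when hardening fails. The same block is repeated in SchematronPipeline and XsltTransformer.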

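--- a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
+++ b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
@@ -17,6 +17,7 @@
 */
 package org.verapdf.policy;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -31,8 +32,7 @@
 */
 
 final class SchematronPipeline {
-private static final Logger LOGGER = Logger
-.getLogger(SchematronPipeline.class.getName());
+private static final Logger LOGGER = Logger.getLogger(SchematronPipeline.class.getName());
 
 static final ClassLoader cl = SchematronPipeline.class.getClassLoader();
 private static final TransformerFactory factory = getTransformerFactory();
@@ -45,6 +45,15 @@ final class SchematronPipeline {
 private static final Templates cachedExpXsl = createCachedTransform(isoExpXsl);
 private static final Templates cachedIsoSvrlXsl = createCachedTransform(isoSvrlXsl);
 
+static {
+try {
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException ignored) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+}
+}
+
 private SchematronPipeline() {
 }
 
@@ -85,6 +94,11 @@ private static File createTempFileResult(final Transformer transformer, final St
 
 private static TransformerFactory getTransformerFactory() {
 TransformerFactory fact = TransformerFactory.newInstance();
+try {
+fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException ignored) {
+}
 fact.setURIResolver(new ClasspathResourceURIResolver());
 return fact;
 }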
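Review bot: The empty `catch (TransformerConfigurationException ignored) { }` in getTransformerFactory hides a hardening failure on the one call that matters in this class: `cachedExpXsl` and `cachedIsoSvrlXsl` are field initializers declared above the new static block, so they run before it and presumably compile their templates with whatever getTransformerFactory returned. The static block then applies the same two settings a second time to the same factory, so it contributes only the log line. I would drop the static block and log inside the method instead, `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);`, which is safe because LOGGER is declared before `factory`. getTransformerFactory is fully visible in the last hunk; createCachedTransform is not, so its use of `factory` is inferred.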

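--- a/core/src/main/java/org/verapdf/report/XsltTransformer.java
+++ b/core/src/main/java/org/verapdf/report/XsltTransformer.java
@@ -23,8 +23,12 @@
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
@@ -34,8 +38,20 @@
 * @author Maksim Bezrukov
 */
 public final class XsltTransformer {
+
+private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());
+
 private static final TransformerFactory factory = TransformerFactory.newInstance();
 
+static {
+try {
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException ignored) {
+LOGGER.log(Level.WARNING, "Unable to secure xslt transformer");
+}
+}
+
 private XsltTransformer() {
 }
 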
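Review bot: The hardening block is hand-copied into a third class here, and the copies already differ: the message reads "xslt" in this file and "xsl" in the policy classes, and SchematronPipeline.getTransformerFactory logs nothing at all. Building the factory through one helper that returns it already configured, the way SchematronPipeline does with getTransformerFactory, means the field is never visible in an unconfigured state and leaves one place to change the settings. A sketch for this class follows; the class body continues outside the hunk.

```java
private static final TransformerFactory factory = newSecureFactory();

// Returns a factory with the processing limits already applied.
private static TransformerFactory newSecureFactory() {
    TransformerFactory fact = TransformerFactory.newInstance();
    try {
        fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
    } catch (TransformerConfigurationException | IllegalArgumentException e) {
        // setAttribute signals an unrecognised attribute with IllegalArgumentException
        LOGGER.log(Level.WARNING, "Unable to secure xslt transformer", e);
    }
    return fact;
}
// … unchanged: private constructor …
```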
