
Commit 9386ecb

MaximPlusovGit User
authored and
Git User
committed
Set secure parameter for xslt transformation
1 parent 614ffa4 commit 9386ecb


3 files changed

+27
-30
lines changed


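--- a/core/src/main/java/org/verapdf/policy/PolicyChecker.java
+++ b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
@@ -42,7 +42,7 @@ public final class PolicyChecker {
 
 private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());
 
-private static final TransformerFactory factory = TransformerFactory.newInstance();
+private static final TransformerFactory factory = getTransformerFactory();
 public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
 public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
 public static final String XSLT_EXT = "xslt"; //$NON-NLS-1$
@@ -63,15 +63,6 @@ public final class PolicyChecker {
 private static final String mergeXsl = resourcePath + "MergeMrrPolicy" + '.' + XSL_EXT; //$NON-NLS-1$
 private static final Templates cachedMergeXsl = SchematronPipeline.createCachedTransform(mergeXsl);
 
-static {
-try {
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
-} catch (TransformerConfigurationException ignored) {
-LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
-}
-}
-
 private PolicyChecker() {
 
 }
@@ -97,6 +88,7 @@ public static void insertPolicyReport(final File policyReport, final File mrrRep
 Transformer transformer = cachedMergeXsl.newTransformer();
 transformer.setParameter("policyResultPath", policyReport.getAbsolutePath()); //$NON-NLS-1$
 transformer.transform(new StreamSource(mrrReport), new StreamResult(mergedReport));
+return;
 } catch (TransformerException excep) {
 throw new VeraPDFException("Problem merging XML files.", excep); //$NON-NLS-1$
 }
@@ -215,4 +207,15 @@ private static void applySchematronXsl(final InputStream schematronXsl, final In
 Transformer transformer = factory.newTransformer(new StreamSource(schematronXsl));
 transformer.transform(new StreamSource(xmlReport), new StreamResult(policyReport));
 }
+
+private static TransformerFactory getTransformerFactory() {
+TransformerFactory fact = TransformerFactory.newInstance();
+try {
+fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException e) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+}
+return fact;
+}
 }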
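Review bot: getTransformerFactory() fails open: if `setFeature` throws, `ACCESS_EXTERNAL_STYLESHEET` is never set either, and the unhardened factory is still returned and used by `factory.newTransformer(new StreamSource(schematronXsl))` in applySchematronXsl. The warning also drops the exception, and `setAttribute` reports an unrecognised attribute with `IllegalArgumentException`, which this catch does not cover, so on such an implementation the field initializer would abort class loading instead of reaching the warning. I would catch both and keep the cause, `} catch (TransformerConfigurationException | IllegalArgumentException e) {` with `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);`, and decide explicitly whether policy checking should refuse to run (`throw new IllegalStateException(...)`) when hardening fails. The same helper body appears in SchematronPipeline and XsltTransformer in this commit.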

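--- a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
+++ b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
@@ -45,15 +45,6 @@ final class SchematronPipeline {
 private static final Templates cachedExpXsl = createCachedTransform(isoExpXsl);
 private static final Templates cachedIsoSvrlXsl = createCachedTransform(isoSvrlXsl);
 
-static {
-try {
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
-} catch (TransformerConfigurationException ignored) {
-LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
-}
-}
-
 private SchematronPipeline() {
 }
 
@@ -97,7 +88,8 @@ private static TransformerFactory getTransformerFactory() {
 try {
 fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
-} catch (TransformerConfigurationException ignored) {
+} catch (TransformerConfigurationException e) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
 }
 fact.setURIResolver(new ClasspathResourceURIResolver());
 return fact;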
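Review bot: The `"file"` value passed to `ACCESS_EXTERNAL_STYLESHEET` in getTransformerFactory() carries no comment explaining why it is needed, yet it is the one setting that typically relaxes the empty default which enabling secure processing through the API applies on the JDK's built-in processor. A short comment above it, for example `// xsl:import/xsl:include limited to local files; bundled stylesheets go through ClasspathResourceURIResolver`, would show the value is deliberate; the wording should be confirmed against how the resolver is actually used. It is also worth stating in that comment that `setURIResolver` sits outside the try, so the resolver is installed even when the hardening calls fail. The method starts and ends outside this hunk.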

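--- a/core/src/main/java/org/verapdf/report/XsltTransformer.java
+++ b/core/src/main/java/org/verapdf/report/XsltTransformer.java
@@ -41,16 +41,7 @@ public final class XsltTransformer {
 
 private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());
 
-private static final TransformerFactory factory = TransformerFactory.newInstance();
-
-static {
-try {
-factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
-} catch (TransformerConfigurationException ignored) {
-LOGGER.log(Level.WARNING, "Unable to secure xslt transformer");
-}
-}
+private static final TransformerFactory factory = getTransformerFactory();
 
 private XsltTransformer() {
 }
@@ -84,4 +75,15 @@ public static void transform(InputStream source, InputStream xslt, PrintWriter d
 
 transformer.transform(new StreamSource(source), new StreamResult(destination));
 }
+
+private static TransformerFactory getTransformerFactory() {
+TransformerFactory fact = TransformerFactory.newInstance();
+try {
+fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException e) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+}
+return fact;
+}
 }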
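Review bot: This is the third copy of getTransformerFactory() added or touched by the commit (PolicyChecker, SchematronPipeline, XsltTransformer), so the hardening settings now have to be kept in sync by hand in three places. The block removed here already logged a slightly different message ("xslt" rather than "xsl"), which is the kind of drift that copies invite. Consider one shared helper, e.g. a small utility class exposing `static TransformerFactory newSecureFactory()`, that each class calls, with SchematronPipeline adding its `setURIResolver` on the returned instance.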
