
Commit d5314cb

committed
Set secure parameter for xslt transformation
1 parent 772abdc commit d5314cb


3 files changed

+46
-8
lines changed

3 files changed

+46
-8
lines changed

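--- a/core/src/main/java/org/verapdf/policy/PolicyChecker.java
+++ b/core/src/main/java/org/verapdf/policy/PolicyChecker.java
@@ -20,15 +20,15 @@
 import org.verapdf.core.VeraPDFException;
 import org.verapdf.core.utils.FileUtils;
 
-import javax.xml.transform.Templates;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
+import javax.xml.XMLConstants;
+import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import java.io.*;
 import java.util.Arrays;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
 * The veraPDF policy checker which is simply an abstraction that makes applying
@@ -39,7 +39,10 @@
 * @version 0.1 Created 12 Dec 2016:17:51:12
 */
 public final class PolicyChecker {
-private static final TransformerFactory factory = TransformerFactory.newInstance();
+
+private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName());
+
+private static final TransformerFactory factory = getTransformerFactory();
 public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$
 public static final String XSL_EXT = "xsl"; //$NON-NLS-1$
 public static final String XSLT_EXT = "xslt"; //$NON-NLS-1$
@@ -204,4 +207,15 @@ private static void applySchematronXsl(final InputStream schematronXsl, final In
 Transformer transformer = factory.newTransformer(new StreamSource(schematronXsl));
 transformer.transform(new StreamSource(xmlReport), new StreamResult(policyReport));
 }
+
+private static TransformerFactory getTransformerFactory() {
+TransformerFactory fact = TransformerFactory.newInstance();
+try {
+fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException e) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+}
+return fact;
+}
 }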
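Review bot: The catch in the new getTransformerFactory (new lines 211–220) only handles TransformerConfigurationException, yet TransformerFactory.setAttribute is specified to throw IllegalArgumentException when the factory does not recognise the attribute, so a non-JDK factory picked up through the service loader would escape the catch and turn the initializer of the static `factory` field into an ExceptionInInitializerError; widen it to `} catch (TransformerConfigurationException | IllegalArgumentException e) {`. The warning also discards the cause, so `LOGGER.log(Level.WARNING, "Unable to secure xsl transformer", e);` would keep the reason visible when the hardening silently does not apply. The intent of the two settings deserves a comment, e.g. `// FEATURE_SECURE_PROCESSING restricts external DTD/stylesheet access on the JDK factory; "file" re-opens only file: stylesheets so local xsl:import/include keep working`, since the relaxation to "file" is deliberate while ACCESS_EXTERNAL_DTD is left at the restricted default. The same method is duplicated in SchematronPipeline and XsltTransformer; a single package-level helper would keep the three copies from drifting if the policy is tightened later.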

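--- a/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
+++ b/core/src/main/java/org/verapdf/policy/SchematronPipeline.java
@@ -17,6 +17,7 @@
 */
 package org.verapdf.policy;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -31,8 +32,7 @@
 */
 
 final class SchematronPipeline {
-private static final Logger LOGGER = Logger
-.getLogger(SchematronPipeline.class.getName());
+private static final Logger LOGGER = Logger.getLogger(SchematronPipeline.class.getName());
 
 static final ClassLoader cl = SchematronPipeline.class.getClassLoader();
 private static final TransformerFactory factory = getTransformerFactory();
@@ -85,6 +85,12 @@ private static File createTempFileResult(final Transformer transformer, final St
 
 private static TransformerFactory getTransformerFactory() {
 TransformerFactory fact = TransformerFactory.newInstance();
+try {
+fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException e) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+}
 fact.setURIResolver(new ClasspathResourceURIResolver());
 return fact;
 }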

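--- a/core/src/main/java/org/verapdf/report/XsltTransformer.java
+++ b/core/src/main/java/org/verapdf/report/XsltTransformer.java
@@ -23,8 +23,12 @@
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
@@ -34,8 +38,11 @@
 * @author Maksim Bezrukov
 */
 public final class XsltTransformer {
-private static final TransformerFactory factory = TransformerFactory.newInstance();
 
+private static final Logger LOGGER = Logger.getLogger(XsltTransformer.class.getCanonicalName());
+
+private static final TransformerFactory factory = getTransformerFactory();
+
 private XsltTransformer() {
 }
 
@@ -68,4 +75,15 @@ public static void transform(InputStream source, InputStream xslt, PrintWriter d
 
 transformer.transform(new StreamSource(source), new StreamResult(destination));
 }
+
+private static TransformerFactory getTransformerFactory() {
+TransformerFactory fact = TransformerFactory.newInstance();
+try {
+fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
+} catch (TransformerConfigurationException e) {
+LOGGER.log(Level.WARNING, "Unable to secure xsl transformer");
+}
+return fact;
+}
 }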
