Harden SchemaFactory and TransformerFactory with XMLConstants.FEATURE_SECURE_PROCESSING (#3006)

(cherry picked from commit 43c7733)

Author: reta

rt/ws/transfer/src/main/java/org/apache/cxf/ws/transfer/validationtransformation/XSDResourceTypeIdentifier.java

@@ -20,6 +20,7 @@
 package org.apache.cxf.ws.transfer.validationtransformation;
 
 import java.io.IOException;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.xml.XMLConstants;
@@ -32,6 +33,8 @@
 import org.w3c.dom.Node;
 
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 import jakarta.annotation.Resource;
 import jakarta.xml.ws.WebServiceContext;
@@ -60,6 +63,14 @@ public XSDResourceTypeIdentifier(Source xsd, ResourceTransformer resourceTransfo
         try {
             this.resourceTransformer = resourceTransformer;
             SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+            schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            try {
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+                LOG.log(Level.WARNING, "The properties '" + XMLConstants.ACCESS_EXTERNAL_DTD  
+                    + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA + "' are not supported.");
+            }
             Schema schema = schemaFactory.newSchema(xsd);
             this.validator = schema.newValidator();
         } catch (SAXException ex) {

rt/ws/transfer/src/main/java/org/apache/cxf/ws/transfer/validationtransformation/XSDResourceValidator.java

@@ -20,6 +20,7 @@
 package org.apache.cxf.ws.transfer.validationtransformation;
 
 import java.io.IOException;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.xml.XMLConstants;
@@ -32,6 +33,8 @@
 import org.w3c.dom.Node;
 
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 import jakarta.annotation.Resource;
 import jakarta.xml.ws.WebServiceContext;
@@ -57,6 +60,14 @@ public class XSDResourceValidator implements ResourceValidator {
     public XSDResourceValidator(Source xsd, ResourceTransformer resourceTransformer) {
         try {
             SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+            schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            try {
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+                LOG.log(Level.WARNING, "The properties '" + XMLConstants.ACCESS_EXTERNAL_DTD  
+                    + "', '" + XMLConstants.ACCESS_EXTERNAL_SCHEMA + "' are not supported.");
+            }
             Schema schema = schemaFactory.newSchema(xsd);
             this.validator = schema.newValidator();
         } catch (SAXException ex) {

rt/ws/transfer/src/main/java/org/apache/cxf/ws/transfer/validationtransformation/XSLTResourceTransformer.java

@@ -21,6 +21,7 @@
 
 import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
 import javax.xml.transform.Templates;
 import javax.xml.transform.TransformerConfigurationException;
@@ -61,7 +62,15 @@ public XSLTResourceTransformer(Source xsl) {
     public XSLTResourceTransformer(Source xsl, ResourceValidator validator) {
         this.validator = validator;
         try {
-            templates = TransformerFactory.newInstance().newTemplates(xsl);
+            final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            try {
+                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            } catch (IllegalArgumentException ex) {
+                // ignore
+            }
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            templates = transformerFactory.newTemplates(xsl);
         } catch (TransformerConfigurationException e) {
             LOG.severe(e.getLocalizedMessage());
             throw new SoapFault("Internal error", getSoapVersion().getReceiver());

systests/ws-transfer/pom.xml

@@ -69,9 +69,9 @@
     </dependencies>
     <profiles>
         <profile>
-            <id>jdk24</id>
+            <id>jdk17</id>
             <activation>
-                <jdk>[24,)</jdk>
+                <jdk>[17,)</jdk>
             </activation>
             <build>
                 <plugins>