diff --git a/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java b/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
index 3404027d0..989a22a15 100644
--- a/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
+++ b/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
@@ -23,6 +23,7 @@ import org.verapdf.metadata.fixer.utils.model.ProcessedObjects;
 import org.verapdf.metadata.fixer.utils.model.RuleDescription;
 import org.verapdf.pdfa.flavours.PDFAFlavour;
+import org.verapdf.xmp.tools.SecureXML;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -86,16 +87,7 @@ public ProcessedObjects getProcessedObjects(String path)
 @Override public ProcessedObjects getProcessedObjects(InputStream xml) throws ParserConfigurationException, IOException, SAXException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- } catch (Exception e) {
- LOGGER.log(Level.WARNING, "Unable to secure xml processing");
- }
- DocumentBuilder builder = factory.newDocumentBuilder();
-
- factory.setIgnoringElementContentWhitespace(true);
-
+ DocumentBuilder builder = SecureXML.newSafeDocumentBuilder();
 Document doc = builder.parse(xml);
 Node root = doc.getDocumentElement();
diff --git a/core/src/main/java/org/verapdf/report/XmpHandler.java b/core/src/main/java/org/verapdf/report/XmpHandler.java
index b30b001f2..d89222c51 100644
--- a/core/src/main/java/org/verapdf/report/XmpHandler.java
+++ b/core/src/main/java/org/verapdf/report/XmpHandler.java
@@ -24,6 +24,7 @@ package org.verapdf.report;
 import org.verapdf.features.tools.FeatureTreeNode;
+import org.verapdf.xmp.tools.SecureXML;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.xml.sax.InputSource;
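Review bot: The shared factory behind SecureXML.newSafeDocumentBuilder() is namespace-aware and strips comments, which the factory removed in this hunk was not, so the replacement changes parsing behaviour for this parser beyond the hardening; in addition, the old setIgnoringElementContentWhitespace(true) call came after newDocumentBuilder() and therefore had no effect, whereas the shared factory applies it before building. If the traversal of `root` further down (getProcessedObjects continues outside the hunk) matches elements via getNodeName() on prefixed names or walks child text nodes, results may shift, so a run against the processed-objects XML fixtures is worth doing before merging. The imports only the removed lines used (`javax.xml.XMLConstants`, `javax.xml.parsers.DocumentBuilderFactory` and, if LOGGER has no other caller here, `Level`) appear to remain in this file and likewise in XmpHandler, unlike XMPMetaParser where the commit prunes them; presumably they should be removed too.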
@@ -137,14 +138,7 @@ public static Node parseMetadataRootElement(FeatureTreeNode metadataNode)
 if (is == null) { return null; }
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- } catch (Exception e) {
- LOGGER.log(Level.WARNING, "Unable to secure metadata processing");
- }
- factory.setNamespaceAware(true);
- DocumentBuilder builder = factory.newDocumentBuilder();
+ DocumentBuilder builder = SecureXML.newSafeDocumentBuilder();
 Document metadataDocument = builder.parse(is);
 return metadataDocument.getDocumentElement();
 }
diff --git a/xmp-core/src/main/java/org/verapdf/xmp/impl/XMPMetaParser.java b/xmp-core/src/main/java/org/verapdf/xmp/impl/XMPMetaParser.java
index 12bc51ddc..4f72121b5 100644
--- a/xmp-core/src/main/java/org/verapdf/xmp/impl/XMPMetaParser.java
+++ b/xmp-core/src/main/java/org/verapdf/xmp/impl/XMPMetaParser.java
@@ -16,11 +16,10 @@ import java.io.StringReader;
 import java.io.UnsupportedEncodingException;
-import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import org.verapdf.xmp.tools.SecureXML;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -47,7 +46,6 @@ public class XMPMetaParser
 /** */ private static final Object XMP_RDF = new Object();
 /** the DOM Parser Factory, options are set */
- private static DocumentBuilderFactory factory = createDocumentBuilderFactory();
 //------------------------------------------------------------------------------ veraPDF: additional field for actual encoding used for XMP package serialization private String actualEncoding;
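Review bot: The WARNING the removed lines emitted when FEATURE_SECURE_PROCESSING could not be enabled ("Unable to secure metadata processing") has no counterpart in SecureXML, whose createDocumentBuilderFactory swallows every exception, so on a JAXP implementation that rejects the features this method now parses with a less hardened builder and leaves no trace in the logs; the same loss applies to the XMLProcessedObjectsParser hunk. A JUL logger in SecureXML with `LOGGER.log(Level.WARNING, "Unable to enable secure XML processing feature", e);` in that catch block restores the signal and also keeps the cause, which the old messages dropped. Beyond that, this caller was already namespace-aware, so the remaining behavioural delta is comment stripping plus the whitespace and error-handler settings that are new here; they look harmless for a getDocumentElement() call but are worth knowing, and parseMetadataRootElement begins outside the hunk.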
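Review bot: The Javadoc line `/** the DOM Parser Factory, options are set */` is kept as context while the field it described is removed, so it now sits directly above the veraPDF `//---` comment and the `actualEncoding` field and documents the wrong member. Delete that line together with the field in this hunk.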
@@ -280,8 +278,7 @@ private Document parseInputSource(InputSource source) throws XMPException
 {
 try
 {
- DocumentBuilder builder = factory.newDocumentBuilder();
- builder.setErrorHandler(null);
+ DocumentBuilder builder = SecureXML.newSafeDocumentBuilder();
 return builder.parse(source);
 }
 catch (SAXException e)
@@ -395,29 +392,4 @@ else if (!xmpmetaRequired &&
 return null; // is extracted here in the C++ Toolkit
 }
-
-
- /**
- * @return Creates, configures and returnes the document builder factory for
- * the Metadata Parser.
- */
- private static DocumentBuilderFactory createDocumentBuilderFactory()
- {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setNamespaceAware(true);
- factory.setIgnoringComments(true);
-
- try
- {
- // honor System parsing limits, e.g.
- // System.setProperty("entityExpansionLimit", "10");
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- }
- catch (Exception e)
- {
- // Ignore IllegalArgumentException and ParserConfigurationException
- // in case the configured XML-Parser does not implement the feature.
- }
- return factory;
- }
 }
\ No newline at end of file
diff --git a/xmp-core/src/main/java/org/verapdf/xmp/tools/SecureXML.java b/xmp-core/src/main/java/org/verapdf/xmp/tools/SecureXML.java
new file mode 100644
index 000000000..d0d729070
--- /dev/null
+++ b/xmp-core/src/main/java/org/verapdf/xmp/tools/SecureXML.java
@@ -0,0 +1,47 @@
+package org.verapdf.xmp.tools;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+public class SecureXML {
+
+ private static DocumentBuilderFactory factory = createDocumentBuilderFactory();
+
+ public static DocumentBuilder newSafeDocumentBuilder() throws ParserConfigurationException {
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ builder.setErrorHandler(null);
+ return builder;
+ }
+
+ /**
+ * @return Creates, configures and returns the document builder factory for
+ * the Metadata Parser.
+ */
+ private static DocumentBuilderFactory createDocumentBuilderFactory()
+ {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setNamespaceAware(true);
+ factory.setIgnoringComments(true);
+ try
+ {
+ // honor System parsing limits, e.g.
+ // System.setProperty("entityExpansionLimit", "10");
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature("[http://apache.org/xml/features/disallow-doctype-decl](http://apache.org/xml/features/disallow-doctype-decl)", true);
+ factory.setFeature("[http://xml.org/sax/features/external-general-entities](http://xml.org/sax/features/external-general-entities)", false);
+ factory.setFeature("[http://xml.org/sax/features/external-parameter-entities](http://xml.org/sax/features/external-parameter-entities)", false);
+ factory.setFeature("[http://apache.org/xml/features/nonvalidating/load-external-dtd](http://apache.org/xml/features/nonvalidating/load-external-dtd)", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+ factory.setIgnoringElementContentWhitespace(true);
+ }
+ catch (Exception e)
+ {
+ // Ignore IllegalArgumentException and ParserConfigurationException
+ // in case the configured XML-Parser does not implement the feature.
+ }
+ return factory;
+ }
+}
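Review bot: In createDocumentBuilderFactory a single try wraps all eight hardening calls, so the first feature name the configured JAXP implementation rejects (the Apache-specific disallow-doctype-decl URI is the likeliest candidate on a non-Xerces parser) abandons every later call, including the external-entity switches, and the factory is still handed out as "safe" with nothing logged; the comment's claim that only the unsupported feature is ignored does not hold for this shape. Apply each feature in its own guarded call and keep the setters that cannot throw (setExpandEntityReferences, setIgnoringElementContentWhitespace) outside any try; setXIncludeAware may throw UnsupportedOperationException per its contract, so it keeps a guard of its own, as in the fence, which also logs instead of swallowing (needs the java.util.logging imports). The feature URIs appear in this view wrapped in markdown-link form, presumably a rendering artifact of the page; the fence writes them bare. Worth a comment, too, that setIgnoringElementContentWhitespace(true) only acts where a grammar declares element-only content, so with DOCTYPE declarations rejected it is effectively inert here. Minor: `factory` can be `private static final`, the utility class wants a private constructor, and `newSafeDocumentBuilder` a Javadoc such as `/** Returns a fresh DocumentBuilder configured to reject DOCTYPE declarations and external entities. */`.
```java
    private static final Logger LOGGER = Logger.getLogger(SecureXML.class.getName());

    private static final DocumentBuilderFactory factory = createDocumentBuilderFactory();

    private SecureXML() {
    }

    // … unchanged: newSafeDocumentBuilder …

    private static DocumentBuilderFactory createDocumentBuilderFactory()
    {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(true);
        // Neither setter throws for an unsupported value, so no guard is needed.
        factory.setExpandEntityReferences(false);
        // Only effective where a grammar declares element-only content; inert once DOCTYPEs are rejected.
        factory.setIgnoringElementContentWhitespace(true);
        try
        {
            factory.setXIncludeAware(false);
        }
        catch (UnsupportedOperationException e)
        {
            LOGGER.log(Level.WARNING, "Unable to disable XInclude processing", e);
        }
        // Each feature is applied on its own so that one unsupported name does not skip the rest.
        setFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        setFeature(factory, "http://apache.org/xml/features/disallow-doctype-decl", true);
        setFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
        setFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
        setFeature(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory;
    }

    // Sets one feature; logs rather than propagates when the parser does not implement it.
    private static void setFeature(DocumentBuilderFactory factory, String feature, boolean value)
    {
        try
        {
            factory.setFeature(feature, value);
        }
        catch (ParserConfigurationException | IllegalArgumentException e)
        {
            LOGGER.log(Level.WARNING, "XML parser does not support feature " + feature, e);
        }
    }
```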