Use secure parser for reading xml schemas

Author: runeflobakk

jaxb/src/main/java/no/digipost/signature/jaxb/JaxbMarshaller.java

@@ -17,6 +17,7 @@
 
 import no.digipost.signature.xsd.SignatureApiSchemas;
 import no.digipost.xml.bind.MarshallingCustomization;
+import no.digipost.xml.parsers.SaxParserProvider;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.xml.sax.InputSource;
@@ -26,7 +27,6 @@
 import javax.xml.bind.Unmarshaller;
 import javax.xml.transform.Source;
 import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.sax.SAXSource;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -118,7 +118,7 @@ public ForAllApis() {
     public JaxbMarshaller(MarshallingCustomization marshallingCustomization, Class<?> ... classesToBeBound) {
         this.jaxbContext = JaxbUtils.initContext(classesToBeBound);
         this.marshallingCustomization = marshallingCustomization;
-        this.saxParserProvider = SaxParserProvider.createSecuredParserFactory();
+        this.saxParserProvider = SaxParserProvider.createSecuredProvider();
     }
 
     public JaxbMarshaller(MarshallingCustomization marshallingCustomization, Set<Class<?>> classesToBeBound) {
@@ -194,7 +194,7 @@ private <T> void doWithMarshaller(T object, ThrowingBiConsumer<? super T, ? supe
     }
 
     public <T> T unmarshal(InputStream inputStream, Class<T> type) {
-        Source xmlSource = new SAXSource(saxParserProvider.createXMLReader(), new InputSource(inputStream));
+        Source xmlSource = saxParserProvider.createSource(new InputSource(inputStream));
         return unmarshal(unmarshaller -> unmarshaller.unmarshal(xmlSource), type);
     }
 

jaxb/src/main/java/no/digipost/xml/bind/MarshallerCustomizer.java

@@ -15,6 +15,8 @@
  */
 package no.digipost.xml.bind;
 
+import no.digipost.xml.validation.SchemaHelper;
+
 import javax.xml.bind.Marshaller;
 import javax.xml.validation.Schema;
 
@@ -29,7 +31,7 @@ public interface MarshallerCustomizer {
     public static MarshallerCustomizer validateUsingSchemaResources(Set<String> schemaResources) {
         return Optional.ofNullable(schemaResources)
                 .filter(s -> !s.isEmpty())
-                .map(XmlUtils::createSchema)
+                .map(SchemaHelper::createW3cXmlSchema)
                 .map(MarshallerCustomizer::validateUsingSchema)
                 .orElse(NO_CUSTOMIZATION);
     }

jaxb/src/main/java/no/digipost/xml/bind/UnmarshallerCustomizer.java

@@ -15,6 +15,8 @@
  */
 package no.digipost.xml.bind;
 
+import no.digipost.xml.validation.SchemaHelper;
+
 import javax.xml.bind.Unmarshaller;
 import javax.xml.validation.Schema;
 
@@ -29,7 +31,7 @@ public interface UnmarshallerCustomizer {
     public static UnmarshallerCustomizer validateUsingSchemaResources(Set<String> schemaResources) {
         return Optional.ofNullable(schemaResources)
                 .filter(s -> !s.isEmpty())
-                .map(XmlUtils::createSchema)
+                .map(SchemaHelper::createW3cXmlSchema)
                 .map(UnmarshallerCustomizer::validateUsingSchema)
                 .orElse(NO_CUSTOMIZATION);
     }

jaxb/src/main/java/no/digipost/xml/bind/XmlUtils.java

@@ -13,8 +13,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package no.digipost.signature.jaxb;
+package no.digipost.xml.parsers;
 
+import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.SAXNotSupportedException;
@@ -23,12 +24,13 @@
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
 
 import static javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING;
 
-class SaxParserProvider {
+public interface SaxParserProvider {
 
-    public static SaxParserProvider createSecuredParserFactory() {
+    public static SaxParserProvider createSecuredProvider() {
         SAXParserFactory factory = SAXParserFactory.newInstance();
         factory.setNamespaceAware(true);
 
@@ -37,40 +39,23 @@ public static SaxParserProvider createSecuredParserFactory() {
         try {
             factory.setFeature(FEATURE_SECURE_PROCESSING, true);
             factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-            factory.setValidating(false);  // this only concerns DTD validation
+            factory.setValidating(false);   // this only concerns DTD validation
             factory.setXIncludeAware(false);  // already false by default, but setting anyway
         } catch (SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
             throw new IllegalStateException(
                     "Unable to configure " + factory.getClass().getName() + " for secure processing " +
                     "because " + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
         }
 
-        return new SaxParserProvider(factory);
+        return new SharedFactorySaxParserProvider(factory);
     }
 
 
-    /**
-     * A configured SAXParserFactory's {@link SAXParserFactory#newSAXParser() newSAXParser()} method is
-     * <a href="https://jcp.org/aboutJava/communityprocess/review/jsr063/jaxp-pd2.pdf">expected by specification to be thread safe  (ch. 3.4)</a>
-     */
-    private final SAXParserFactory saxParserFactory;
 
-    public SaxParserProvider(SAXParserFactory saxParserFactory) {
-        this.saxParserFactory = saxParserFactory;
-    }
+    SAXParser createParser();
 
 
-    public SAXParser createParser() {
-        try {
-            return saxParserFactory.newSAXParser();
-        } catch (ParserConfigurationException | SAXException e) {
-            throw new IllegalStateException(
-                    "Unable to create new SAX parser from " + saxParserFactory.getClass().getName() +
-                    " because " + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
-        }
-    }
-
-    public XMLReader createXMLReader() {
+    default XMLReader createXMLReader() {
         SAXParser parser = createParser();
         try {
             return parser.getXMLReader();
@@ -80,4 +65,8 @@ public XMLReader createXMLReader() {
                     " because " + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
         }
     }
+
+    default SAXSource createSource(InputSource inputSource) {
+        return new SAXSource(createXMLReader(), inputSource);
+    }
 }

jaxb/src/main/java/no/digipost/signature/jaxb/SaxParserProvider.java renamed to jaxb/src/main/java/no/digipost/xml/parsers/SaxParserProvider.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Posten Norge AS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package no.digipost.xml.parsers;
+
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+
+class SharedFactorySaxParserProvider implements SaxParserProvider {
+
+    /**
+     * A configured SAXParserFactory's {@link SAXParserFactory#newSAXParser() newSAXParser()} method is
+     * <a href="https://jcp.org/aboutJava/communityprocess/review/jsr063/jaxp-pd2.pdf">expected by specification to be thread safe  (ch. 3.4)</a>
+     */
+    private final SAXParserFactory saxParserFactory;
+
+    SharedFactorySaxParserProvider(SAXParserFactory saxParserFactory) {
+        this.saxParserFactory = saxParserFactory;
+    }
+
+
+    @Override
+    public SAXParser createParser() {
+        try {
+            return saxParserFactory.newSAXParser();
+        } catch (ParserConfigurationException | SAXException e) {
+            throw new IllegalStateException(
+                    "Unable to create new SAX parser from " + saxParserFactory.getClass().getName() +
+                    " because " + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
+        }
+    }
+}

jaxb/src/main/java/no/digipost/xml/parsers/SharedFactorySaxParserProvider.java

@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Posten Norge AS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package no.digipost.xml.transform.sax;
+
+import org.xml.sax.InputSource;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.UncheckedIOException;
+import java.net.URL;
+import java.nio.charset.Charset;
+
+import static java.util.Objects.requireNonNull;
+
+public class UrlInputSource extends InputSource {
+
+    public static UrlInputSource fromClasspath(String resourceName, Charset encoding) {
+        return fromClasspath(resourceName, encoding, UrlInputSource.class.getClassLoader());
+    }
+
+    public static UrlInputSource fromClasspath(String resourceName, Charset encoding, ClassLoader classLoader) {
+        URL location = classLoader.getResource(resourceName.startsWith("/") ? resourceName.substring(1) : resourceName);
+        requireNonNull(location, resourceName + " not found on classpath");
+        return new UrlInputSource(location, encoding);
+    }
+
+    private URL location;
+
+    public UrlInputSource(URL location, Charset encoding) {
+        this.location = location;
+        this.setEncoding(encoding.name());
+        this.setSystemId(location.toString());
+    }
+
+    @Override
+    public final InputStream getByteStream() {
+        try {
+            return location.openStream();
+        } catch (IOException e) {
+            throw new UncheckedIOException(
+                    "Unable to obtain InputStream for " + location +
+                    " because " + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
+        }
+    }
+
+    @Override
+    public final String getEncoding() {
+        return super.getEncoding();
+    }
+
+    @Override
+    public final Reader getCharacterStream() {
+        return null;
+    }
+
+}