KNOX-2053 - Ensure secure XML processing
Signed-off-by: Kevin Risden <krisden@apache.org>
diff --git a/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java b/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
index 5561087..8ea9440 100644
--- a/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
+++ b/gateway-server/src/main/java/org/apache/knox/gateway/topology/validation/TopologyValidator.java
@@ -15,7 +15,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
package org.apache.knox.gateway.topology.validation;
import java.io.File;
@@ -55,25 +54,26 @@
public boolean validateTopology() {
errors = new LinkedList<>();
try {
- SchemaFactory fact = SchemaFactory
- .newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
URL schemaUrl = getClass().getResource( "/conf/topology-v1.xsd" );
- Schema s = fact.newSchema( schemaUrl );
+ Schema s = schemaFactory.newSchema( schemaUrl );
Validator validator = s.newValidator();
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
final List<SAXParseException> exceptions = new LinkedList<>();
validator.setErrorHandler(new ErrorHandler() {
@Override
- public void warning(SAXParseException exception) throws SAXException {
+ public void warning(SAXParseException exception) {
exceptions.add(exception);
}
@Override
- public void fatalError(SAXParseException exception) throws SAXException {
+ public void fatalError(SAXParseException exception) {
exceptions.add(exception);
}
@Override
- public void error(SAXParseException exception) throws SAXException {
+ public void error(SAXParseException exception) {
exceptions.add(exception);
}
});
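Review bot: The external-access restrictions are applied only to the `Validator`, while the `SchemaFactory` created two lines earlier still parses `topology-v1.xsd` with default settings; an XSD can `xs:import`/`xs:include` other locations, so the factory deserves the same treatment: `schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` before `newSchema(schemaUrl)`. The schema is loaded from a classpath resource, so the practical exposure is presumably small, but the two factories are otherwise easy to confuse later. Note that `setProperty` for these JAXP 1.5 properties throws `SAXNotRecognizedException` on implementations that predate them, which the enclosing `try` would then report as a validation failure; a one-line comment on the two `setProperty` calls naming that trade-off (`// JAXP 1.5 external-access restriction; not recognized by pre-1.5 parsers`) would help the next reader. `validateTopology` continues past the end of this hunk, so the catch clause that receives such an exception is not visible here.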
diff --git a/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java b/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
index 8acdf89..a4ba66b 100644
--- a/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
+++ b/gateway-spi/src/main/java/org/apache/knox/gateway/service/definition/UrlRewriteRulesDescriptorAdapter.java
@@ -25,6 +25,7 @@
import java.io.Writer;
import java.nio.charset.StandardCharsets;
+import javax.xml.XMLConstants;
import javax.xml.bind.annotation.adapters.XmlAdapter;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
@@ -53,7 +54,9 @@
private static InputStream nodeToInputStream(Node node) throws Exception {
try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
- TransformerFactory.newInstance().newTransformer().transform(new DOMSource(node), new StreamResult(outputStream));
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ transformerFactory.newTransformer().transform(new DOMSource(node), new StreamResult(outputStream));
return new ByteArrayInputStream(outputStream.toByteArray());
}
}
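Review bot: `FEATURE_SECURE_PROCESSING` on the `TransformerFactory` is a good baseline, but whether it also blanks external DTD and stylesheet resolution depends on the implementation; the JDK's built-in factory does, others may not, so the explicit attributes `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` would make the intent implementation-independent. Since the input here is an in-memory `DOMSource` serialized by an identity transformer, this is presumably defence in depth rather than a live exposure, but the attribute form also documents what is being restricted. A short comment above the `setFeature` line, such as `// KNOX-2053: secure-processing limits entity expansion and extension functions during the transform`, would explain why the factory is no longer created inline.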