From 37da4eca4d5d280f1f3c48aa9bc2c3002d447155 Mon Sep 17 00:00:00 2001
From: Maxim
Date: Mon, 4 Nov 2024 14:16:42 +0300
Subject: [PATCH] Set FEATURE_SECURE_PROCESSING for DocumentBuilderFactory
---
 .../fixer/utils/parser/XMLProcessedObjectsParser.java | 10 +++++++++-
 core/src/main/java/org/verapdf/report/XmpHandler.java | 9 +++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java b/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
index 6c5921ba1..5d2b7f0d4 100644
--- a/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
+++ b/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
@@ -28,6 +28,7 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -36,6 +37,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Properties;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import static org.verapdf.metadata.fixer.utils.MetadataFixerConstants.*;
@@ -44,6 +47,7 @@
 */
 public class XMLProcessedObjectsParser implements ProcessedObjectsParser {
+ private static final Logger LOGGER = Logger.getLogger(XMLProcessedObjectsParser.class.getCanonicalName());
 private static final String XML_PROCESSED_OBJECTS_PATH_PROPERTY_PDFA_1 = "processed.objects.path.pdfa_1";
 private static final String XML_PROCESSED_OBJECTS_PATH_PROPERTY_PDFA_2_3 = "processed.objects.path.pdfa_2_3";
 private static final String XML_PROCESSED_OBJECTS_PATH_PROPERTY_PDFA_4 = "processed.objects.path.pdfa_4";
@@ -83,7 +87,11 @@ public ProcessedObjects getProcessedObjects(String path)
 public ProcessedObjects getProcessedObjects(InputStream xml) throws ParserConfigurationException, IOException, SAXException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (Exception e) {
+ LOGGER.log(Level.WARNING, "Unable to secure xml processing");
+ }
 DocumentBuilder builder = factory.newDocumentBuilder();
 factory.setIgnoringElementContentWhitespace(true);
diff --git a/core/src/main/java/org/verapdf/report/XmpHandler.java b/core/src/main/java/org/verapdf/report/XmpHandler.java
index 0c904ed9b..c20b00c04 100644
--- a/core/src/main/java/org/verapdf/report/XmpHandler.java
+++ b/core/src/main/java/org/verapdf/report/XmpHandler.java
@@ -29,6 +29,7 @@
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import javax.xml.XMLConstants;
 import javax.xml.bind.DatatypeConverter;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -36,6 +37,8 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.Arrays;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 /**
 * Class that's initially a placeholder for XMP specific functionality.
@@ -51,6 +54,7 @@
 * @author Carl Wilson
 */
 public class XmpHandler {
+ private static final Logger LOGGER = Logger.getLogger(XmpHandler.class.getCanonicalName());
 private static final byte[] UTF8_METADATA_PREFIX_SQ = {0x3C, 0x3F, 0x78, 0x70, 0x61, 0x63, 0x6B, 0x65, 0x74, 0x20, 0x62, 0x65, 0x67, 0x69, 0x6E, 0x3D, 0x27, -0x11, -0x45, -0x41, 0x27};
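Review bot: The new `catch (Exception e)` around `setFeature` in `XMLProcessedObjectsParser.getProcessedObjects(InputStream)` fails open: if the factory rejects `FEATURE_SECURE_PROCESSING`, a warning is logged and the document is still parsed by an unhardened builder, and the exception itself never reaches the log record. `setFeature` declares only `ParserConfigurationException`, which this method already lists in its `throws` clause, so the call can stand alone as `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and let a failure propagate. If continuing without the feature is intentional, narrow the catch to `ParserConfigurationException` and keep the cause with `LOGGER.log(Level.WARNING, "Unable to secure xml processing", e);`. The same pattern is repeated in the `XmpHandler.parseMetadataRootElement` hunk, and the method body here continues outside the hunk.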
@@ -134,6 +138,11 @@ public static Node parseMetadataRootElement(FeatureTreeNode metadataNode)
 return null;
 }
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (Exception e) {
+ LOGGER.log(Level.WARNING, "Unable to secure metadata processing");
+ }
 factory.setNamespaceAware(true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document metadataDocument = builder.parse(is);
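Review bot: `FEATURE_SECURE_PROCESSING` is the only hardening applied before `builder.parse(is)` in `parseMetadataRootElement`, and what it restricts is left to whichever JAXP implementation is on the classpath; it is not guaranteed to reject DOCTYPE declarations or block external entity resolution. The stream presumably carries XMP taken from the file under validation, so it should be treated as untrusted input. Assuming XMP packets never need a DTD, I would add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to the new call, or, where that is too strict, `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` together with `factory.setExpandEntityReferences(false);`. The enclosing method starts and ends outside the hunk.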