Disable external entities when using SAX parser.
Signed-off-by: azerr <[email protected]>
angelozerr committed Aug 23, 2021
1 parent f831037 commit d9ba63a
Showing 4 changed files with 28 additions and 3 deletions.
Expand Up @@ -148,7 +148,7 @@ private static String getRelativeURI(String fullPathGrammarURI, String documentU
private static String getTargetNamespace(String xsdURI) {
TargetNamespaceHandler handler = new TargetNamespaceHandler();
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParserFactory factory = DOMUtils.newSAXParserFactory();
SAXParser saxParser = factory.newSAXParser();
saxParser.parse(new URL(xsdURI).openStream(), handler);
} catch (Exception e) {
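Review bot: The stream returned by `new URL(xsdURI).openStream()` on the line after the changed one is never closed, so every call leaks a file handle or HTTP connection on both the success and the exception path; wrap it in try-with-resources: `try (InputStream in = new URL(xsdURI).openStream()) { saxParser.parse(in, handler); }` (needs `java.io.InputStream` in scope). Separately, `DOMUtils.newSAXParserFactory()` rejects any DOCTYPE rather than only external entities, so a grammar reached here that carries a DOCTYPE (the W3C XMLSchema.xsd is one) now fails to parse and drops into the broad `catch (Exception e)`, presumably leaving the target namespace unresolved; that behaviour change deserves a test or at least a log line at the catch naming the URI. getTargetNamespace's catch body and return run past the end of the hunk.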
Expand Up @@ -21,6 +21,7 @@
import org.eclipse.lemminx.dom.DOMAttr;
import org.eclipse.lemminx.dom.DOMElement;
import org.eclipse.lemminx.extensions.xsd.utils.XSDUtils;
import org.eclipse.lemminx.utils.DOMUtils;
import org.eclipse.lemminx.utils.StringUtils;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
Expand Down Expand Up @@ -103,7 +104,7 @@ public static String getDocumentation(DOMAttr attr) {

private static Map<String, DataType> loadDataTypes() {
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParserFactory factory = DOMUtils.newSAXParserFactory();
SAXParser saxParser = factory.newSAXParser();
DataTypeHandler handler = new DataTypeHandler();
saxParser.parse(new InputSource(DataType.class.getResourceAsStream("/schemas/xsd/datatypes.xml")), handler);
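Review bot: The checked exceptions that `DOMUtils.newSAXParserFactory()` now declares are folded into the enclosing `catch (Exception e)` together with ordinary parse errors, so a JAXP provider that rejects the Apache-specific feature URI (anything other than Xerces resolved by `SAXParserFactory.newInstance()`) makes `loadDataTypes` fail in exactly the same silent way as a malformed `datatypes.xml`. Since that is a deployment defect rather than a data problem, consider a separate `catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e)` that logs at SEVERE with a message naming the parser configuration before the generic handler. The catch block and the method's return lie outside the hunk, so I cannot see what is returned on failure.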
Expand Up @@ -31,6 +31,7 @@
import org.apache.xerces.xs.XSObject;
import org.apache.xerces.xs.XSObjectList;
import org.apache.xerces.xs.datatypes.ObjectList;
import org.eclipse.lemminx.utils.DOMUtils;
import org.eclipse.lemminx.utils.StringUtils;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
Expand Down Expand Up @@ -183,7 +184,7 @@ public static String getPrefix(XSObjectList annotations, String value) {

public static XSDAnnotationModel load(XSAnnotation annotation) {
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParserFactory factory = DOMUtils.newSAXParserFactory();
SAXParser saxParser = factory.newSAXParser();
XSAnnotationHandler handler = new XSAnnotationHandler();
saxParser.parse(new InputSource(new StringReader(annotation.getAnnotationString())), handler);
Expand Up @@ -15,10 +15,15 @@
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.eclipse.lemminx.dom.DOMDocument;
import org.eclipse.lemminx.dom.DOMElement;
import org.eclipse.lemminx.dom.DOMParser;
import org.eclipse.lemminx.uriresolver.URIResolverExtensionManager;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/**
* DOM Utilities.
Expand Down Expand Up @@ -134,4 +139,22 @@ public static DOMDocument loadDocument(String documentURI, URIResolverExtensionM
return null;
}
}

/**
* Returns an instance of SAX parser factory by disabling external entities
* declarations.
*
* @return an instance of SAX parser factory by disabling external entities
* declarations.
* @throws SAXNotRecognizedException
* @throws SAXNotSupportedException
* @throws ParserConfigurationException
*/
public static SAXParserFactory newSAXParserFactory()
throws SAXNotRecognizedException, SAXNotSupportedException, ParserConfigurationException {
SAXParserFactory factory = SAXParserFactory.newInstance();
// to be more secure, completely disable DOCTYPE declaration:
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
return factory;
}
}
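Review bot: `newSAXParserFactory` relies solely on the Apache-specific `disallow-doctype-decl` feature, which does stop XXE and entity-expansion attacks on Xerces (entities need a DTD), but it leaves no fallback if the provider picked by `SAXParserFactory.newInstance()` is not Xerces, and the Javadoc ("disabling external entities declarations") understates the effect — any DOCTYPE, including a harmless internal subset, is rejected. I would add the standard SAX entity features, `XMLConstants.FEATURE_SECURE_PROCESSING` and `setXIncludeAware(false)` as defense in depth (this needs `import javax.xml.XMLConstants;`), and reword the Javadoc to say the returned factory produces parsers that reject any document containing a DOCTYPE declaration and so cannot resolve external entities or external DTDs. The empty `@throws` tags should also say when each is raised: the three are thrown when the JAXP provider does not recognise or support one of the features. The rest of DOMUtils is above the hunk.
```java
public static SAXParserFactory newSAXParserFactory()
        throws SAXNotRecognizedException, SAXNotSupportedException, ParserConfigurationException {
    SAXParserFactory factory = SAXParserFactory.newInstance();
    // Forbidding DOCTYPE is what actually blocks XXE and entity expansion on
    // Xerces; the features below are defense in depth for other providers.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setXIncludeAware(false);
    return factory;
}
```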
