polygene-commits mailing list archives

From paulmer...@apache.org
Subject [3/3] polygene-java git commit: Tighten XML subsystem setup
Date Mon, 03 Apr 2017 09:22:51 GMT
Tighten XML subsystem setup

Move all XML subsystem setup into JavaxXmlFactories.
Prevent all network requests from XML parsing.
Enable secure XML processing.

POLYGENE-239


Project: http://git-wip-us.apache.org/repos/asf/polygene-java/repo
Commit: http://git-wip-us.apache.org/repos/asf/polygene-java/commit/30acba2e
Tree: http://git-wip-us.apache.org/repos/asf/polygene-java/tree/30acba2e
Diff: http://git-wip-us.apache.org/repos/asf/polygene-java/diff/30acba2e

Branch: refs/heads/develop
Commit: 30acba2eb85b35eff9b8e953e73d39eb08472d01
Parents: 151e020
Author: Paul Merlin <paulmerlin@apache.org>
Authored: Mon Apr 3 11:22:40 2017 +0200
Committer: Paul Merlin <paulmerlin@apache.org>
Committed: Mon Apr 3 11:22:40 2017 +0200

----------------------------------------------------------------------
 .../javaxxml/JavaxXmlDeserializer.java          |  16 +--
 .../javaxxml/JavaxXmlFactories.java             | 105 ++++++++++++++++---
 .../javaxxml/JavaxXmlSerializer.java            |  35 ++-----
 3 files changed, 101 insertions(+), 55 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/polygene-java/blob/30acba2e/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java
----------------------------------------------------------------------
diff --git a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java
b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java
index dcadbd1..9acdfe0 100644
--- a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java
+++ b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java
@@ -17,7 +17,6 @@
  */
 package org.apache.polygene.serialization.javaxxml;
 
-import java.io.InputStream;
 import java.io.Reader;
 import java.lang.reflect.Array;
 import java.util.ArrayList;
@@ -35,8 +34,6 @@ import java.util.function.Predicate;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.dom.DOMResult;
 import javax.xml.transform.stream.StreamSource;
@@ -89,21 +86,10 @@ public class JavaxXmlDeserializer extends AbstractTextDeserializer
 
     private JavaxXmlSettings settings;
 
-    private Transformer normalizingTransformer;
-
     @Override
     public void initialize() throws Exception
     {
         settings = JavaxXmlSettings.orDefault( descriptor.metaInfo( JavaxXmlSettings.class
) );
-
-        String xslPath = "/org/apache/polygene/serialization/javaxxml/deserializer-normalization.xsl";
-        InputStream xsltStream = getClass().getResourceAsStream( xslPath );
-        normalizingTransformer = xmlFactories.transformerFactory()
-                                             .newTransformer( new StreamSource( xsltStream
) );
-        normalizingTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
-        normalizingTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
-        normalizingTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes" );
-        normalizingTransformer.setOutputProperty( OutputKeys.ENCODING, UTF_8.name() );
     }
 
     @Override
@@ -112,7 +98,7 @@ public class JavaxXmlDeserializer extends AbstractTextDeserializer
         try
         {
             DOMResult domResult = new DOMResult();
-            normalizingTransformer.transform( new StreamSource( state ), domResult );
+            xmlFactories.normalizationTransformer().transform( new StreamSource( state ),
domResult );
             Node node = domResult.getNode();
             return fromXml( module, valueType, node );
         }
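Review bot: The `xmlFactories.normalizationTransformer().transform( ... )` call uses the one `Transformer` instance held by `JavaxXmlFactories.Mixin`, and the JAXP contract says a `Transformer` may not be used by multiple threads running concurrently. The same applies to `xmlFactories.serializationTransformer()` in JavaxXmlSerializer. Whether these services are invoked concurrently is not visible in this diff, and the removed code shared a per-service instance in the same way, but centralising the instance widens the sharing. One option is to keep a thread-safe `Templates` in the factories (`transformerFactory.newTemplates( new StreamSource( xsltStream ) )`) and return `templates.newTransformer()` per call, with the output properties applied there. The enclosing method starts and ends outside this hunk.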

http://git-wip-us.apache.org/repos/asf/polygene-java/blob/30acba2e/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
----------------------------------------------------------------------
diff --git a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
index f3a7f80..72b02fa 100644
--- a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
+++ b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
@@ -17,20 +17,38 @@
  */
 package org.apache.polygene.serialization.javaxxml;
 
+import java.io.InputStream;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamSource;
 import org.apache.polygene.api.injection.scope.Uses;
 import org.apache.polygene.api.mixin.Initializable;
 import org.apache.polygene.api.mixin.Mixins;
+import org.apache.polygene.api.serialization.SerializationException;
 import org.apache.polygene.api.service.ServiceDescriptor;
+import org.w3c.dom.Document;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
 
 @Mixins( JavaxXmlFactories.Mixin.class )
 public interface JavaxXmlFactories
 {
     DocumentBuilderFactory documentBuilderFactory();
 
+    Document newDocumentForSerialization();
+
     TransformerFactory transformerFactory();
 
+    Transformer serializationTransformer();
+
+    Transformer normalizationTransformer();
+
     class Mixin implements JavaxXmlFactories, Initializable
     {
         @Uses
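Review bot: The interface still returns the raw, mutable `DocumentBuilderFactory` and `TransformerFactory`, so any caller can change features or attributes on them and undo the hardening that `initialize()` now applies centrally. The visible hunks remove the uses of `transformerFactory()` and `documentBuilderFactory()` from the serializer and deserializer; if no other callers remain (not visible here), dropping the two accessors would close that gap. Otherwise, Javadoc on them should state the contract, for example `/** Returns the shared, hardened factory; callers must not reconfigure it. */`. The three new methods also have no Javadoc saying whether the returned `Transformer` or `Document` is shared or freshly created.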
@@ -39,24 +57,55 @@ public interface JavaxXmlFactories
         private DocumentBuilderFactory documentBuilderFactory;
         private TransformerFactory transformerFactory;
 
+        private Transformer serializationTransformer;
+        private Transformer normalizationTransformer;
+
         @Override
         public void initialize()
         {
             JavaxXmlSettings settings = JavaxXmlSettings.orDefault( descriptor.metaInfo(
JavaxXmlSettings.class ) );
 
-            String documentBuilderFactoryClassName = settings.getDocumentBuilderFactoryClassName();
-            documentBuilderFactory = documentBuilderFactoryClassName == null
-                                     ? DocumentBuilderFactory.newInstance()
-                                     : DocumentBuilderFactory.newInstance( documentBuilderFactoryClassName,
-                                                                           getClass().getClassLoader()
);
-            documentBuilderFactory.setNamespaceAware( false );
-            documentBuilderFactory.setIgnoringComments( true );
-
-            String transformerFactoryClassName = settings.getTransformerFactoryClassName();
-            transformerFactory = transformerFactoryClassName == null
-                                 ? TransformerFactory.newInstance()
-                                 : TransformerFactory.newInstance( transformerFactoryClassName,
-                                                                   getClass().getClassLoader()
);
+            try
+            {
+                String documentBuilderFactoryClassName = settings.getDocumentBuilderFactoryClassName();
+                documentBuilderFactory = documentBuilderFactoryClassName == null
+                                         ? DocumentBuilderFactory.newInstance()
+                                         : DocumentBuilderFactory.newInstance( documentBuilderFactoryClassName,
+                                                                               getClass().getClassLoader()
);
+                documentBuilderFactory.setValidating( false );
+                documentBuilderFactory.setNamespaceAware( false );
+                documentBuilderFactory.setIgnoringComments( true );
+                documentBuilderFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING,
true );
+
+                String transformerFactoryClassName = settings.getTransformerFactoryClassName();
+                transformerFactory = transformerFactoryClassName == null
+                                     ? TransformerFactory.newInstance()
+                                     : TransformerFactory.newInstance( transformerFactoryClassName,
+                                                                       getClass().getClassLoader()
);
+                transformerFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true
);
+                transformerFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_DTD, "" );
+                transformerFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_STYLESHEET,
"" );
+
+                serializationTransformer = transformerFactory.newTransformer();
+                serializationTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
+                serializationTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
+                serializationTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes"
);
+                serializationTransformer.setOutputProperty( OutputKeys.ENCODING, UTF_8.name()
);
+                serializationTransformer.setOutputProperty( OutputKeys.INDENT, "no" );
+
+                String xslPath = "/org/apache/polygene/serialization/javaxxml/deserializer-normalization.xsl";
+                InputStream xsltStream = getClass().getResourceAsStream( xslPath );
+                normalizationTransformer = transformerFactory.newTransformer( new StreamSource(
xsltStream ) );
+                normalizationTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
+                normalizationTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
+                normalizationTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes"
);
+                normalizationTransformer.setOutputProperty( OutputKeys.ENCODING, UTF_8.name()
);
+                normalizationTransformer.setOutputProperty( OutputKeys.INDENT, "no" );
+            }
+            catch( ParserConfigurationException | TransformerConfigurationException ex )
+            {
+                throw new SerializationException( "Unable to setup the XML subsystem", ex
);
+            }
         }
 
         @Override
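Review bot: `documentBuilderFactory` gets only `FEATURE_SECURE_PROCESSING`, while the explicit external-access restrictions (`ACCESS_EXTERNAL_DTD`, `ACCESS_EXTERNAL_STYLESHEET`) are applied to `transformerFactory` alone. What secure processing implies for external DTD and schema fetching is implementation-specific, and the settings allow a custom factory class. If this factory is ever used to parse input (not visible in this diff), setting `documentBuilderFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_DTD, "" );` and `documentBuilderFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_SCHEMA, "" );` would match the commit's stated goal of preventing network requests. Separately, `setAttribute` throws `IllegalArgumentException` when an implementation does not recognise the attribute, and the multi-catch does not cover that. A non-default factory would then fail initialization with an unwrapped exception rather than the `SerializationException`. `getResourceAsStream( xslPath )` can also return null, and the stream is never closed; a null check with a clear message and a try-with-resources would make a packaging error easier to diagnose.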
@@ -66,9 +115,39 @@ public interface JavaxXmlFactories
         }
 
         @Override
+        public Document newDocumentForSerialization()
+        {
+            try
+            {
+                DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
+                Document doc = docBuilder.newDocument();
+                doc.setXmlVersion( "1.1" );
+                doc.setXmlStandalone( true );
+                return doc;
+            }
+            catch( ParserConfigurationException ex )
+            {
+                throw new SerializationException( "Unable to create XML document. "
+                                                  + "Is your javax.xml subsystem correctly
set up?", ex );
+            }
+        }
+
+        @Override
         public TransformerFactory transformerFactory()
         {
             return transformerFactory;
         }
+
+        @Override
+        public Transformer serializationTransformer()
+        {
+            return serializationTransformer;
+        }
+
+        @Override
+        public Transformer normalizationTransformer()
+        {
+            return normalizationTransformer;
+        }
     }
 }

http://git-wip-us.apache.org/repos/asf/polygene-java/blob/30acba2e/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
----------------------------------------------------------------------
diff --git a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
index 44fd7b0..5331f0f 100644
--- a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
+++ b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
@@ -25,9 +25,6 @@ import java.util.Map;
 import java.util.function.Function;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
@@ -82,17 +79,10 @@ public class JavaxXmlSerializer extends AbstractTextSerializer
 
     private JavaxXmlSettings settings;
 
-    private Transformer toStringTransformer;
-
     @Override
     public void initialize() throws Exception
     {
         settings = JavaxXmlSettings.orDefault( descriptor.metaInfo( JavaxXmlSettings.class
) );
-        toStringTransformer = xmlFactories.transformerFactory().newTransformer();
-        toStringTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
-        toStringTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
-        toStringTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes" );
-        toStringTransformer.setOutputProperty( OutputKeys.ENCODING, "UTF-8" );
     }
 
     @Override
@@ -112,7 +102,8 @@ public class JavaxXmlSerializer extends AbstractTextSerializer
             }
             else
             {
-                toStringTransformer.transform( new DOMSource( xmlDocument ), new StreamResult(
writer ) );
+                xmlFactories.serializationTransformer().transform( new DOMSource( xmlDocument
),
+                                                                   new StreamResult( writer
) );
             }
         }
         catch( IOException ex )
@@ -133,22 +124,12 @@ public class JavaxXmlSerializer extends AbstractTextSerializer
 
     private <T> Document doSerializeRoot( Options options, T object )
     {
-        try
-        {
-            Document doc = xmlFactories.documentBuilderFactory().newDocumentBuilder().newDocument();
-            doc.setXmlVersion( "1.1" );
-            doc.setXmlStandalone( true );
-            Element stateElement = doc.createElement( settings.getRootTagName() );
-            Node node = doSerialize( doc, options, object, true );
-            stateElement.appendChild( node );
-            doc.appendChild( stateElement );
-            return doc;
-        }
-        catch( ParserConfigurationException ex )
-        {
-            throw new SerializationException( "Unable to create XML document. "
-                                              + "Is your javax.xml subsystem correctly set
up?", ex );
-        }
+        Document doc = xmlFactories.newDocumentForSerialization();
+        Element stateElement = doc.createElement( settings.getRootTagName() );
+        Node node = doSerialize( doc, options, object, true );
+        stateElement.appendChild( node );
+        doc.appendChild( stateElement );
+        return doc;
     }
 
     private <T> Node doSerialize( Document document, Options options, T object, boolean
root )

