From: paulmerlin@apache.org To: commits@polygene.apache.org Date: Mon, 03 Apr 2017 09:22:51 -0000 Message-Id: <6e4f01331f7042f89cede090eddc58b6@git.apache.org> In-Reply-To: <184a90cfe86b4a4a9b61fad1b850c33e@git.apache.org> References: <184a90cfe86b4a4a9b61fad1b850c33e@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [3/3] polygene-java git commit: Tighten XML subsystem setup archived-at: Mon, 03 Apr 2017 09:22:51 -0000 Tighten XML subsystem setup Move all XML subsystem setup into JavaxXmlFactories. Prevent all network requests from XML parsing. Enable secure XML processing. POLYGENE-239 Project: http://git-wip-us.apache.org/repos/asf/polygene-java/repo Commit: http://git-wip-us.apache.org/repos/asf/polygene-java/commit/30acba2e Tree: http://git-wip-us.apache.org/repos/asf/polygene-java/tree/30acba2e Diff: http://git-wip-us.apache.org/repos/asf/polygene-java/diff/30acba2e Branch: refs/heads/develop Commit: 30acba2eb85b35eff9b8e953e73d39eb08472d01 Parents: 151e020 Author: Paul Merlin Authored: Mon Apr 3 11:22:40 2017 +0200 Committer: Paul Merlin Committed: Mon Apr 3 11:22:40 2017 +0200 ---------------------------------------------------------------------- .../javaxxml/JavaxXmlDeserializer.java | 16 +-- .../javaxxml/JavaxXmlFactories.java | 105 ++++++++++++++++--- .../javaxxml/JavaxXmlSerializer.java | 35 ++----- 3 files changed, 101 insertions(+), 55 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/polygene-java/blob/30acba2e/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java ---------------------------------------------------------------------- diff --git a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java index dcadbd1..9acdfe0 100644 
--- a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java
+++ b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlDeserializer.java
@@ -17,7 +17,6 @@
  */
 package org.apache.polygene.serialization.javaxxml;
-import java.io.InputStream;
 import java.io.Reader;
 import java.lang.reflect.Array;
 import java.util.ArrayList;
@@ -35,8 +34,6 @@ import java.util.function.Predicate;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.dom.DOMResult;
 import javax.xml.transform.stream.StreamSource;
@@ -89,21 +86,10 @@ public class JavaxXmlDeserializer extends AbstractTextDeserializer
     private JavaxXmlSettings settings;
-    private Transformer normalizingTransformer;
-
     @Override
     public void initialize() throws Exception
     {
         settings = JavaxXmlSettings.orDefault( descriptor.metaInfo( JavaxXmlSettings.class ) );
-
-        String xslPath = "/org/apache/polygene/serialization/javaxxml/deserializer-normalization.xsl";
-        InputStream xsltStream = getClass().getResourceAsStream( xslPath );
-        normalizingTransformer = xmlFactories.transformerFactory()
-                                             .newTransformer( new StreamSource( xsltStream ) );
-        normalizingTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
-        normalizingTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
-        normalizingTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes" );
-        normalizingTransformer.setOutputProperty( OutputKeys.ENCODING, UTF_8.name() );
     }
     @Override
@@ -112,7 +98,7 @@ public class JavaxXmlDeserializer extends AbstractTextDeserializer
         try
         {
             DOMResult domResult = new DOMResult();
-            normalizingTransformer.transform( new StreamSource( state ), domResult );
+            xmlFactories.normalizationTransformer().transform( new StreamSource( state ), domResult );
             Node node = domResult.getNode();
             return fromXml( module, valueType, node );
         }
http://git-wip-us.apache.org/repos/asf/polygene-java/blob/30acba2e/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
----------------------------------------------------------------------
diff --git a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
index f3a7f80..72b02fa 100644
--- a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
+++ b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlFactories.java
@@ -17,20 +17,38 @@
  */
 package org.apache.polygene.serialization.javaxxml;
+import java.io.InputStream;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamSource;
 import org.apache.polygene.api.injection.scope.Uses;
 import org.apache.polygene.api.mixin.Initializable;
 import org.apache.polygene.api.mixin.Mixins;
+import org.apache.polygene.api.serialization.SerializationException;
 import org.apache.polygene.api.service.ServiceDescriptor;
+import org.w3c.dom.Document;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
 @Mixins( JavaxXmlFactories.Mixin.class )
 public interface JavaxXmlFactories
 {
     DocumentBuilderFactory documentBuilderFactory();
+    Document newDocumentForSerialization();
+
     TransformerFactory transformerFactory();
+    Transformer serializationTransformer();
+
+    Transformer normalizationTransformer();
+
     class Mixin implements JavaxXmlFactories, Initializable
     {
         @Uses
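Review bot: The three interface methods added here, `newDocumentForSerialization()`, `serializationTransformer()` and `normalizationTransformer()`, carry no Javadoc, and the pair they sit beside has none either, so a caller cannot tell whether a returned Transformer is fresh or shared. In the mixin both accessors return the instance created once in `initialize()`, which is the property most worth stating because javax.xml.transform.Transformer is not specified as safe for use from several threads at once. A line such as `/** Pre-configured XML 1.1 output transformer; a single shared instance, not safe for concurrent use. */` on `serializationTransformer()`, the same wording naming the normalization stylesheet on `normalizationTransformer()`, and `/** Creates a new, empty, standalone XML 1.1 {@link Document} from the configured DocumentBuilderFactory. */` on `newDocumentForSerialization()` would cover it.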
@@ -39,24 +57,55 @@ public interface JavaxXmlFactories
         private DocumentBuilderFactory documentBuilderFactory;
         private TransformerFactory transformerFactory;
+        private Transformer serializationTransformer;
+        private Transformer normalizationTransformer;
+
         @Override
         public void initialize()
         {
             JavaxXmlSettings settings = JavaxXmlSettings.orDefault( descriptor.metaInfo( JavaxXmlSettings.class ) );
-            String documentBuilderFactoryClassName = settings.getDocumentBuilderFactoryClassName();
-            documentBuilderFactory = documentBuilderFactoryClassName == null
-                                     ? DocumentBuilderFactory.newInstance()
-                                     : DocumentBuilderFactory.newInstance( documentBuilderFactoryClassName,
-                                                                           getClass().getClassLoader() );
-            documentBuilderFactory.setNamespaceAware( false );
-            documentBuilderFactory.setIgnoringComments( true );
-
-            String transformerFactoryClassName = settings.getTransformerFactoryClassName();
-            transformerFactory = transformerFactoryClassName == null
-                                 ? TransformerFactory.newInstance()
-                                 : TransformerFactory.newInstance( transformerFactoryClassName,
-                                                                   getClass().getClassLoader() );
+            try
+            {
+                String documentBuilderFactoryClassName = settings.getDocumentBuilderFactoryClassName();
+                documentBuilderFactory = documentBuilderFactoryClassName == null
+                                         ? DocumentBuilderFactory.newInstance()
+                                         : DocumentBuilderFactory.newInstance( documentBuilderFactoryClassName,
+                                                                               getClass().getClassLoader() );
+                documentBuilderFactory.setValidating( false );
+                documentBuilderFactory.setNamespaceAware( false );
+                documentBuilderFactory.setIgnoringComments( true );
+                documentBuilderFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
+
+                String transformerFactoryClassName = settings.getTransformerFactoryClassName();
+                transformerFactory = transformerFactoryClassName == null
+                                     ? TransformerFactory.newInstance()
+                                     : TransformerFactory.newInstance( transformerFactoryClassName,
+                                                                       getClass().getClassLoader() );
+                transformerFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
+                transformerFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_DTD, "" );
+                transformerFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "" );
+
+                serializationTransformer = transformerFactory.newTransformer();
+                serializationTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
+                serializationTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
+                serializationTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes" );
+                serializationTransformer.setOutputProperty( OutputKeys.ENCODING, UTF_8.name() );
+                serializationTransformer.setOutputProperty( OutputKeys.INDENT, "no" );
+
+                String xslPath = "/org/apache/polygene/serialization/javaxxml/deserializer-normalization.xsl";
+                InputStream xsltStream = getClass().getResourceAsStream( xslPath );
+                normalizationTransformer = transformerFactory.newTransformer( new StreamSource( xsltStream ) );
+                normalizationTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
+                normalizationTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
+                normalizationTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes" );
+                normalizationTransformer.setOutputProperty( OutputKeys.ENCODING, UTF_8.name() );
+                normalizationTransformer.setOutputProperty( OutputKeys.INDENT, "no" );
+            }
+            catch( ParserConfigurationException | TransformerConfigurationException ex )
+            {
+                throw new SerializationException( "Unable to setup the XML subsystem", ex );
+            }
         }
         @Override
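Review bot: `documentBuilderFactory` is hardened with FEATURE_SECURE_PROCESSING only, while `transformerFactory` a few lines below also gets explicit `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` restrictions; because the builder implementation is pluggable through `settings.getDocumentBuilderFactoryClassName()` and whether secure processing alone blanks the external-access properties is implementation-specific (the JDK's bundled parser does so, a third-party factory need not), the commit's "prevent all network requests" goal is not guaranteed on that path. Mirror the transformer setup with `documentBuilderFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_DTD, "" );` and `documentBuilderFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_SCHEMA, "" );`, noting that `setAttribute` reports an unsupported attribute as IllegalArgumentException, which the multi-catch at the end of the block does not translate into SerializationException. Separately, `xsltStream` is neither null-checked nor closed: when the classpath resource is missing `getResourceAsStream` returns null and `newTransformer` then fails with an unrelated message, and otherwise the stream stays open after `initialize()` returns. The sketch below applies both points; it needs `java.io.IOException` added to the multi-catch because of the try-with-resources.
```java
                documentBuilderFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
                documentBuilderFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_DTD, "" );
                documentBuilderFactory.setAttribute( XMLConstants.ACCESS_EXTERNAL_SCHEMA, "" );
                // … unchanged: transformerFactory and serializationTransformer setup …
                String xslPath = "/org/apache/polygene/serialization/javaxxml/deserializer-normalization.xsl";
                try( InputStream xsltStream = getClass().getResourceAsStream( xslPath ) )
                {
                    if( xsltStream == null )
                    {
                        throw new IllegalStateException( "Missing XML normalization stylesheet: " + xslPath );
                    }
                    normalizationTransformer = transformerFactory.newTransformer( new StreamSource( xsltStream ) );
                }
                // … unchanged: normalizationTransformer output properties …
            catch( ParserConfigurationException | TransformerConfigurationException | IOException ex )
```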
@@ -66,9 +115,39 @@ public interface JavaxXmlFactories
         }
         @Override
+        public Document newDocumentForSerialization()
+        {
+            try
+            {
+                DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
+                Document doc = docBuilder.newDocument();
+                doc.setXmlVersion( "1.1" );
+                doc.setXmlStandalone( true );
+                return doc;
+            }
+            catch( ParserConfigurationException ex )
+            {
+                throw new SerializationException( "Unable to create XML document. "
+                                                  + "Is your javax.xml subsystem correctly set up?", ex );
+            }
+        }
+
+        @Override
         public TransformerFactory transformerFactory()
         {
             return transformerFactory;
         }
+
+        @Override
+        public Transformer serializationTransformer()
+        {
+            return serializationTransformer;
+        }
+
+        @Override
+        public Transformer normalizationTransformer()
+        {
+            return normalizationTransformer;
+        }
     }
 }
http://git-wip-us.apache.org/repos/asf/polygene-java/blob/30acba2e/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
----------------------------------------------------------------------
diff --git a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
index 44fd7b0..5331f0f 100644
--- a/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
+++ b/extensions/serialization-javaxxml/src/main/java/org/apache/polygene/serialization/javaxxml/JavaxXmlSerializer.java
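Review bot: `serializationTransformer()` and `normalizationTransformer()` hand out the single Transformer instance each that `initialize()` built, and javax.xml.transform.Transformer is not specified as safe for use from several threads concurrently; if this mixin backs a shared service (likely, given it is built on a ServiceDescriptor, but not visible here), the two call sites this commit introduces, `xmlFactories.serializationTransformer().transform(...)` in JavaxXmlSerializer and `xmlFactories.normalizationTransformer().transform(...)` in JavaxXmlDeserializer, can interleave on the same transformer state. The previous per-service fields had the same weakness; centralising them makes the sharing explicit without guarding it. javax.xml.transform.Templates, by contrast, is documented as thread-safe: compile the stylesheet once with `transformerFactory.newTemplates( new StreamSource( xsltStream ) )` into a `Templates normalizationTemplates` field, create a fresh Transformer per accessor call (for the identity case, `transformerFactory.newTransformer()` per call) and apply the output properties each time, or else document both accessors as requiring external synchronization. The sketch below shows the normalization accessor with that change; it needs `javax.xml.transform.Templates` imported.
```java
        @Override
        public Transformer normalizationTransformer()
        {
            try
            {
                // Templates is thread-safe, a Transformer is not: build one per call
                Transformer transformer = normalizationTemplates.newTransformer();
                // … unchanged: the OutputKeys settings currently applied in initialize() …
                return transformer;
            }
            catch( TransformerConfigurationException ex )
            {
                throw new SerializationException( "Unable to create XML normalization transformer", ex );
            }
        }
```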
@@ -25,9 +25,6 @@ import java.util.Map;
 import java.util.function.Function;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.OutputKeys;
-import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
@@ -82,17 +79,10 @@ public class JavaxXmlSerializer extends AbstractTextSerializer
     private JavaxXmlSettings settings;
-    private Transformer toStringTransformer;
-
     @Override
     public void initialize() throws Exception
     {
         settings = JavaxXmlSettings.orDefault( descriptor.metaInfo( JavaxXmlSettings.class ) );
-        toStringTransformer = xmlFactories.transformerFactory().newTransformer();
-        toStringTransformer.setOutputProperty( OutputKeys.METHOD, "xml" );
-        toStringTransformer.setOutputProperty( OutputKeys.VERSION, "1.1" );
-        toStringTransformer.setOutputProperty( OutputKeys.STANDALONE, "yes" );
-        toStringTransformer.setOutputProperty( OutputKeys.ENCODING, "UTF-8" );
     }
     @Override
@@ -112,7 +102,8 @@ public class JavaxXmlSerializer extends AbstractTextSerializer
         }
         else
         {
-            toStringTransformer.transform( new DOMSource( xmlDocument ), new StreamResult( writer ) );
+            xmlFactories.serializationTransformer().transform( new DOMSource( xmlDocument ),
+                                                               new StreamResult( writer ) );
         }
     }
     catch( IOException ex )
@@ -133,22 +124,12 @@ public class JavaxXmlSerializer extends AbstractTextSerializer
     private Document doSerializeRoot( Options options, T object )
     {
-        try
-        {
-            Document doc = xmlFactories.documentBuilderFactory().newDocumentBuilder().newDocument();
-            doc.setXmlVersion( "1.1" );
-            doc.setXmlStandalone( true );
-            Element stateElement = doc.createElement( settings.getRootTagName() );
-            Node node = doSerialize( doc, options, object, true );
-            stateElement.appendChild( node );
-            doc.appendChild( stateElement );
-            return doc;
-        }
-        catch( ParserConfigurationException ex )
-        {
-            throw new SerializationException( "Unable to create XML document. "
-                                              + "Is your javax.xml subsystem correctly set up?", ex );
-        }
+        Document doc = xmlFactories.newDocumentForSerialization();
+        Element stateElement = doc.createElement( settings.getRootTagName() );
+        Node node = doSerialize( doc, options, object, true );
+        stateElement.appendChild( node );
+        doc.appendChild( stateElement );
+        return doc;
     }
     private Node doSerialize( Document document, Options options, T object, boolean root )