/*
* This program is free software; you can redistribute it and/or modify it under the
* terms of the GNU Lesser General Public License, version 2.1 as published by the Free Software
* Foundation.
*
* You should have received a copy of the GNU Lesser General Public License along with this
* program; if not, you can obtain a copy at http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
* or from the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU Lesser General Public License for more details.
*
* Copyright (c) 2016 Pentaho Corporation. All rights reserved.
*/
package org.pentaho.marketplace.util;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
public class XmlParserFactoryProducer {
/**
* Creates an instance of {@link DocumentBuilderFactory} class
* with enabled {@link XMLConstants#FEATURE_SECURE_PROCESSING} property.
* Enabling this feature prevents from some XXE attacks (e.g. XML bomb)
* See PPP-3506 for more details.
*
* @throws ParserConfigurationException if feature can't be enabled
*
*/
public static DocumentBuilderFactory createSecureDocBuilderFactory() throws ParserConfigurationException {
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
docBuilderFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
docBuilderFactory.setFeature( "http://apache.org/xml/features/disallow-doctype-decl", true );
return docBuilderFactory;
}
/**
* Creates an instance of {@link SAXParserFactory} class with enabled {@link XMLConstants#FEATURE_SECURE_PROCESSING} property.
* Enabling this feature prevents from some XXE attacks (e.g. XML bomb)
*
* @throws ParserConfigurationException if a parser cannot
* be created which satisfies the requested configuration.
*
* @throws SAXNotRecognizedException When the underlying XMLReader does
* not recognize the property name.
*
* @throws SAXNotSupportedException When the underlying XMLReader
* recognizes the property name but doesn't support the
* property.
*/
public static SAXParserFactory createSecureSAXParserFactory()
throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
factory.setFeature( "http://xml.org/sax/features/external-general-entities", false );
factory.setFeature( "http://xml.org/sax/features/external-parameter-entities", false );
factory.setFeature( "http://apache.org/xml/features/nonvalidating/load-external-dtd", false );
return factory;
}
}