source: josm/trunk/src/org/openstreetmap/josm/io/OsmServerUserInfoReader.java@ 12051

Last change on this file since 12051 was 10404, checked in by Don-vip, 8 years ago

findbugs security - XML Parsing Vulnerable to XXE - enable FEATURE_SECURE_PROCESSING for DOM builders
  • Property svn:eol-style set to native
File size: 7.6 KB
Line 
1// License: GPL. For details, see LICENSE file.
2package org.openstreetmap.josm.io;
3
4import static org.openstreetmap.josm.tools.I18n.tr;
5
6import java.io.IOException;
7import java.io.InputStream;
8import java.util.LinkedList;
9import java.util.List;
10
11import javax.xml.parsers.ParserConfigurationException;
12import javax.xml.xpath.XPath;
13import javax.xml.xpath.XPathConstants;
14import javax.xml.xpath.XPathException;
15import javax.xml.xpath.XPathFactory;
16
17import org.openstreetmap.josm.data.coor.LatLon;
18import org.openstreetmap.josm.data.osm.DataSet;
19import org.openstreetmap.josm.data.osm.UserInfo;
20import org.openstreetmap.josm.gui.progress.ProgressMonitor;
21import org.openstreetmap.josm.tools.Utils;
22import org.openstreetmap.josm.tools.XmlParsingException;
23import org.openstreetmap.josm.tools.date.DateUtils;
24import org.w3c.dom.Document;
25import org.w3c.dom.Node;
26import org.w3c.dom.NodeList;
27import org.xml.sax.SAXException;
28
29public class OsmServerUserInfoReader extends OsmServerReader {
30
31 protected static String getAttribute(Node node, String name) {
32 return node.getAttributes().getNamedItem(name).getNodeValue();
33 }
34
35 /**
36 * Parses the given XML data and returns the associated user info.
37 * @param document The XML contents
38 * @return The user info
39 * @throws XmlParsingException if parsing goes wrong
40 */
41 public static UserInfo buildFromXML(Document document) throws XmlParsingException {
42 try {
43 XPathFactory factory = XPathFactory.newInstance();
44 XPath xpath = factory.newXPath();
45 UserInfo userInfo = new UserInfo();
46 Node xmlNode = (Node) xpath.compile("/osm/user[1]").evaluate(document, XPathConstants.NODE);
47 if (xmlNode == null)
48 throw new XmlParsingException(tr("XML tag <user> is missing."));
49
50 // -- id
51 String v = getAttribute(xmlNode, "id");
52 if (v == null)
53 throw new XmlParsingException(tr("Missing attribute ''{0}'' on XML tag ''{1}''.", "id", "user"));
54 try {
55 userInfo.setId(Integer.parseInt(v));
56 } catch (NumberFormatException e) {
57 throw new XmlParsingException(tr("Illegal value for attribute ''{0}'' on XML tag ''{1}''. Got {2}.", "id", "user", v), e);
58 }
59 // -- display name
60 v = getAttribute(xmlNode, "display_name");
61 userInfo.setDisplayName(v);
62 // -- account_created
63 v = getAttribute(xmlNode, "account_created");
64 if (v != null) {
65 userInfo.setAccountCreated(DateUtils.fromString(v));
66 }
67 // -- description
68 xmlNode = (Node) xpath.compile("/osm/user[1]/description[1]/text()").evaluate(document, XPathConstants.NODE);
69 if (xmlNode != null) {
70 userInfo.setDescription(xmlNode.getNodeValue());
71 }
72 // -- home
73 xmlNode = (Node) xpath.compile("/osm/user[1]/home").evaluate(document, XPathConstants.NODE);
74 if (xmlNode != null) {
75 v = getAttribute(xmlNode, "lat");
76 if (v == null)
77 throw new XmlParsingException(tr("Missing attribute ''{0}'' on XML tag ''{1}''.", "lat", "home"));
78 double lat;
79 try {
80 lat = Double.parseDouble(v);
81 } catch (NumberFormatException e) {
82 throw new XmlParsingException(tr("Illegal value for attribute ''{0}'' on XML tag ''{1}''. Got {2}.",
83 "lat", "home", v), e);
84 }
85
86 v = getAttribute(xmlNode, "lon");
87 if (v == null)
88 throw new XmlParsingException(tr("Missing attribute ''{0}'' on XML tag ''{1}''.", "lon", "home"));
89 double lon;
90 try {
91 lon = Double.parseDouble(v);
92 } catch (NumberFormatException e) {
93 throw new XmlParsingException(tr("Illegal value for attribute ''{0}'' on XML tag ''{1}''. Got {2}.",
94 "lon", "home", v), e);
95 }
96
97 v = getAttribute(xmlNode, "zoom");
98 if (v == null)
99 throw new XmlParsingException(tr("Missing attribute ''{0}'' on XML tag ''{1}''.", "zoom", "home"));
100 int zoom;
101 try {
102 zoom = Integer.parseInt(v);
103 } catch (NumberFormatException e) {
104 throw new XmlParsingException(tr("Illegal value for attribute ''{0}'' on XML tag ''{1}''. Got {2}.",
105 "zoom", "home", v), e);
106 }
107 userInfo.setHome(new LatLon(lat, lon));
108 userInfo.setHomeZoom(zoom);
109 }
110
111 // -- language list
112 NodeList xmlNodeList = (NodeList) xpath.compile("/osm/user[1]/languages[1]/lang/text()").evaluate(document, XPathConstants.NODESET);
113 if (xmlNodeList != null) {
114 List<String> languages = new LinkedList<>();
115 for (int i = 0; i < xmlNodeList.getLength(); i++) {
116 languages.add(xmlNodeList.item(i).getNodeValue());
117 }
118 userInfo.setLanguages(languages);
119 }
120
121 // -- messages
122 xmlNode = (Node) xpath.compile("/osm/user[1]/messages/received").evaluate(document, XPathConstants.NODE);
123 if (xmlNode != null) {
124 v = getAttribute(xmlNode, "unread");
125 if (v == null)
126 throw new XmlParsingException(tr("Missing attribute ''{0}'' on XML tag ''{1}''.", "unread", "received"));
127 try {
128 userInfo.setUnreadMessages(Integer.parseInt(v));
129 } catch (NumberFormatException e) {
130 throw new XmlParsingException(
131 tr("Illegal value for attribute ''{0}'' on XML tag ''{1}''. Got {2}.", "unread", "received", v), e);
132 }
133 }
134
135 return userInfo;
136 } catch (XPathException e) {
137 throw new XmlParsingException(e);
138 }
139 }
140
141 /**
142 * Constructs a new {@code OsmServerUserInfoReader}.
143 */
144 public OsmServerUserInfoReader() {
145 setDoAuthenticate(true);
146 }
147
148 @Override
149 public DataSet parseOsm(ProgressMonitor progressMonitor) throws OsmTransferException {
150 // not implemented
151 return null;
152 }
153
154 /**
155 * Fetches user info, without explicit reason.
156 * @param monitor The progress monitor
157 * @return The user info
158 * @throws OsmTransferException if something goes wrong
159 */
160 public UserInfo fetchUserInfo(ProgressMonitor monitor) throws OsmTransferException {
161 return fetchUserInfo(monitor, null);
162 }
163
164 /**
165 * Fetches user info, with an explicit reason.
166 * @param monitor The progress monitor
167 * @param reason The reason to show on console. Can be {@code null} if no reason is given
168 * @return The user info
169 * @throws OsmTransferException if something goes wrong
170 * @since 6695
171 */
172 public UserInfo fetchUserInfo(ProgressMonitor monitor, String reason) throws OsmTransferException {
173 try {
174 monitor.beginTask("");
175 monitor.indeterminateSubTask(tr("Reading user info ..."));
176 try (InputStream in = getInputStream("user/details", monitor.createSubTaskMonitor(1, true), reason)) {
177 return buildFromXML(Utils.parseSafeDOM(in));
178 }
179 } catch (OsmTransferException e) {
180 throw e;
181 } catch (IOException | ParserConfigurationException | SAXException e) {
182 throw new OsmTransferException(e);
183 } finally {
184 monitor.finishTask();
185 }
186 }
187}
Note: See TracBrowser for help on using the repository browser.