Changeset 10404 in josm for trunk/src/org/openstreetmap


Ignore:
Timestamp:
2016-06-16T19:10:53+02:00 (8 years ago)
Author:
Don-vip
Message:

findbugs security - XML Parsing Vulnerable to XXE - enable FEATURE_SECURE_PROCESSING for DOM builders

Location:
trunk/src/org/openstreetmap/josm
Files:
8 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/org/openstreetmap/josm/data/CustomConfigurator.java

    r10378 r10404  
    3535import javax.swing.SwingUtilities;
    3636import javax.xml.parsers.DocumentBuilder;
    37 import javax.xml.parsers.DocumentBuilderFactory;
    3837import javax.xml.parsers.ParserConfigurationException;
    3938import javax.xml.stream.XMLStreamException;
     
    269268        try {
    270269            String toXML = Main.pref.toXML(true);
    271             InputStream is = new ByteArrayInputStream(toXML.getBytes(StandardCharsets.UTF_8));
    272             DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    273             builderFactory.setValidating(false);
    274             builderFactory.setNamespaceAware(false);
    275             DocumentBuilder builder = builderFactory.newDocumentBuilder();
    276             document = builder.parse(is);
     270            DocumentBuilder builder = Utils.newSafeDOMBuilder();
     271            document = builder.parse(new ByteArrayInputStream(toXML.getBytes(StandardCharsets.UTF_8)));
    277272            exportDocument = builder.newDocument();
    278273            root = document.getDocumentElement();
     
    465460        public void openAndReadXML(InputStream is) {
    466461            try {
    467                 DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    468                 builderFactory.setValidating(false);
    469                 builderFactory.setNamespaceAware(true);
    470                 DocumentBuilder builder = builderFactory.newDocumentBuilder();
    471                 Document document = builder.parse(is);
     462                Document document = Utils.parseSafeDOM(is);
    472463                synchronized (CustomConfigurator.class) {
    473464                    processXML(document);
  • trunk/src/org/openstreetmap/josm/gui/oauth/TestAccessTokenTask.java

    r10173 r10404  
    1010
    1111import javax.swing.JOptionPane;
    12 import javax.xml.parsers.DocumentBuilderFactory;
    1312import javax.xml.parsers.ParserConfigurationException;
    1413
     
    2625import org.openstreetmap.josm.tools.CheckParameterUtil;
    2726import org.openstreetmap.josm.tools.HttpClient;
     27import org.openstreetmap.josm.tools.Utils;
    2828import org.openstreetmap.josm.tools.XmlParsingException;
    2929import org.w3c.dom.Document;
     
    124124                throw new OsmApiException(connection.getResponse().getResponseCode(),
    125125                        connection.getResponse().getHeaderField("Error"), null);
    126             Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(connection.getResponse().getContent());
     126            Document d = Utils.parseSafeDOM(connection.getResponse().getContent());
    127127            return OsmServerUserInfoReader.buildFromXML(d);
    128128        } catch (SAXException | ParserConfigurationException e) {
  • trunk/src/org/openstreetmap/josm/io/OsmServerUserInfoReader.java

    r10212 r10404  
    99import java.util.List;
    1010
    11 import javax.xml.parsers.DocumentBuilderFactory;
    1211import javax.xml.parsers.ParserConfigurationException;
    1312import javax.xml.xpath.XPath;
     
    2019import org.openstreetmap.josm.data.osm.UserInfo;
    2120import org.openstreetmap.josm.gui.progress.ProgressMonitor;
     21import org.openstreetmap.josm.tools.Utils;
    2222import org.openstreetmap.josm.tools.XmlParsingException;
    2323import org.openstreetmap.josm.tools.date.DateUtils;
     
    175175            monitor.indeterminateSubTask(tr("Reading user info ..."));
    176176            try (InputStream in = getInputStream("user/details", monitor.createSubTaskMonitor(1, true), reason)) {
    177                 return buildFromXML(
    178                         DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in)
    179                 );
     177                return buildFromXML(Utils.parseSafeDOM(in));
    180178            }
    181179        } catch (OsmTransferException e) {
  • trunk/src/org/openstreetmap/josm/io/imagery/WMSImagery.java

    r10216 r10404  
    1818import javax.imageio.ImageIO;
    1919import javax.xml.parsers.DocumentBuilder;
    20 import javax.xml.parsers.DocumentBuilderFactory;
    2120import javax.xml.parsers.ParserConfigurationException;
    2221
     
    152151
    153152        try {
    154             DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    155             builderFactory.setValidating(false);
    156             builderFactory.setNamespaceAware(true);
    157             DocumentBuilder builder = builderFactory.newDocumentBuilder();
     153            DocumentBuilder builder = Utils.newSafeDOMBuilder();
    158154            builder.setEntityResolver(new EntityResolver() {
    159155                @Override
  • trunk/src/org/openstreetmap/josm/io/session/SessionReader.java

    r10208 r10404  
    2929import javax.swing.JOptionPane;
    3030import javax.swing.SwingUtilities;
    31 import javax.xml.parsers.DocumentBuilder;
    32 import javax.xml.parsers.DocumentBuilderFactory;
    3331import javax.xml.parsers.ParserConfigurationException;
    3432
     
    633631
    634632        try {
    635             DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    636             builderFactory.setValidating(false);
    637             builderFactory.setNamespaceAware(true);
    638             DocumentBuilder builder = builderFactory.newDocumentBuilder();
    639             Document document = builder.parse(josIS);
    640             parseJos(document, progressMonitor);
     633            parseJos(Utils.parseSafeDOM(josIS), progressMonitor);
    641634        } catch (SAXException e) {
    642635            throw new IllegalDataException(e);
  • trunk/src/org/openstreetmap/josm/io/session/SessionWriter.java

    r10212 r10404  
    1919
    2020import javax.xml.parsers.DocumentBuilder;
    21 import javax.xml.parsers.DocumentBuilderFactory;
    2221import javax.xml.parsers.ParserConfigurationException;
    2322import javax.xml.transform.OutputKeys;
     
    201200     */
    202201    public Document createJosDocument() throws IOException {
    203         DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
    204         builderFactory.setValidating(false);
    205         builderFactory.setNamespaceAware(true);
    206202        DocumentBuilder builder = null;
    207203        try {
    208             builder = builderFactory.newDocumentBuilder();
     204            builder = Utils.newSafeDOMBuilder();
    209205        } catch (ParserConfigurationException e) {
    210             throw new RuntimeException(e);
     206            throw new IOException(e);
    211207        }
    212208        Document doc = builder.newDocument();
  • trunk/src/org/openstreetmap/josm/tools/Utils.java

    r10315 r10404  
    6464
    6565import javax.xml.XMLConstants;
     66import javax.xml.parsers.DocumentBuilder;
     67import javax.xml.parsers.DocumentBuilderFactory;
    6668import javax.xml.parsers.ParserConfigurationException;
    6769import javax.xml.parsers.SAXParser;
     
    7072import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
    7173import org.openstreetmap.josm.Main;
     74import org.w3c.dom.Document;
    7275import org.xml.sax.InputSource;
    7376import org.xml.sax.SAXException;
     
    14081411        }
    14091412        return null;
     1413    }
     1414
     1415    /**
     1416     * Returns a new secure DOM builder, supporting XML namespaces.
     1417     * @return a new secure DOM builder, supporting XML namespaces
     1418     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
     1419     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
     1420     * @since 10404
     1421     */
     1422    public static DocumentBuilder newSafeDOMBuilder() throws ParserConfigurationException {
     1423        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
     1424        builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     1425        builderFactory.setNamespaceAware(true);
     1426        builderFactory.setValidating(false);
     1427        return builderFactory.newDocumentBuilder();
     1428    }
     1429
     1430    /**
     1431     * Parse the content given {@link InputStream} as XML.
     1432     * This method uses a secure DOM builder, supporting XML namespaces.
     1433     *
     1434     * @param is The InputStream containing the content to be parsed.
     1435     * @return the result DOM document
     1436     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
     1437     * @throws IOException if any IO errors occur.
     1438     * @throws SAXException for SAX errors.
     1439     * @since 10404
     1440     */
     1441    public static Document parseSafeDOM(InputStream is) throws ParserConfigurationException, IOException, SAXException {
     1442        long start = System.currentTimeMillis();
     1443        if (Main.isDebugEnabled()) {
     1444            Main.debug("Starting DOM parsing of " + is);
     1445        }
     1446        Document result = newSafeDOMBuilder().parse(is);
     1447        if (Main.isDebugEnabled()) {
     1448            Main.debug("DOM parsing done in " + getDurationString(System.currentTimeMillis() - start));
     1449        }
     1450        return result;
    14101451    }
    14111452
  • trunk/src/org/openstreetmap/josm/tools/bugreport/BugReportSender.java

    r10067 r10404  
    1818import javax.swing.JPanel;
    1919import javax.swing.SwingUtilities;
    20 import javax.xml.parsers.DocumentBuilder;
    21 import javax.xml.parsers.DocumentBuilderFactory;
    2220import javax.xml.parsers.ParserConfigurationException;
    2321import javax.xml.xpath.XPath;
     
    10098
    10199            try (InputStream in = connection.getContent()) {
    102                 DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    103                 Document document = builder.parse(in);
    104                 return retrieveDebugToken(document);
     100                return retrieveDebugToken(Utils.parseSafeDOM(in));
    105101            }
    106102        } catch (IOException | SAXException | ParserConfigurationException | XPathExpressionException t) {
Note: See TracChangeset for help on using the changeset viewer.