Changeset 10404 in josm for trunk/src/org/openstreetmap/josm/tools

Timestamp:

2016-06-16T19:10:53+02:00 (7 years ago)

Author:

Don-vip

Message:

findbugs security - XML Parsing Vulnerable to XXE - enable FEATURE_SECURE_PROCESSING for DOM builders

Location:

trunk/src/org/openstreetmap/josm/tools

Files:

• Utils.java (modified) (3 diffs)
• bugreport/BugReportSender.java (modified) (2 diffs)

trunk/src/org/openstreetmap/josm/tools/Utils.java

@@ -64 +64 @@
 
 import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
@@ -70 +72 @@
 import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
 import org.openstreetmap.josm.Main;
+import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -1408 +1411 @@
         }
         return null;
+    }
+
+    /**
+     * Returns a new secure DOM builder, supporting XML namespaces.
+     * @return a new secure DOM builder, supporting XML namespaces
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @since 10404
+     */
+    public static DocumentBuilder newSafeDOMBuilder() throws ParserConfigurationException {
+        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+        builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        builderFactory.setNamespaceAware(true);
+        builderFactory.setValidating(false);
+        return builderFactory.newDocumentBuilder();
+    }
+
+    /**
+     * Parse the content given {@link InputStream} as XML.
+     * This method uses a secure DOM builder, supporting XML namespaces.
+     *
+     * @param is The InputStream containing the content to be parsed.
+     * @return the result DOM document
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @throws IOException if any IO errors occur.
+     * @throws SAXException for SAX errors.
+     * @since 10404
+     */
+    public static Document parseSafeDOM(InputStream is) throws ParserConfigurationException, IOException, SAXException {
+        long start = System.currentTimeMillis();
+        if (Main.isDebugEnabled()) {
+            Main.debug("Starting DOM parsing of " + is);
+        }
+        Document result = newSafeDOMBuilder().parse(is);
+        if (Main.isDebugEnabled()) {
+            Main.debug("DOM parsing done in " + getDurationString(System.currentTimeMillis() - start));
+        }
+        return result;
     }
 

trunk/src/org/openstreetmap/josm/tools/bugreport/BugReportSender.java

@@ -18 +18 @@
 import javax.swing.JPanel;
 import javax.swing.SwingUtilities;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
@@ -100 +98 @@
 
             try (InputStream in = connection.getContent()) {
-                DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-                Document document = builder.parse(in);
-                return retrieveDebugToken(document);
+                return retrieveDebugToken(Utils.parseSafeDOM(in));
             }
         } catch (IOException | SAXException | ParserConfigurationException | XPathExpressionException t) {