|
| 1 | +/** |
| 2 | + * Copyright 2026 Martynas Jusevičius <martynas@atomgraph.com> |
| 3 | + * |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + * you may not use this file except in compliance with the License. |
| 6 | + * You may obtain a copy of the License at |
| 7 | + * |
| 8 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | + * |
| 10 | + * Unless required by applicable law or agreed to in writing, software |
| 11 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + * See the License for the specific language governing permissions and |
| 14 | + * limitations under the License. |
| 15 | + * |
| 16 | + */ |
| 17 | +package com.atomgraph.linkeddatahub.server.util; |
| 18 | + |
| 19 | +import javax.xml.XMLConstants; |
| 20 | +import javax.xml.parsers.DocumentBuilderFactory; |
| 21 | +import javax.xml.parsers.ParserConfigurationException; |
| 22 | +import javax.xml.parsers.SAXParserFactory; |
| 23 | +import org.xml.sax.SAXException; |
| 24 | +import org.xml.sax.XMLReader; |
| 25 | + |
| 26 | +/** |
| 27 | + * Factory helpers for XML parsers hardened against XXE and entity-expansion (billion laughs) attacks. |
| 28 | + * |
| 29 | + * @author Martynas Jusevičius {@literal <martynas@atomgraph.com>} |
| 30 | + * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">OWASP XXE Prevention</a> |
| 31 | + */ |
| 32 | +public final class SecureXML |
| 33 | +{ |
| 34 | + |
| 35 | + private SecureXML() |
| 36 | + { |
| 37 | + } |
| 38 | + |
| 39 | + /** |
| 40 | + * Returns a namespace-aware {@link DocumentBuilderFactory} with DTDs and external entities disabled. |
| 41 | + * Suitable for parsing trusted internal XML (e.g. stylesheets) that never carries a DOCTYPE. |
| 42 | + * |
| 43 | + * @return hardened document builder factory |
| 44 | + * @throws ParserConfigurationException if a feature cannot be set |
| 45 | + */ |
| 46 | + public static DocumentBuilderFactory newDocumentBuilderFactory() throws ParserConfigurationException |
| 47 | + { |
| 48 | + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); |
| 49 | + factory.setNamespaceAware(true); |
| 50 | + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); |
| 51 | + factory.setFeature("http://xml.org/sax/features/external-general-entities", false); |
| 52 | + factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); |
| 53 | + factory.setXIncludeAware(false); |
| 54 | + factory.setExpandEntityReferences(false); |
| 55 | + return factory; |
| 56 | + } |
| 57 | + |
| 58 | + /** |
| 59 | + * Returns an {@link XMLReader} hardened for parsing untrusted external content. |
| 60 | + * Secure processing caps entity expansion (billion laughs) and external entities are disabled, |
| 61 | + * while a benign internal DOCTYPE (e.g. XHTML) is still tolerated. |
| 62 | + * |
| 63 | + * @return hardened XML reader |
| 64 | + * @throws ParserConfigurationException if a feature cannot be set |
| 65 | + * @throws SAXException if the reader cannot be created |
| 66 | + */ |
| 67 | + public static XMLReader newXMLReader() throws ParserConfigurationException, SAXException |
| 68 | + { |
| 69 | + SAXParserFactory factory = SAXParserFactory.newInstance(); |
| 70 | + factory.setNamespaceAware(true); |
| 71 | + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
| 72 | + factory.setFeature("http://xml.org/sax/features/external-general-entities", false); |
| 73 | + factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); |
| 74 | + factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); |
| 75 | + return factory.newSAXParser().getXMLReader(); |
| 76 | + } |
| 77 | + |
| 78 | +} |
0 commit comments