fixed

Issue #852
imixs · Mar 10, 2024 · 7968d86 · 7968d86
1 parent b153fc1
commit 7968d86
Show file tree

Hide file tree

Showing 5 changed files with 121 additions and 41 deletions.
diff --git a/imixs-workflow-core/src/main/java/org/imixs/workflow/util/XMLParser.java b/imixs-workflow-core/src/main/java/org/imixs/workflow/util/XMLParser.java
@@ -40,6 +40,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -477,7 +478,10 @@ private static String oldinnerXml(Node node) throws TransformerFactoryConfigurat
         StringWriter writer = new StringWriter();
         String xml = null;
         Transformer transformer;
-        transformer = TransformerFactory.newInstance().newTransformer();
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        // Set secure process - see #852
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
+        transformer = transformerFactory.newTransformer();
         transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
         transformer.transform(new DOMSource(node), new StreamResult(writer));
         // now we remove the outer tag....

diff --git a/imixs-workflow-core/src/main/java/org/imixs/workflow/xml/XSLHandler.java b/imixs-workflow-core/src/main/java/org/imixs/workflow/xml/XSLHandler.java
@@ -38,6 +38,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -72,7 +73,7 @@ public class XSLHandler {
      * @param xslSource
      * @param encoding  (default UTF-8)
      * @return
-     * @throws UnsupportedEncodingException 
+     * @throws UnsupportedEncodingException
      * @throws TransformerException
      */
 
@@ -83,7 +84,11 @@ public static void transform(String xmlSource, String xslSource, String encoding
             if (encoding == null || encoding.isEmpty()) {
                 encoding = "UTF-8";
             }
-            TransformerFactory transFact = TransformerFactory.newInstance();
+            // Setup XSLT
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            // Set secure process - see #852
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
             if (debug) {
                 logger.log(Level.FINEST, "......xslTransformation: encoding={0}", encoding);
             }
@@ -100,7 +105,7 @@ public static void transform(String xmlSource, String xslSource, String encoding
             InputStreamReader isreaderXSL = new InputStreamReader(baisXSL, encoding);
             Source xslSrc = new StreamSource(isreaderXSL);
 
-            Transformer trans = transFact.newTransformer(xslSrc);
+            Transformer trans = transformerFactory.newTransformer(xslSrc);
             trans.transform(xmlSrc, new StreamResult(output));
 
         } finally {

diff --git a/imixs-workflow-engine/src/test/java/org/imixs/workflow/engine/TestReportService.java b/imixs-workflow-engine/src/test/java/org/imixs/workflow/engine/TestReportService.java
@@ -1,8 +1,16 @@
 package org.imixs.workflow.engine;
 
-import org.junit.Test;
+import java.io.ByteArrayOutputStream;
+import java.io.UnsupportedEncodingException;
+import java.util.logging.Logger;
+
+import javax.xml.transform.TransformerException;
 
+import org.imixs.workflow.plugins.TestMailPlugin;
+import org.imixs.workflow.xml.XSLHandler;
 import org.junit.Assert;
+import org.junit.Ignore;
+import org.junit.Test;
 
 /**
  * Test class for ReportService
@@ -13,12 +21,14 @@
  */
 public class TestReportService {
 
+	private final static Logger logger = Logger.getLogger(TestMailPlugin.class.getName());
+
 	/**
 	 * Test the customNumberFormat method of the report service.
 	 */
 	@Test
 	public void testFormatNumber() {
-		ReportService reportService=new ReportService();
+		ReportService reportService = new ReportService();
 		Assert.assertEquals("123,456.789", reportService.customNumberFormat("###,###.###", "en_UK", 123456.789));
 		Assert.assertEquals("123,456.789", reportService.customNumberFormat("###,###.###", "en_US", 123456.789));
 		Assert.assertEquals("123,456.79", reportService.customNumberFormat("###,##0.00", "en_US", 123456.789));
@@ -27,4 +37,65 @@ public void testFormatNumber() {
 		Assert.assertEquals("EUR 1.456,78", reportService.customNumberFormat("EUR #,###,##0.00", "de_DE", 1456.781));
 	}
 
+	/**
+	 * This test verifies the FEATURE_SECURE_PROCESSING.
+	 * This feature will set limits on XML constructs to avoid conditions such as
+	 * denial of service attacks.
+	 * 
+	 * See discussion: https://github.com/imixs/imixs-workflow/issues/852
+	 * 
+	 * 
+	 */
+	@Test
+	@Ignore
+	public void testSecureProcessing() {
+		logger.info("[TestMailPlugin] getBody...");
+
+		// prepare data
+		String insecureCode = "xxxxx";
+		// insecureCode = "<xml:stylesheet version=\"1.0\"
+		// xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"
+		// xmlns:rt=\"http://xml.apache.org/xalan/java/javax.xml.transform\"
+		// xmlns:ob=\"http://xml.apache.org/xalan/java/org.apache.xalan.xsltc\"
+		// xmlns:val=\"rt:getRuntime()\" xmlns:proc=\"rt:exec('$rt:load(\\'touch
+		// ~/insecure_success\\')')\" xmlns:parameter=\"ob:toString('$processString')\"
+		// xmlns:value-of=\"rt:eval('$value-ofString')\" />\n";
+
+		String xmlDoc = "<document>" +
+				"   <item name=\"txtname\"><value>Anna</value></item>" +
+				"	<item name='insecure'>" +
+				"      <value xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"" +
+				"	          xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xsi:type=\"xs:string\">" + insecureCode +
+				"	   </value>" +
+				"   </item>" +
+				"</document>";
+
+		// create XSL template...
+		String xsl = "";
+		xsl = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>" + "<xsl:stylesheet xmlns=\"http://www.w3.org/1999/xhtml\""
+				+ "	xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">"
+				+ " <xsl:output method=\"html\" media-type=\"text/html\" indent=\"no\" encoding=\"ISO-8859-1\"" + " />";
+		xsl += "<xsl:template match=\"/\">";
+		xsl += "<html>  <body> ";
+		xsl += " <h1>Welcome</h1>";
+		xsl += " <h2><xsl:value-of select=\"document/item[@name='txtname']/value\" /></h2>";
+		xsl += " <h3><xsl:value-of select=\"document/item[@name='insecure']/value\" /></h3>";
+		xsl += "</body></html>";
+		xsl += "</xsl:template></xsl:stylesheet>";
+
+		try {
+			ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+			logger.info("xmlDoc=" + xmlDoc);
+			XSLHandler.transform(xmlDoc, xsl, "UTF-8", outputStream);
+			String outputContent = outputStream.toString("UTF-8");
+			logger.info("result=" + outputContent);
+			Assert.assertTrue(outputContent.contains("<h2>Anna</h2>"));
+
+		} catch (UnsupportedEncodingException | TransformerException e) {
+			e.printStackTrace();
+			Assert.fail();
+		}
+
+	}
+
 }
diff --git a/imixs-workflow-jax-rs/src/main/java/org/imixs/workflow/jaxrs/ReportRestService.java b/imixs-workflow-jax-rs/src/main/java/org/imixs/workflow/jaxrs/ReportRestService.java
@@ -42,26 +42,10 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
-import jakarta.inject.Inject;
-import jakarta.ws.rs.Consumes;
-import jakarta.ws.rs.DELETE;
-import jakarta.ws.rs.DefaultValue;
-import jakarta.ws.rs.GET;
-import jakarta.ws.rs.POST;
-import jakarta.ws.rs.PUT;
-import jakarta.ws.rs.Path;
-import jakarta.ws.rs.PathParam;
-import jakarta.ws.rs.Produces;
-import jakarta.ws.rs.QueryParam;
-import jakarta.ws.rs.WebApplicationException;
-import jakarta.ws.rs.core.Context;
-import jakarta.ws.rs.core.MediaType;
-import jakarta.ws.rs.core.MultivaluedMap;
-import jakarta.ws.rs.core.Response;
-import jakarta.ws.rs.core.StreamingOutput;
-import jakarta.ws.rs.core.UriInfo;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@@ -84,11 +68,28 @@
 import org.imixs.workflow.xml.XSLHandler;
 
 import jakarta.ejb.Stateless;
+import jakarta.inject.Inject;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.DefaultValue;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.WebApplicationException;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.StreamingOutput;
+import jakarta.ws.rs.core.UriInfo;
 import jakarta.xml.bind.JAXBContext;
 import jakarta.xml.bind.Marshaller;
-import java.util.logging.Level;
 
 /**
  * The WorkflowService Handler supports methods to process different kind of
@@ -567,31 +568,28 @@ public void fopTranformation(String xmlSource, String xslSource, String aEncodin
             Fop fop = fopFactory.newFop(MimeConstants.MIME_PDF, foUserAgent, output);
 
             // Setup XSLT
-            TransformerFactory factory = TransformerFactory.newInstance();
-            ByteArrayInputStream baisXSL = new ByteArrayInputStream(xslSource.getBytes());
-            InputStreamReader isreaderXSL = new InputStreamReader(baisXSL, aEncoding);
-            Source xslSrc = new StreamSource(isreaderXSL);
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            // Set secure process - see #852
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            ByteArrayInputStream baseXSL = new ByteArrayInputStream(xslSource.getBytes());
+            InputStreamReader isReaderXSL = new InputStreamReader(baseXSL, aEncoding);
+            Source xslSrc = new StreamSource(isReaderXSL);
 
-            Transformer transformer = factory.newTransformer(xslSrc);
+            Transformer transformer = transformerFactory.newTransformer(xslSrc);
 
             // Setup input for XSLT transformation
             ByteArrayInputStream baisXML = new ByteArrayInputStream(xmlSource.getBytes());
-            InputStreamReader isreaderXML;
-
-            isreaderXML = new InputStreamReader(baisXML, aEncoding);
+            InputStreamReader isReaderXML;
+            isReaderXML = new InputStreamReader(baisXML, aEncoding);
+            Source xmlSrc = new StreamSource(isReaderXML);
 
-            Source xmlSrc = new StreamSource(isreaderXML);
-
-            // Resulting SAX events (the generated FO) must be piped through to
-            // FOP
+            // Resulting SAX events (the generated FO) must be piped through to FOP
             Result res = new SAXResult(fop.getDefaultHandler());
 
             // Start XSLT transformation and FOP processing
             transformer.transform(xmlSrc, res);
 
-            // return res.toString();
         } finally {
-
             // out.close();
             // output.flush();
             // output.close();

diff --git a/src/site/markdown/core/xml/post_xml.md b/src/site/markdown/core/xml/post_xml.md
@@ -10,8 +10,10 @@ template provided in a file:
 		String sXSLPath="/home/imixs.xsl";
 		StreamSource stylesource = new StreamSource(sXSLPath);
 		// create a transformer factory
-		TransformerFactory factory = TransformerFactory.newInstance();
-		Transformer transformer = factory.newTransformer(stylesource);
+		TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+		Transformer transformer = transformerFactory.newTransformer(stylesource);
 		// create a ByteArray Output Stream
 		ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
 		transformer.transform(domSource, new StreamResult(outputStream));