Set FEATURE_SECURE_PROCESSING for DocumentBuilderFactory

veraPDF · Nov 4, 2024 · 37da4ec · 37da4ec
1 parent 31fe8bf
commit 37da4ec
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java b/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
@@ -28,6 +28,7 @@
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -36,6 +37,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Properties;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import static org.verapdf.metadata.fixer.utils.MetadataFixerConstants.*;
 
@@ -44,6 +47,7 @@
  */
 public class XMLProcessedObjectsParser implements ProcessedObjectsParser {
 
+    private static final Logger LOGGER = Logger.getLogger(XMLProcessedObjectsParser.class.getCanonicalName());
     private static final String XML_PROCESSED_OBJECTS_PATH_PROPERTY_PDFA_1 = "processed.objects.path.pdfa_1";
     private static final String XML_PROCESSED_OBJECTS_PATH_PROPERTY_PDFA_2_3 = "processed.objects.path.pdfa_2_3";
     private static final String XML_PROCESSED_OBJECTS_PATH_PROPERTY_PDFA_4 = "processed.objects.path.pdfa_4";
@@ -83,7 +87,11 @@ public ProcessedObjects getProcessedObjects(String path)
     public ProcessedObjects getProcessedObjects(InputStream xml)
             throws ParserConfigurationException, IOException, SAXException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (Exception e) {
+            LOGGER.log(Level.WARNING, "Unable to secure xml processing");
+        }
         DocumentBuilder builder = factory.newDocumentBuilder();
 
         factory.setIgnoringElementContentWhitespace(true);

diff --git a/core/src/main/java/org/verapdf/report/XmpHandler.java b/core/src/main/java/org/verapdf/report/XmpHandler.java
@@ -29,13 +29,16 @@
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.bind.DatatypeConverter;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.util.Arrays;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * Class that's initially a placeholder for XMP specific functionality.
@@ -51,6 +54,7 @@
  * @author <a href="mailto:[email protected]">Carl Wilson</a>
  */
 public class XmpHandler {
+	private static final Logger LOGGER = Logger.getLogger(XmpHandler.class.getCanonicalName());
 	private static final byte[] UTF8_METADATA_PREFIX_SQ = {0x3C, 0x3F, 0x78,
 			0x70, 0x61, 0x63, 0x6B, 0x65, 0x74, 0x20, 0x62, 0x65, 0x67, 0x69,
 			0x6E, 0x3D, 0x27, -0x11, -0x45, -0x41, 0x27};
@@ -134,6 +138,11 @@ public static Node parseMetadataRootElement(FeatureTreeNode metadataNode)
 			return null;
 		}
 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		try {
+			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+		} catch (Exception e) {
+			LOGGER.log(Level.WARNING, "Unable to secure metadata processing");
+		}
 		factory.setNamespaceAware(true);
 		DocumentBuilder builder = factory.newDocumentBuilder();
 		Document metadataDocument = builder.parse(is);