SafeXmlUtils
SafeXmlUtils is a class used in our library, in projects like iso20022 and Integrator.
This class provides mechanisms for creating secure XML parsers and transformers, focusing on mitigating XXE (XML External Entity) attacks.
The features of SafeXmlUtils are dependent on the implementation of XML APIs and have known issues with various versions of Xerces and Xalan. If an error occurs due to a feature not present in the environment, you can examine the XML-related dependencies and replace those that do not support the necessary feature.
Configuration for Ignoring Unsupported Features
In situations where dependencies cannot be modified to support a required XML feature, SafeXmlUtils
allows for the bypassing of
unsupported features by adding a property file to the classpath.
Configuration Steps:
- Property File: Create a file named
pw-swift-core.properties
and place it in the classpath of your project. - Properties Definition: Define the property
safeXmlUtils.ignore
in this file. Assign to this property a comma-separated list of XML features that should be ignored bySafeXmlUtils
. For example:
safeXmlUtils.ignore=http://xml.org/sax/features/external-general-entities,http://apache.org/xml/features/disallow-doctype-decl
By listing features in this property, SafeXmlUtils
will skip them, thereby preventing exceptions related to these
features not being available in the runtime environment.
Implementation Details
SafeXmlUtils
includes several methods tailored to create various types of XML parsers and transformers with safety
configurations. These methods apply or bypass specific XML features based on the project’s environment and needs.
Key methods include:
- documentBuilder(boolean namespaceAware): Configures a DocumentBuilder with safety features.
- reader(boolean namespaceAware, Schema schema): Creates a SAX parser with customized features.
- inputFactory(): Sets up a StAX parser with specific security settings.
- transformer(): Provides a Transformer with restricted access to external DTD and Stylesheets.
- schemaFactory(): Configures a SchemaFactory with limited external DTD access.
- validator(Schema schema): Creates a Validator with controlled access to external DTD and Schema.
Each of these methods handles specific XML features like "http://xml.org/sax/features/external-general-entities", "http://apache.org/xml/features/disallow-doctype-decl", and others, ensuring that only secure and supported XML processing features are utilized.