Improve XML XXE protection

https://rules.sonarsource.com/java/RSPEC-2755/
mangstadt · Nov 4, 2023 · 80a54d0 · 80a54d0 · M66B · Dec 31, 2023
1 parent 2e80b18
commit 80a54d0
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/src/main/java/biweekly/io/xml/XCalDocument.java b/src/main/java/biweekly/io/xml/XCalDocument.java
@@ -471,7 +471,10 @@ public void write(Writer writer, Integer indent, String xmlVersion) throws Trans
 	public void write(Writer writer, Map<String, String> outputProperties) throws TransformerException {
 		Transformer transformer;
 		try {
-			transformer = TransformerFactory.newInstance().newTransformer();
+			TransformerFactory factory = TransformerFactory.newInstance();
+			XmlUtils.applyXXEProtection(factory);
+
+			transformer = factory.newTransformer();
 		} catch (TransformerConfigurationException e) {
 			//should never be thrown because we're not doing anything fancy with the configuration
 			throw new RuntimeException(e);

diff --git a/src/main/java/biweekly/util/XmlUtils.java b/src/main/java/biweekly/util/XmlUtils.java
@@ -202,13 +202,18 @@ public static void applyXXEProtection(DocumentBuilderFactory factory) {
 	 * @see <a href=
 	 * "https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet#Java">
 	 * XXE Cheat Sheet</a>
+	 * @see <a href="https://rules.sonarsource.com/java/RSPEC-2755/">SonarLint
+	 * 2755</a>
 	 */
 	public static void applyXXEProtection(TransformerFactory factory) {
 		//@formatter:off
 		String[] attributes = {
 			//XMLConstants.ACCESS_EXTERNAL_DTD (Java 7 only)
 			"http://javax.xml.XMLConstants/property/accessExternalDTD",
 
+			//XMLConstants.ACCESS_EXTERNAL_SCHEMA (Java 7 only)
+			"http://javax.xml.XMLConstants/property/accessExternalSchema", 
+
 			//XMLConstants.ACCESS_EXTERNAL_STYLESHEET (Java 7 only)
 			"http://javax.xml.XMLConstants/property/accessExternalStylesheet"
 		};
@@ -283,7 +288,10 @@ public static void toWriter(Node node, Writer writer) throws TransformerExceptio
 	 */
 	public static void toWriter(Node node, Writer writer, Map<String, String> outputProperties) throws TransformerException {
 		try {
-			Transformer transformer = TransformerFactory.newInstance().newTransformer();
+			TransformerFactory factory = TransformerFactory.newInstance();
+			applyXXEProtection(factory);
+
+			Transformer transformer = factory.newTransformer();
 			for (Map.Entry<String, String> property : outputProperties.entrySet()) {
 				try {
 					transformer.setOutputProperty(property.getKey(), property.getValue());