Fix XXE in calculation view transformer (#1677)

Co-authored-by: Ivan Volkov <[email protected]>
SAP-archive · Jun 8, 2022 · 3418609 · 3418609
1 parent f4e09c5
commit 3418609
Showing 1 changed file with 30 additions and 31 deletions.
diff --git a/...nes/engine-core/src/main/java/com/sap/xsk/modificators/CalculationViewTransformation.java b/...nes/engine-core/src/main/java/com/sap/xsk/modificators/CalculationViewTransformation.java
@@ -11,45 +11,44 @@
  */
 package com.sap.xsk.modificators;
 
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.StringReader;
 import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.StringReader;
 
 public class CalculationViewTransformation {
 
-  private static final String CALCULATION_VIEW_DATA_SOURCE_TRANSFORMATION_XSLT = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
-      + "    <xsl:template match=\"DataSource/@type\" />\n"
-      + "    <xsl:template match=\"@*|node()\">\n"
-      + "        <xsl:copy>\n"
-      + "            <xsl:apply-templates select=\"@*|node()\"/>\n"
-      + "        </xsl:copy>\n"
-      + "    </xsl:template>\n"
-      + "    <xsl:template match=\"logicalJoin/@associatedObjectUri\">\n"
-      + "         <xsl:attribute name=\"associatedObjectUri\">\n"
-      + "           <xsl:value-of select=\"concat(substring-before(substring-after(., '/'), '/'), '::', substring-after(substring-after(substring-after(., '/'), '/'), '/'))\" disable-output-escaping=\"yes\"  />\n"
-      + "         </xsl:attribute>\n"
-      + "     </xsl:template>\n"
-      + "     <xsl:template match=\"measureMapping/@schemaName\">\n"
-      + "         <xsl:copy-of select=\"/@*[name(.)!='schemaName']|node()\" />\n"
-      + "     </xsl:template>\n"
-      + "</xsl:stylesheet>";
+    private static final String CALCULATION_VIEW_DATA_SOURCE_TRANSFORMATION_XSLT = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
+        + "    <xsl:template match=\"DataSource/@type\" />\n"
+        + "    <xsl:template match=\"@*|node()\">\n"
+        + "        <xsl:copy>\n"
+        + "            <xsl:apply-templates select=\"@*|node()\"/>\n"
+        + "        </xsl:copy>\n"
+        + "    </xsl:template>\n"
+        + "    <xsl:template match=\"logicalJoin/@associatedObjectUri\">\n"
+        + "         <xsl:attribute name=\"associatedObjectUri\">\n"
+        + "           <xsl:value-of select=\"concat(substring-before(substring-after(., '/'), '/'), '::', substring-after(substring-after(substring-after(., '/'), '/'), '/'))\" disable-output-escaping=\"yes\"  />\n"
+        + "         </xsl:attribute>\n"
+        + "     </xsl:template>\n"
+        + "     <xsl:template match=\"measureMapping/@schemaName\">\n"
+        + "         <xsl:copy-of select=\"/@*[name(.)!='schemaName']|node()\" />\n"
+        + "     </xsl:template>\n"
+        + "</xsl:stylesheet>";
 
-  public byte[] removeTypeArtifact(byte[] bytes) throws TransformerException {
-    TransformerFactory factory = TransformerFactory.newInstance();
-    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-    Source source = new StreamSource(new StringReader(CALCULATION_VIEW_DATA_SOURCE_TRANSFORMATION_XSLT));
-    Transformer transformer = factory.newTransformer(source);
-    StreamSource text = new StreamSource(new ByteArrayInputStream(bytes));
-    ByteArrayOutputStream bout = new ByteArrayOutputStream();
-    transformer.transform(text, new StreamResult(bout));
-    return bout.toByteArray();
-  }
+    public byte[] removeTypeArtifact(byte[] bytes) throws TransformerException {
+        TransformerFactory factory = TransformerFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        Source source = new StreamSource(new StringReader(CALCULATION_VIEW_DATA_SOURCE_TRANSFORMATION_XSLT));
+        Transformer transformer = factory.newTransformer(source);
+        StreamSource text = new StreamSource(new ByteArrayInputStream(bytes));
+        ByteArrayOutputStream bout = new ByteArrayOutputStream();
+        transformer.transform(text, new StreamResult(bout));
+        return bout.toByteArray();
+    }
 }