dkontyko · dkontyko · Feb 12, 2024 · Feb 12, 2024 · Feb 12, 2024
diff --git a/FunctionApp/src/main/java/app/djk/RestPdfFormFiller/Pdf/RestPdfApi.java b/FunctionApp/src/main/java/app/djk/RestPdfFormFiller/Pdf/RestPdfApi.java
@@ -9,15 +9,17 @@
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import java.io.*;
-import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.List;
 
 public class RestPdfApi {
-    public static final ArrayList<String> FORM_DATA_FORMATS = new ArrayList<>(Arrays.asList("json", "xml"));
+
+    private RestPdfApi() {
+        throw new IllegalStateException("Utility class");
+    }
+    public static final List<String> FORM_DATA_FORMATS = List.of("json", "xml");
 
     /**
      * Gets the XML form field data from the given DA 4187. (This may work with other XFA forms, but
@@ -33,7 +35,7 @@ public static String getXfaDatasetNodeAsString(InputStream is) throws IOExceptio
             //This is the node that contains the XFA form data.
             final var datasetsNode = newReader.getAcroFields().getXfa().getDatasetsNode();
 
-            final var transformer = TransformerFactory.newInstance().newTransformer();
+            final var transformer = SecureTransformerFactory.newInstance().newTransformer();
             transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
             transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 

diff --git a/FunctionApp/src/main/java/app/djk/RestPdfFormFiller/Pdf/SecureTransformerFactory.java b/FunctionApp/src/main/java/app/djk/RestPdfFormFiller/Pdf/SecureTransformerFactory.java
@@ -0,0 +1,24 @@
+package app.djk.RestPdfFormFiller.Pdf;
+
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+
+public class SecureTransformerFactory {
+
+    private SecureTransformerFactory() {
+        throw new IllegalStateException("Utility class");
+    }
+    public static TransformerFactory newInstance() throws TransformerConfigurationException {
+        TransformerFactory factory = TransformerFactory.newInstance(); //NOSONAR
+        try {
+            // Disable external entities
+            factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
+            factory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
+            factory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
+        } catch (TransformerConfigurationException e) {
+            throw new TransformerConfigurationException("Could not configure TransformerFactory for secure processing: " + e.getMessage());
+        }
+        return factory;
+    }
+
+}
diff --git a/FunctionApp/src/main/java/app/djk/RestPdfFormFiller/functions/HttpTriggerFunctions.java b/FunctionApp/src/main/java/app/djk/RestPdfFormFiller/functions/HttpTriggerFunctions.java
@@ -13,7 +13,6 @@
 import com.microsoft.azure.functions.annotation.AuthorizationLevel;
 import com.microsoft.azure.functions.annotation.FunctionName;
 import com.microsoft.azure.functions.annotation.HttpTrigger;
-import com.microsoft.graph.serviceclient.GraphServiceClient;
 import com.microsoft.kiota.ApiException;
 import okhttp3.FormBody;
 import okhttp3.OkHttpClient;
@@ -22,6 +21,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.*;
+import java.util.logging.Level;
 
 /**
  * Azure Functions with HTTP Trigger.
@@ -177,9 +177,9 @@ private HttpResponseMessage errorHandler(final HttpRequestMessage<?> request,
              to its original type. So that's what the inner try-catch block does, until I find a
              better way.
             */
-            try {
+            try { //NOSONAR
                 return function.get();
-            } catch (Exception e) {
+            } catch (Exception e) { //NOSONAR
                 context.getLogger().warning("Caught exception: " + e);
                 context.getLogger().warning(Arrays.toString(e.getStackTrace()));
                 var eClass = e.getClass();
@@ -308,7 +308,7 @@ private static <T> String getAuthTokenOverHttp(final HttpRequestMessage<T> reque
         }
 
         final var incomingToken = authHeader.substring(7); // removing "Bearer" prefix and space
-        context.getLogger().info("Incoming token: " + incomingToken);
+        context.getLogger().log(Level.FINEST, "Incoming token: {}", incomingToken);
 
         final var client = new OkHttpClient();
 
@@ -320,7 +320,7 @@ private static <T> String getAuthTokenOverHttp(final HttpRequestMessage<T> reque
                 .add("scope", "https://graph.microsoft.com/.default")
                 .add("requested_token_use", "on_behalf_of")
                 .build();
-        context.getLogger().info("Form body: " + formBody.toString());
+        context.getLogger().log(Level.FINEST, "Form body: {}", formBody);
 
         final var outgoingRequest = new Request.Builder()
                 .url("https://login.microsoftonline.com/" + System.getenv("tenantId") + "/oauth2/v2.0/token")
@@ -330,7 +330,7 @@ private static <T> String getAuthTokenOverHttp(final HttpRequestMessage<T> reque
         try (final var response = client.newCall(outgoingRequest).execute()) {
             context.getLogger().info("Executed outgoing request.");
             final var responseString = Objects.requireNonNull(response.body()).string();
-            System.out.println(responseString);
+            context.getLogger().log(Level.FINEST, "Response: {}", responseString);
             return "test";
         } catch (IOException e) {
             throw new RuntimeException(e);