Deprecated unnecessary methods in the SafeXmlUtils class
zubri committed Jan 25, 2024
1 parent 49d2460 commit fb9759d
Showing 3 changed files with 13 additions and 71 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,8 @@
# Prowide Core - CHANGELOG

#### 9.4.15 - SNAPSHOT
* Deprecated unnecessary methods in the SafeXmlUtils class

#### 9.4.14 - December 2023
* (PW-1718) Changed the getComponentLabel(component) in Field59F to be dynamic based on the line identifiers (similar to existing API in Field50F)

10 changes: 8 additions & 2 deletions src/main/java/com/prowidesoftware/swift/utils/SafeXmlUtils.java
@@ -16,6 +16,8 @@
package com.prowidesoftware.swift.utils;

import com.prowidesoftware.ProwideException;
import com.prowidesoftware.deprecation.ProwideDeprecated;
import com.prowidesoftware.deprecation.TargetYear;
import java.util.logging.Level;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
@@ -236,8 +238,10 @@ public static Transformer transformer() {
}

/**
* Safe schema factory
* @deprecated use the default SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI) instead, there is no need to prevent XXE attacks in the schema factory
*/
@Deprecated
@ProwideDeprecated(phase2 = TargetYear.SRU2024)
public static SchemaFactory schemaFactory() {
String feature = null;
try {
@@ -261,8 +265,10 @@ public static SchemaFactory schemaFactory() {
}

/**
* Safe schema validator
* @deprecated use the default schema.newValidator() instead, there is no need to prevent XXE attacks in validation
*/
@Deprecated
@ProwideDeprecated(phase2 = TargetYear.SRU2024)
public static Validator validator(Schema schema) {
String feature = null;
try {
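Review bot: The new `@deprecated` text on schemaFactory() and validator() tells callers that XXE prevention is unnecessary in these two places, but that is only true when the schema documents and the XML handed to validate() are trusted: a SchemaFactory resolves xs:import/xs:include locations and can see a DOCTYPE in the XSD it loads, and a Validator fed an untrusted StreamSource/SAXSource parses that document itself, which is why the OWASP XXE guidance sets XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" on both objects. The tests this same commit deletes (testXXEAttackOnSchemaFactory, testXXEAttackOnValidator) exercised exactly that case against these methods, so the unqualified rationale is the weaker part of the change. I would keep the deprecation but qualify the guidance rather than tell callers hardening is pointless, e.g. `* @deprecated use SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI) / schema.newValidator() and set XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" yourself when the schema or the validated XML is not trusted`. Both method bodies continue outside the hunk, so whether the old feature-setting code still applies cannot be checked here.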
@@ -5,6 +5,7 @@
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
@@ -15,7 +16,6 @@
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
import org.xml.sax.SAXException;
@@ -71,23 +71,6 @@ void testTransformer() {
assertDoesNotThrow(SafeXmlUtils::transformer);
}

/**
* Tests the creation of a SchemaFactory.
*/
@Test
void testSchemaFactory() {
assertDoesNotThrow(SafeXmlUtils::schemaFactory);
}

/**
* Tests the creation of a Validator with a schema.
*/
@Test
void testValidator() {
SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory();
assertDoesNotThrow(() -> SafeXmlUtils.validator(schemaFactory.newSchema()));
}

/**
* Tests the prevention of XXE attack on DocumentBuilder.
*/
@@ -127,7 +110,7 @@ void testXXEAttackOnSAXReaderCustomParameters() {
+ "<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
+ "<foo>&xxe;</foo>";

SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory();
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Schema schema = null;
try {
schema = schemaFactory.newSchema();
@@ -142,56 +125,6 @@ void testXXEAttackOnSAXReaderCustomParameters() {
});
}

/**
* Tests XXE attack on the Safe SchemaFactory and verifies that the entity in the schema is ignored.
*/
@Test
void testXXEAttackOnSchemaFactory() {
String dummyXSDWithExternalDTD = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + "<!DOCTYPE root [\n"
+ " <!ELEMENT root ANY >\n"
+ " <!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n"
+ "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\">\n"
+ " <xs:element name=\"root\" type=\"xs:string\">\n"
+ " <xs:complexType>\n"
+ " <xs:sequence>\n"
+ " <xs:element name=\"data\" type=\"xs:string\"/>\n"
+ " </xs:sequence>\n"
+ " </xs:complexType>\n"
+ " </xs:element>\n"
+ "</xs:schema>\n";

// Attempt to create a Schema with dummy XSD containing external DTD using SafeXmlUtils
assertThrows(SAXException.class, () -> {
SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory();
Schema dummySchema = schemaFactory.newSchema(new javax.xml.transform.sax.SAXSource(
new org.xml.sax.InputSource(new java.io.StringReader(dummyXSDWithExternalDTD))));
});
}

/**
* Tests XXE attack on the Safe Validator and verifies that the entity in the XML is ignored.
*/
@Test
void testXXEAttackOnValidator() throws SAXException {
// Create a dummy schema
SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory();
Schema dummySchema = schemaFactory.newSchema();

// Attempt to create a Validator with dummy schema using SafeXmlUtils.validator
assertThrows(SAXException.class, () -> {
Validator validator = SafeXmlUtils.validator(dummySchema);

// Malicious XML document with XXE attack
String maliciousXml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ "<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
+ "<foo>&xxe;</foo>";

// Attempt to validate the malicious XML document
validator.validate(new javax.xml.transform.sax.SAXSource(
new org.xml.sax.InputSource(new java.io.StringReader(maliciousXml))));
});
}

/**
* Tests XXE attack on the Safe Transformer and verifies that the entity in the XML is ignored.
*/
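Review bot: Removing testXXEAttackOnSchemaFactory and testXXEAttackOnValidator leaves this class with no test that a DOCTYPE-bearing XSD or XML document is rejected by whatever now replaces SafeXmlUtils.schemaFactory()/validator(); the only surviving change in this file swaps the default factory into a call to the no-arg `newSchema()`, which never parses a schema document at all. If the library's position is that the default SchemaFactory is sufficient, keep the malicious-XSD and malicious-XML fixtures and assert the expected outcome against `SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)` with `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` set to "", so the claim made in the deprecation notice is backed by a test rather than an assumption. The test method containing the `newInstance` change (testXXEAttackOnSAXReaderCustomParameters) begins before the visible hunk.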
