From fb9759d934ae7ddbc028dc7c4872be8abb77a2f5 Mon Sep 17 00:00:00 2001
From: zubri
Date: Thu, 25 Jan 2024 12:13:50 -0300
Subject: [PATCH] Deprecated unnecessary methods in the SafeXmlUtils class
---
 CHANGELOG.md | 3 +
 .../swift/utils/SafeXmlUtils.java | 10 ++-
 .../swift/utils/SafeXmlUtilsTest.java | 71 +------------------
 3 files changed, 13 insertions(+), 71 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c879e48a..aa42e8321 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Prowide Core - CHANGELOG +#### 9.4.15 - SNAPSHOT + * Deprecated unnecessary methods in the SafeXmlUtils class + #### 9.4.14 - December 2023 * (PW-1718) Changed the getComponentLabel(component) in Field59F to be dynamic based on the line identifiers (similar to existing API in Field50F)
diff --git a/src/main/java/com/prowidesoftware/swift/utils/SafeXmlUtils.java b/src/main/java/com/prowidesoftware/swift/utils/SafeXmlUtils.java
index 8d5a2efd8..7fc24056b 100644
--- a/src/main/java/com/prowidesoftware/swift/utils/SafeXmlUtils.java
+++ b/src/main/java/com/prowidesoftware/swift/utils/SafeXmlUtils.java
@@ -16,6 +16,8 @@ package com.prowidesoftware.swift.utils; import com.prowidesoftware.ProwideException; +import com.prowidesoftware.deprecation.ProwideDeprecated; +import com.prowidesoftware.deprecation.TargetYear; import java.util.logging.Level; import javax.xml.XMLConstants; import javax.xml.parsers.*;
@@ -236,8 +238,10 @@ public static Transformer transformer() {
 } /** - * Safe schema factory + * @deprecated use the default SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI) instead, there is no need to prevent XXE attacks in the schema factory */ + @Deprecated + @ProwideDeprecated(phase2 = TargetYear.SRU2024) public static SchemaFactory schemaFactory() { String feature = null; try {
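Review bot: The new Javadoc on `schemaFactory()` (and on `validator(Schema)` in the hunk at -261) asserts that there is no need to prevent XXE in the schema factory or the validator, but nothing in the hunk backs that up, and the same commit removes testXXEAttackOnSchemaFactory and testXXEAttackOnValidator rather than retargeting them at the recommended replacements the way the -127 hunk does for the SAX reader test, so the claim is no longer verified anywhere. Whether a plain `SchemaFactory.newInstance(...)` or `schema.newValidator()` resolves external DTDs and schema locations depends on the runtime's JAXP settings for `XMLConstants.ACCESS_EXTERNAL_DTD` / `XMLConstants.ACCESS_EXTERNAL_SCHEMA`, which the suggested replacement code does not set, and it is not evident from the hunk that those defaults are restrictive on every JDK the library supports. I would keep the summary sentence and make the guidance explicit, e.g. `* Safe schema factory.` followed by `* @deprecated use SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI) instead; when the schema or the validated document comes from an untrusted source, set XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_SCHEMA to "" on the replacement`, and keep one of the removed tests pointed at the replacement so the "no need" statement is checked. The bodies of both deprecated methods continue outside their hunks.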
@@ -261,8 +265,10 @@ public static SchemaFactory schemaFactory() {
 } /** - * Safe schema validator + * @deprecated use the default schema.newValidator() instead, there is no need to prevent XXE attacks in validation */ + @Deprecated + @ProwideDeprecated(phase2 = TargetYear.SRU2024) public static Validator validator(Schema schema) { String feature = null; try {
diff --git a/src/test/java/com/prowidesoftware/swift/utils/SafeXmlUtilsTest.java b/src/test/java/com/prowidesoftware/swift/utils/SafeXmlUtilsTest.java
index 60a2c3cbe..f9210fab0 100644
--- a/src/test/java/com/prowidesoftware/swift/utils/SafeXmlUtilsTest.java
+++ b/src/test/java/com/prowidesoftware/swift/utils/SafeXmlUtilsTest.java
@@ -5,6 +5,7 @@ import java.io.ByteArrayInputStream; import java.io.StringReader; import java.nio.charset.StandardCharsets; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.stream.XMLInputFactory; import javax.xml.stream.XMLStreamException;
@@ -15,7 +16,6 @@ import javax.xml.transform.stream.StreamSource; import javax.xml.validation.Schema; import javax.xml.validation.SchemaFactory; -import javax.xml.validation.Validator; import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; import org.xml.sax.SAXException;
@@ -71,23 +71,6 @@ void testTransformer() {
 assertDoesNotThrow(SafeXmlUtils::transformer); } - /** - * Tests the creation of a SchemaFactory. - */ - @Test - void testSchemaFactory() { - assertDoesNotThrow(SafeXmlUtils::schemaFactory); - } - - /** - * Tests the creation of a Validator with a schema. - */ - @Test - void testValidator() { - SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory(); - assertDoesNotThrow(() -> SafeXmlUtils.validator(schemaFactory.newSchema())); - } - /** * Tests the prevention of XXE attack on DocumentBuilder. */
@@ -127,7 +110,7 @@ void testXXEAttackOnSAXReaderCustomParameters() {
 + "]>" + "&xxe;"; - SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory(); + SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI); Schema schema = null; try { schema = schemaFactory.newSchema();
@@ -142,56 +125,6 @@ void testXXEAttackOnSAXReaderCustomParameters() {
 }); } - /** - * Tests XXE attack on the Safe SchemaFactory and verifies that the entity in the schema is ignored. - */ - @Test - void testXXEAttackOnSchemaFactory() { - String dummyXSDWithExternalDTD = "\n" + "\n" - + " ]>\n" - + "\n" - + " \n" - + " \n" - + " \n" - + " \n" - + " \n" - + " \n" - + " \n" - + "\n"; - - // Attempt to create a Schema with dummy XSD containing external DTD using SafeXmlUtils - assertThrows(SAXException.class, () -> { - SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory(); - Schema dummySchema = schemaFactory.newSchema(new javax.xml.transform.sax.SAXSource( - new org.xml.sax.InputSource(new java.io.StringReader(dummyXSDWithExternalDTD)))); - }); - } - - /** - * Tests XXE attack on the Safe Validator and verifies that the entity in the XML is ignored. - */ - @Test - void testXXEAttackOnValidator() throws SAXException { - // Create a dummy schema - SchemaFactory schemaFactory = SafeXmlUtils.schemaFactory(); - Schema dummySchema = schemaFactory.newSchema(); - - // Attempt to create a Validator with dummy schema using SafeXmlUtils.validator - assertThrows(SAXException.class, () -> { - Validator validator = SafeXmlUtils.validator(dummySchema); - - // Malicious XML document with XXE attack - String maliciousXml = "" - + "]>" - + "&xxe;"; - - // Attempt to validate the malicious XML document - validator.validate(new javax.xml.transform.sax.SAXSource( - new org.xml.sax.InputSource(new java.io.StringReader(maliciousXml)))); - }); - } - /** * Tests XXE attack on the Safe Transformer and verifies that the entity in the XML is ignored. */