2 * Copyright (c) 2016 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.yangtools.util.xml;
10 import com.google.common.annotations.Beta;
11 import java.io.InputStream;
12 import java.io.Reader;
13 import java.nio.charset.Charset;
14 import javax.annotation.Nonnull;
15 import javax.xml.XMLConstants;
16 import javax.xml.parsers.DocumentBuilder;
17 import javax.xml.parsers.DocumentBuilderFactory;
18 import javax.xml.parsers.ParserConfigurationException;
19 import javax.xml.parsers.SAXParser;
20 import javax.xml.parsers.SAXParserFactory;
21 import javax.xml.stream.XMLInputFactory;
22 import javax.xml.stream.XMLStreamException;
23 import javax.xml.stream.XMLStreamReader;
24 import org.xml.sax.SAXException;
25 import org.xml.sax.SAXNotRecognizedException;
26 import org.xml.sax.SAXNotSupportedException;
29 * Set of utility methods for instantiating parser that deal with untrusted XML sources.
31 * @author Robert Varga
34 public final class UntrustedXML {
35 private static final DocumentBuilderFactory DBF;
38 final DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
39 f.setCoalescing(true);
40 f.setExpandEntityReferences(false);
41 f.setIgnoringElementContentWhitespace(true);
42 f.setIgnoringComments(true);
43 f.setNamespaceAware(true);
44 f.setXIncludeAware(false);
46 f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
47 f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
48 f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
49 f.setFeature("http://xml.org/sax/features/external-general-entities", false);
50 f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
51 } catch (final ParserConfigurationException e) {
52 throw new ExceptionInInitializerError(e);
57 private static final SAXParserFactory SPF;
60 final SAXParserFactory f = SAXParserFactory.newInstance();
61 f.setNamespaceAware(true);
62 f.setXIncludeAware(false);
64 f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
65 f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
66 f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
67 f.setFeature("http://xml.org/sax/features/external-general-entities", false);
68 f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
69 } catch (final SAXNotRecognizedException | SAXNotSupportedException | ParserConfigurationException e) {
70 throw new ExceptionInInitializerError(e);
76 private static final XMLInputFactory XIF;
79 final XMLInputFactory f = XMLInputFactory.newInstance();
81 f.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
82 f.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
83 f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
84 f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
91 * Create a new {@link DocumentBuilder} for dealing with untrusted XML data. This method is equivalent to
92 * {@link DocumentBuilderFactory#newDocumentBuilder()}, except it does not throw a checked exception.
94 * @return A new DocumentBuilder
95 * @throws UnsupportedOperationException if the runtime fails to instantiate a good enough builder
97 public static @Nonnull DocumentBuilder newDocumentBuilder() {
99 return DBF.newDocumentBuilder();
100 } catch (ParserConfigurationException e) {
101 throw new UnsupportedOperationException("Failed to instantiate a DocumentBuilder", e);
106 * Create a new {@link SAXParser} for dealing with untrusted XML data. This method is equivalent to
107 * {@link SAXParserFactory#newSAXParser()}, except it does not throw a checked exception.
109 * @return A new SAXParser
110 * @throws UnsupportedOperationException if the runtime fails to instantiate a good enough builder
112 public static @Nonnull SAXParser newSAXParser() {
114 return SPF.newSAXParser();
115 } catch (ParserConfigurationException | SAXException e) {
116 throw new UnsupportedOperationException("Failed to instantiate a SAXParser", e);
121 * Create a new {@link XMLStreamReader} for dealing with untrusted XML data. This method is equivalent to
122 * {@link XMLInputFactory#createXMLStreamReader(InputStream)}.
124 * @return A new XMLStreamReader
125 * @throws XMLStreamException when the underlying factory throws it
127 public static @Nonnull XMLStreamReader createXMLStreamReader(final InputStream stream) throws XMLStreamException {
128 return XIF.createXMLStreamReader(stream);
132 * Create a new {@link XMLStreamReader} for dealing with untrusted XML data. This method is equivalent to
133 * {@link XMLInputFactory#createXMLStreamReader(InputStream, String)}, except it takes an explict charset argument.
135 * @return A new XMLStreamReader
136 * @throws XMLStreamException when the underlying factory throws it
138 public static @Nonnull XMLStreamReader createXMLStreamReader(final InputStream stream, final Charset charset)
139 throws XMLStreamException {
140 return XIF.createXMLStreamReader(stream, charset.name());
144 * Create a new {@link XMLStreamReader} for dealing with untrusted XML data. This method is equivalent to
145 * {@link XMLInputFactory#createXMLStreamReader(Reader)}.
147 * @return A new XMLStreamReader
148 * @throws XMLStreamException when the underlying factory throws it
150 public static @Nonnull XMLStreamReader createXMLStreamReader(final Reader reader) throws XMLStreamException {
151 return XIF.createXMLStreamReader(reader);