author | Matthew Khouzam | 2019-08-06 19:23:27 +0000 |
---|---|---|
committer | Matthew Khouzam | 2019-08-07 19:22:11 +0000 |
commit | ae3065ba3d661c9458ec1c86c48d03938b133cef (patch) | |
tree | 3eb33d0eae1cd4a096d57519c01d6e1b61b5788d | |
parent | 2a3edf6fd10e7b5d197f2a3da30f80ce02df7ee0 (diff) | |
common.core: introduce XmlUtils#newSafeDocumentBuilderFactory
updates many features to avoid using DocumentBuilderFactory#newInstance
[Security] Disable XML external entity (XXE) processing.
Change-Id: Ib9ccb5b120955ddeb80ac1c03512340c324e67ce
Signed-off-by: Matthew Khouzam <matthew.khouzam@ericsson.com>
Reviewed-on: https://git.eclipse.org/r/147148
Tested-by: CI Bot
Reviewed-by: Bernd Hufmann <bernd.hufmann@ericsson.com>
Tested-by: Bernd Hufmann <bernd.hufmann@ericsson.com>
19 files changed, 103 insertions, 51 deletions
diff --git a/common/org.eclipse.tracecompass.common.core.tests/src/org/eclipse/tracecompass/common/core/tests/xml/TestTransform.java b/common/org.eclipse.tracecompass.common.core.tests/src/org/eclipse/tracecompass/common/core/tests/xml/TestTransform.java
index 9a7c822cf5..511bafc0d0 100644
--- a/common/org.eclipse.tracecompass.common.core.tests/src/org/eclipse/tracecompass/common/core/tests/xml/TestTransform.java
+++ b/common/org.eclipse.tracecompass.common.core.tests/src/org/eclipse/tracecompass/common/core/tests/xml/TestTransform.java
@@ -94,7 +94,7 @@ public class TestTransform {
 private static void testExploit(String attackVector) throws SAXException, IOException, ParserConfigurationException, TransformerException {
 Transformer newSafeTransformer = XmlUtils.newSecureTransformer();
 assertNotNull(newSafeTransformer);
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XmlUtils.newSafeDocumentBuilderFactory();
 Document document = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(attackVector)));
 newSafeTransformer.setOutputProperty(OutputKeys.METHOD, "xml");
 newSafeTransformer.setOutputProperty(OutputKeys.INDENT, "yes");
diff --git a/common/org.eclipse.tracecompass.common.core/src/org/eclipse/tracecompass/common/core/xml/XmlUtils.java b/common/org.eclipse.tracecompass.common.core/src/org/eclipse/tracecompass/common/core/xml/XmlUtils.java
index afeaa79c42..f2e17f6639 100644
--- a/common/org.eclipse.tracecompass.common.core/src/org/eclipse/tracecompass/common/core/xml/XmlUtils.java
+++ b/common/org.eclipse.tracecompass.common.core/src/org/eclipse/tracecompass/common/core/xml/XmlUtils.java
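Review bot: With `dbf` now coming from `XmlUtils.newSafeDocumentBuilderFactory()`, `testExploit` probably rejects the attack document at `parse(...)`, before `newSafeTransformer` ever receives it, so the hardening in `newSecureTransformer()` may no longer be exercised by this test. That is inferred from the factory setting `disallow-doctype-decl`; the test vectors and the assertions are outside the hunk. Consider keeping one case that feeds the transformer from a source the hardened builder has not already filtered, and adding a separate test asserting that the hardened builder refuses a DOCTYPE-bearing input, so each helper has its own regression coverage. The body of `testExploit` continues past the hunk.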
@@ -10,10 +10,14 @@ package org.eclipse.tracecompass.common.core.xml;
 import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
+import org.eclipse.tracecompass.internal.common.core.Activator;
+
 /**
 * XML Utilities. Useful to avoid copy-pasting secure code generation. Utils
 * here should be OASP compliant.
@@ -53,4 +57,67 @@ public final class XmlUtils {
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 return factory.newTransformer();
 }
+
+ /**
+ * Create a document builder factory that is safe according to the OWASP
+ * injection prevention cheat sheet.
+ *
+ * @return the documentBuilderFactory
+ * @since 4.1
+ */
+ public static DocumentBuilderFactory newSafeDocumentBuilderFactory() {
+ String feature = null;
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ try {
+ // This one is from Sonar (squid:S2755)
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ // This is the PRIMARY defense. If DTDs (doctypes) are disallowed,
+ // almost all
+ // XML entity attacks are prevented
+ // Xerces 2 only -
+ // http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
+ feature = "http://apache.org/xml/features/disallow-doctype-decl"; //$NON-NLS-1$
+ dbf.setFeature(feature, true);
+
+ // If you can't completely disable DTDs, then at least do the
+ // following:
+ // Xerces 1 -
+ // http://xerces.apache.org/xerces-j/features.html#external-general-entities
+ // Xerces 2 -
+ // http://xerces.apache.org/xerces2-j/features.html#external-general-entities
+ // JDK7+ - http://xml.org/sax/features/external-general-entities
+ feature = "http://xml.org/sax/features/external-general-entities"; //$NON-NLS-1$
+ dbf.setFeature(feature, false);
+
+ // Xerces 1 -
+ // http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
+ // Xerces 2 -
+ // http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
+ // JDK7+ - http://xml.org/sax/features/external-parameter-entities
+ feature = "http://xml.org/sax/features/external-parameter-entities"; //$NON-NLS-1$
+ dbf.setFeature(feature, false);
+
+ // Disable external DTDs as well
+ feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; //$NON-NLS-1$
+ dbf.setFeature(feature, false);
+
+ // and these as well, per Timothy Morgan's 2014 paper: "XML Schema,
+ // DTD, and Entity Attacks"
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
+
+ // And, per Timothy Morgan:
+ // "If for some reason support for inline DOCTYPEs are a requirement, then ensure
+ // the entity settings are disabled (as shown above) and beware that SSRF attacks
+ // (http://cwe.mitre.org/data/definitions/918.html)
+ // and denial of service attacks (such as billion laughs or decompression bombs via
+ // "jar:") are a risk."
+
+ } catch (ParserConfigurationException e) {
+ // This should catch a failed setFeature feature
+ Activator.instance().logInfo("ParserConfigurationException was thrown. The feature '" + feature //$NON-NLS-1$
+ + "' is probably not supported by your XML processor.", e); //$NON-NLS-1$
+ }
+ return dbf;
+ }
 }
diff --git a/lttng/org.eclipse.tracecompass.lttng2.control.core/src/org/eclipse/tracecompass/lttng2/control/core/session/SessionConfigGenerator.java b/lttng/org.eclipse.tracecompass.lttng2.control.core/src/org/eclipse/tracecompass/lttng2/control/core/session/SessionConfigGenerator.java
index 8141aec2bf..fb38e25921 100644
--- a/lttng/org.eclipse.tracecompass.lttng2.control.core/src/org/eclipse/tracecompass/lttng2/control/core/session/SessionConfigGenerator.java
+++ b/lttng/org.eclipse.tracecompass.lttng2.control.core/src/org/eclipse/tracecompass/lttng2/control/core/session/SessionConfigGenerator.java
@@ -18,7 +18,6 @@ import java.util.Set;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Source;
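Review bot: All feature settings in `newSafeDocumentBuilderFactory()` sit in one `try`, so the first `ParserConfigurationException` skips every setting after it, including `setXIncludeAware(false)` and `setExpandEntityReferences(false)`, and the partly configured factory is still returned. With a parser that does not recognise the Xerces-specific `disallow-doctype-decl` feature, the external-entity and external-DTD features would never be turned off, and the only trace is an info-level log entry. Applying each setting independently, as sketched below, keeps the remaining defences in place. Whether the method should instead fail closed when no entity protection could be applied is a design decision worth recording in the Javadoc, which could also state that the returned factory rejects any document containing a DOCTYPE.

```java
public static DocumentBuilderFactory newSafeDocumentBuilderFactory() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Each setting is applied on its own, so an unsupported feature no
    // longer prevents the ones after it from being set.
    // … unchanged: per-feature reference comments …
    setFeatureOrLog(dbf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
    setFeatureOrLog(dbf, "http://apache.org/xml/features/disallow-doctype-decl", true); //$NON-NLS-1$
    setFeatureOrLog(dbf, "http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
    setFeatureOrLog(dbf, "http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
    setFeatureOrLog(dbf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    return dbf;
}

private static void setFeatureOrLog(DocumentBuilderFactory dbf, String feature, boolean value) {
    try {
        dbf.setFeature(feature, value);
    } catch (ParserConfigurationException e) {
        Activator.instance().logInfo("ParserConfigurationException was thrown. The feature '" + feature //$NON-NLS-1$
                + "' is probably not supported by your XML processor.", e); //$NON-NLS-1$
    }
}
```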
@@ -174,8 +173,7 @@ public final class SessionConfigGenerator {
 * On an parser configuration error
 */
 private static @NonNull Document generateSessionConfig(Iterable<ISessionInfo> sessions) throws IllegalArgumentException, ParserConfigurationException {
- DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
- DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
+ DocumentBuilder docBuilder = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 Document document = docBuilder.newDocument();
diff --git a/lttng/org.eclipse.tracecompass.lttng2.control.ui/src/org/eclipse/tracecompass/internal/lttng2/control/ui/views/service/LTTngControlServiceMI.java b/lttng/org.eclipse.tracecompass.lttng2.control.ui/src/org/eclipse/tracecompass/internal/lttng2/control/ui/views/service/LTTngControlServiceMI.java
index f515731689..db98276c53 100644
--- a/lttng/org.eclipse.tracecompass.lttng2.control.ui/src/org/eclipse/tracecompass/internal/lttng2/control/ui/views/service/LTTngControlServiceMI.java
+++ b/lttng/org.eclipse.tracecompass.lttng2.control.ui/src/org/eclipse/tracecompass/internal/lttng2/control/ui/views/service/LTTngControlServiceMI.java
@@ -36,6 +36,7 @@ import org.eclipse.core.runtime.Platform;
 import org.eclipse.jdt.annotation.NonNull;
 import org.eclipse.jdt.annotation.Nullable;
 import org.eclipse.osgi.util.NLS;
+import org.eclipse.tracecompass.common.core.xml.XmlUtils;
 import org.eclipse.tracecompass.internal.lttng2.control.core.model.IBaseEventInfo;
 import org.eclipse.tracecompass.internal.lttng2.control.core.model.IChannelInfo;
 import org.eclipse.tracecompass.internal.lttng2.control.core.model.IDomainInfo;
@@ -115,7 +116,8 @@ public class LTTngControlServiceMI extends LTTngControlService { super(shell); setVersion(version); - DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory docBuilderFactory = XmlUtils.newSafeDocumentBuilderFactory(); + docBuilderFactory.setExpandEntityReferences(false); docBuilderFactory.setValidating(false); if (isSchemaValidationEnabled()) { @@ -189,7 +191,7 @@ public class LTTngControlServiceMI extends LTTngControlService { * when xml extraction fail */ public static LttngVersion parseVersion(ICommandResult commandResult) throws ExecutionException { - DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory docBuilderFactory = XmlUtils.newSafeDocumentBuilderFactory(); DocumentBuilder documentBuilder; try { documentBuilder = docBuilderFactory.newDocumentBuilder(); diff --git a/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/META-INF/MANIFEST.MF b/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/META-INF/MANIFEST.MF index dc87ba71f2..37cdb8b827 100644 --- a/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/META-INF/MANIFEST.MF +++ b/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/META-INF/MANIFEST.MF @@ -18,6 +18,7 @@ Require-Bundle: org.junit, org.eclipse.tracecompass.analysis.timing.core, org.eclipse.tracecompass.datastore.core, org.eclipse.test.performance, + org.eclipse.tracecompass.common.core, org.eclipse.jdt.annotation;bundle-version="[2.0.0,3.0.0)";resolution:=optional Bundle-RequiredExecutionEnvironment: JavaSE-1.8 Bundle-ActivationPolicy: lazy diff --git a/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/common/org/eclipse/tracecompass/tmf/analysis/xml/core/tests/common/TmfXmlTestUtils.java b/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/common/org/eclipse/tracecompass/tmf/analysis/xml/core/tests/common/TmfXmlTestUtils.java index 007c10479e..fe3232891d 100644 
--- a/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/common/org/eclipse/tracecompass/tmf/analysis/xml/core/tests/common/TmfXmlTestUtils.java
+++ b/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core.tests/common/org/eclipse/tracecompass/tmf/analysis/xml/core/tests/common/TmfXmlTestUtils.java
@@ -19,7 +19,6 @@ import java.util.List;
 import java.util.Objects;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import org.eclipse.jdt.annotation.NonNull;
@@ -94,7 +93,7 @@ public final class TmfXmlTestUtils {
 * Exception thrown by parser
 */
 public static List<@NonNull Element> getXmlElements(String elementName, String xmlString) throws SAXException, IOException, ParserConfigurationException {
- DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilder builder = org.eclipse.tracecompass.common.core.xml.XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 InputSource src = new InputSource();
 src.setCharacterStream(new StringReader(xmlString));
diff --git a/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core/src/org/eclipse/tracecompass/internal/tmf/analysis/xml/core/module/XmlUtils.java b/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core/src/org/eclipse/tracecompass/internal/tmf/analysis/xml/core/module/XmlUtils.java
index a89b94b3bb..78744e8c88 100644
--- a/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core/src/org/eclipse/tracecompass/internal/tmf/analysis/xml/core/module/XmlUtils.java
+++ b/tmf/org.eclipse.tracecompass.tmf.analysis.xml.core/src/org/eclipse/tracecompass/internal/tmf/analysis/xml/core/module/XmlUtils.java
@@ -531,7 +531,7 @@ public class XmlUtils {
 * If any IO errors occur.
 */
 public static Document getDocumentFromFile(File file) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbFactory = org.eclipse.tracecompass.common.core.xml.XmlUtils.newSafeDocumentBuilderFactory();
 Document doc = dbFactory.newDocumentBuilder().parse(file);
 doc.getDocumentElement().normalize();
 return doc;
diff --git a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/markers/MarkerConfigXmlParser.java b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/markers/MarkerConfigXmlParser.java
index e1737d4395..03e4c34e3b 100644
--- a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/markers/MarkerConfigXmlParser.java
+++ b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/internal/tmf/core/markers/MarkerConfigXmlParser.java
@@ -36,6 +36,7 @@ import org.eclipse.core.runtime.ISafeRunnable;
 import org.eclipse.core.runtime.Platform;
 import org.eclipse.core.runtime.SafeRunner;
 import org.eclipse.jdt.annotation.NonNull;
+import org.eclipse.tracecompass.common.core.xml.XmlUtils;
 import org.eclipse.tracecompass.internal.tmf.core.Activator;
 import org.eclipse.tracecompass.internal.tmf.core.markers.Marker.PeriodicMarker;
 import org.eclipse.tracecompass.internal.tmf.core.markers.SubMarker.SplitMarker;
@@ -133,7 +134,7 @@ public class MarkerConfigXmlParser {
 List<MarkerSet> markerSets = new ArrayList<>();
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XmlUtils.newSafeDocumentBuilderFactory();
 dbf.setValidating(false);
 dbf.setNamespaceAware(true);
 SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
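Review bot: In the MarkerConfigXmlParser hunk the `DocumentBuilderFactory` is now hardened, but the `SchemaFactory` created three lines later (`SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)`) is left at its defaults as far as the hunk shows. Schema loading and validation resolve external DTDs and schema locations on their own path, so if the schema or the validated input can be influenced by a user, consider `schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` (keeping `"file"` allowed if a bundled schema relies on imports), with the same properties on any `Validator`. Where the schema comes from is decided outside the hunk, so this may already be safe. The same question applies to the `isSchemaValidationEnabled()` branch in LTTngControlServiceMI's constructor and to RemoteImportProfilesReader and ManifestReader, whose import hunks show `javax.xml.validation` in use.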
diff --git a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLParser.java b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLParser.java
index 7692528556..64e6acc82e 100644
--- a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLParser.java
+++ b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLParser.java
@@ -42,12 +42,13 @@ public class TmfFilterXMLParser {
 */
 public TmfFilterXMLParser(final String uri) throws SAXException, IOException {
- SAXParserFactory m_parserFactory = null;
- m_parserFactory = SAXParserFactory.newInstance();
- m_parserFactory.setNamespaceAware(true);
-
+ SAXParserFactory m_parserFactory = SAXParserFactory.newInstance();
 XMLReader saxReader = null;
 try {
+ m_parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+ m_parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
+ m_parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$
+ m_parserFactory.setNamespaceAware(true);
 saxReader = m_parserFactory.newSAXParser().getXMLReader();
 saxReader.setContentHandler(new TmfFilterContentHandler());
diff --git a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLWriter.java b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLWriter.java
index cf66ac9b95..4e8ede4b39 100644
--- a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLWriter.java
+++ b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/filter/xml/TmfFilterXMLWriter.java
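Review bot: The `SAXParserFactory` in the TmfFilterXMLParser constructor is hardened with three inline `setFeature` calls that repeat the literals from `XmlUtils` but leave out `XMLConstants.FEATURE_SECURE_PROCESSING` and `disallow-doctype-decl`, so the SAX path ends up weaker than the DOM path this commit introduces. Internal entity expansion is then governed only by the parser's defaults. Consider adding `m_parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and, if filter files never need a DOCTYPE, the `disallow-doctype-decl` feature, ideally through a shared SAX helper in `XmlUtils` so that other SAX users get the same settings (ColorSettingsXML still imports `SAXParserFactory`, though its use is outside the visible hunks). The `try` block and its `catch` clauses continue outside the hunk, so how a rejected feature is handled is not visible here.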
@@ -59,7 +59,7 @@ public class TmfFilterXMLWriter {
 * cannot be created which satisfies the configuration requested.
 */
 public TmfFilterXMLWriter(final ITmfFilterTreeNode root) throws ParserConfigurationException {
- DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory documentBuilderFactory = XmlUtils.newSafeDocumentBuilderFactory();
 DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
 document = documentBuilder.newDocument();
diff --git a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomTxtTraceDefinition.java b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomTxtTraceDefinition.java
index 0616f6639b..a836856403 100644
--- a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomTxtTraceDefinition.java
+++ b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomTxtTraceDefinition.java
@@ -32,7 +32,6 @@ import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -512,8 +511,7 @@ public class CustomTxtTraceDefinition extends CustomTraceDefinition {
 @Override
 public void save(String path) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 db.setEntityResolver(createEmptyEntityResolver());
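Review bot: The comment kept under the new line in `CustomTxtTraceDefinition.save`, `// The following allows xml parsing without access to the dtd`, no longer matches the parser's behaviour. The factory from `XmlUtils.newSafeDocumentBuilderFactory()` sets `disallow-doctype-decl`, so with a parser that honours it a document carrying a DOCTYPE is rejected before the empty `EntityResolver` is consulted. Definition files that used to load with a DOCTYPE would then fail, which is the safer outcome but a behaviour change that deserves a test and a reworded comment, e.g. `// DOCTYPEs are rejected by the factory; the empty resolver is defence in depth`. The same pattern appears in the `loadAll`, `load` and `delete` hunks of this file, in CustomXmlTraceDefinition, in `CustomXmlTrace.parseElementBuffer` and in `CustomXmlParserInputWizardPage.parseXmlInput`; all of these method bodies continue outside their hunks.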
@@ -695,8 +693,7 @@ public class CustomTxtTraceDefinition extends CustomTraceDefinition {
 */
 public static CustomTxtTraceDefinition[] loadAll(String path) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 db.setEntityResolver(createEmptyEntityResolver());
@@ -748,8 +745,7 @@ public class CustomTxtTraceDefinition extends CustomTraceDefinition {
 */
 public static CustomTxtTraceDefinition load(String categoryName, String definitionName) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 db.setEntityResolver(createEmptyEntityResolver());
@@ -899,8 +895,7 @@ public class CustomTxtTraceDefinition extends CustomTraceDefinition {
 */
 public static void delete(String categoryName, String definitionName) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 db.setEntityResolver(createEmptyEntityResolver());
diff --git a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTrace.java b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTrace.java
index 9f6074e422..c9548f0fd1 100644
--- a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTrace.java
+++ b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTrace.java
@@ -23,7 +23,6 @@ import java.nio.ByteBuffer;
 import java.util.Arrays;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import org.eclipse.core.resources.IProject;
@@ -31,6 +30,7 @@ import org.eclipse.core.resources.IResource;
 import org.eclipse.core.runtime.IStatus;
 import org.eclipse.core.runtime.Status;
 import org.eclipse.jdt.annotation.NonNull;
+import org.eclipse.tracecompass.common.core.xml.XmlUtils;
 import org.eclipse.tracecompass.internal.tmf.core.Activator;
 import org.eclipse.tracecompass.internal.tmf.core.parsers.custom.CustomEventAspects;
 import org.eclipse.tracecompass.tmf.core.event.ITmfEvent;
@@ -307,8 +307,7 @@ public class CustomXmlTrace extends TmfTrace implements ITmfPersistentlyIndexabl
 private Element parseElementBuffer(final StringBuffer elementBuffer) {
 try {
- final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- final DocumentBuilder db = dbf.newDocumentBuilder();
+ final DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 final EntityResolver resolver = (publicId, systemId) -> {
diff --git a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTraceDefinition.java b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTraceDefinition.java
index 7277fc03be..f01dba978a 100644
--- a/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTraceDefinition.java
+++ b/tmf/org.eclipse.tracecompass.tmf.core/src/org/eclipse/tracecompass/tmf/core/parsers/custom/CustomXmlTraceDefinition.java
@@ -30,7 +30,6 @@ import java.util.Set;
 import java.util.TreeSet;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -163,9 +162,7 @@ public class CustomXmlTraceDefinition extends CustomTraceDefinition {
 @Override
 public void save(String path) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
-
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 db.setEntityResolver(createEmptyEntityResolver());
@@ -374,8 +371,7 @@ public class CustomXmlTraceDefinition extends CustomTraceDefinition {
 */
 public static CustomXmlTraceDefinition[] loadAll(InputStream stream) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 db.setEntityResolver(createEmptyEntityResolver());
@@ -418,8 +414,7 @@ public class CustomXmlTraceDefinition extends CustomTraceDefinition {
 */
 public static CustomXmlTraceDefinition load(String categoryName, String definitionName) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 EntityResolver resolver = (publicId, systemId) -> {
@@ -598,8 +593,7 @@ public class CustomXmlTraceDefinition extends CustomTraceDefinition {
 */
 public static void delete(String categoryName, String definitionName) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 EntityResolver resolver = (publicId, systemId) -> {
diff --git a/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesReader.java b/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesReader.java
index 2b13bda80d..ce2a448433 100644
--- a/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesReader.java
+++ b/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesReader.java
@@ -20,7 +20,6 @@ import java.util.ArrayList;
 import java.util.List;
 import javax.xml.XMLConstants;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
@@ -30,6 +29,7 @@ import javax.xml.validation.Validator;
 import org.eclipse.core.runtime.FileLocator;
 import org.eclipse.core.runtime.Path;
 import org.eclipse.jdt.annotation.NonNull;
+import org.eclipse.tracecompass.common.core.xml.XmlUtils;
 import org.eclipse.tracecompass.internal.tmf.remote.ui.Activator;
 import org.eclipse.tracecompass.internal.tmf.ui.project.wizards.tracepkg.TracePackageElement;
 import org.eclipse.tracecompass.internal.tmf.ui.project.wizards.tracepkg.importexport.ManifestReader;
@@ -128,7 +128,7 @@ public class RemoteImportProfilesReader { List<TracePackageElement> packageElements = new ArrayList<>(); RemoteImportProfileElement profile = null; - Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse( + Document doc = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder().parse( inputStream); NodeList profileNodes = doc.getDocumentElement().getElementsByTagName( diff --git a/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesWriter.java b/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesWriter.java index b015991a35..27f50722a7 100644 --- a/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesWriter.java +++ b/tmf/org.eclipse.tracecompass.tmf.remote.ui/src/org/eclipse/tracecompass/internal/tmf/remote/ui/wizards/fetch/model/RemoteImportProfilesWriter.java @@ -14,7 +14,6 @@ package org.eclipse.tracecompass.internal.tmf.remote.ui.wizards.fetch.model; import java.io.StringWriter; -import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.OutputKeys; import javax.xml.transform.Transformer; @@ -53,7 +52,7 @@ public class RemoteImportProfilesWriter { public static String writeProfilesToXML(TracePackageElement[] profiles) throws ParserConfigurationException, TransformerException { - Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument(); + Document doc = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder().newDocument(); Element profilesElement = doc.createElement(RemoteImportProfileConstants.PROFILES_ELEMENT); doc.appendChild(profilesElement); Element versionElement = doc.createElement(RemoteImportProfileConstants.VERSION_ELEMENT); 
diff --git a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/parsers/wizards/CustomXmlParserInputWizardPage.java b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/parsers/wizards/CustomXmlParserInputWizardPage.java
index e7dbac45e6..3b927a6cd9 100644
--- a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/parsers/wizards/CustomXmlParserInputWizardPage.java
+++ b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/parsers/wizards/CustomXmlParserInputWizardPage.java
@@ -25,7 +25,6 @@ import java.util.List;
 import java.util.Map.Entry;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import org.eclipse.core.resources.IFile;
@@ -74,6 +73,7 @@ import org.eclipse.swt.widgets.Group;
 import org.eclipse.swt.widgets.Label;
 import org.eclipse.swt.widgets.Shell;
 import org.eclipse.swt.widgets.Text;
+import org.eclipse.tracecompass.common.core.xml.XmlUtils;
 import org.eclipse.tracecompass.internal.tmf.ui.Activator;
 import org.eclipse.tracecompass.internal.tmf.ui.Messages;
 import org.eclipse.tracecompass.tmf.core.parsers.custom.CustomTraceDefinition;
@@ -749,8 +749,7 @@ public class CustomXmlParserInputWizardPage extends WizardPage {
 private void parseXmlInput(final String string) {
 try {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = dbf.newDocumentBuilder();
+ DocumentBuilder db = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder();
 // The following allows xml parsing without access to the dtd
 EntityResolver resolver = (publicId, systemId) -> {
diff --git a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/ManifestReader.java b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/ManifestReader.java
index 00140bab35..c1567f6a0c 100644
--- a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/ManifestReader.java
+++ b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/ManifestReader.java
@@ -22,7 +22,6 @@ import java.util.List;
 import java.util.Map;
 import javax.xml.XMLConstants;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
@@ -32,6 +31,7 @@ import javax.xml.validation.Validator;
 import org.eclipse.core.runtime.FileLocator;
 import org.eclipse.core.runtime.Path;
 import org.eclipse.jdt.annotation.NonNull;
+import org.eclipse.tracecompass.common.core.xml.XmlUtils;
 import org.eclipse.tracecompass.internal.tmf.ui.Activator;
 import org.eclipse.tracecompass.internal.tmf.ui.project.wizards.tracepkg.ITracePackageConstants;
 import org.eclipse.tracecompass.internal.tmf.ui.project.wizards.tracepkg.TracePackageBookmarkElement;
@@ -113,7 +113,7 @@ public class ManifestReader {
 * when an error occurs when parsing
 */
 public static TracePackageElement[] loadElementsFromManifest(InputStream inputStream) throws IOException, SAXException, ParserConfigurationException {
- Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(inputStream);
+ Document doc = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder().parse(inputStream);
 Element rootElement = doc.getDocumentElement();
 return loadElementsFromNode(rootElement);
 }
diff --git a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/TracePackageExportOperation.java b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/TracePackageExportOperation.java
index 6e4bcd52af..b9be1db712 100644
--- a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/TracePackageExportOperation.java
+++ b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/internal/tmf/ui/project/wizards/tracepkg/importexport/TracePackageExportOperation.java
@@ -20,7 +20,6 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.dom.DOMSource;
@@ -112,7 +111,7 @@ public class TracePackageExportOperation extends AbstractTracePackageOperation {
 fExportFolder = createExportFolder(progressMonitor);
- Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+ Document doc = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder().newDocument();
 Element createElement = doc.createElement(ITracePackageConstants.TMF_EXPORT_ELEMENT);
 Node tmfNode = doc.appendChild(createElement);
diff --git a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/tmf/ui/views/colors/ColorSettingsXML.java b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/tmf/ui/views/colors/ColorSettingsXML.java
index 1d645c0d54..0789155ab1 100644
--- a/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/tmf/ui/views/colors/ColorSettingsXML.java
+++ b/tmf/org.eclipse.tracecompass.tmf.ui/src/org/eclipse/tracecompass/tmf/ui/views/colors/ColorSettingsXML.java
@@ -19,7 +19,6 @@ import java.util.ArrayList; import java.util.List; import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParserFactory; import javax.xml.transform.Transformer; @@ -70,8 +69,7 @@ public class ColorSettingsXML { */ public static void save(String pathName, ColorSetting[] colorSettings) { try { - DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); - DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder(); + DocumentBuilder documentBuilder = XmlUtils.newSafeDocumentBuilderFactory().newDocumentBuilder(); Document document = documentBuilder.newDocument(); Element rootElement = document.createElement(COLOR_SETTINGS_TAG); |