diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CDAUtilities.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CDAUtilities.java
index d336c6ae59..c396c0b711 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CDAUtilities.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CDAUtilities.java
@@ -51,7 +51,7 @@ public class CDAUtilities {
private final Document doc;
public CDAUtilities(InputStream stream) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CKMImporter.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CKMImporter.java
index 881bad4a95..e4d04ada77 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CKMImporter.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CKMImporter.java
@@ -130,7 +130,7 @@ private Document loadXml(String address) throws Exception {
res.checkThrowException();
InputStream xml = new ByteArrayInputStream(res.getContent());
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder();
return db.parse(xml);
}
diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CountryCodesConverter.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CountryCodesConverter.java
index 0998e36c54..8b4269f531 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CountryCodesConverter.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/CountryCodesConverter.java
@@ -357,7 +357,7 @@ private String lang3To2(String lang) {
}
private Document load() throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/DicomPackageBuilder.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/DicomPackageBuilder.java
index 30d8005274..225a241a84 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/DicomPackageBuilder.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/DicomPackageBuilder.java
@@ -131,7 +131,7 @@ private JsonObject buildPackage() {
}
private CodeSystem buildCodeSystem() throws ParserConfigurationException, FileNotFoundException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(ManagedFileAccess.inStream(Utilities.path(source, "Resources", "Ontology", "DCM", "dcm.owl")));
diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/ICPC2Importer.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/ICPC2Importer.java
index 9a1ddaf29b..62610a17e3 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/ICPC2Importer.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/ICPC2Importer.java
@@ -120,7 +120,7 @@ public void setTargetFileNameVS(String targetFileName) {
}
public void go() throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));
diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/LoincToDEConvertor.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/LoincToDEConvertor.java
index e4d909e92e..0e14aa7be0 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/LoincToDEConvertor.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/LoincToDEConvertor.java
@@ -148,7 +148,7 @@ private void log(String string) {
}
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/adl/ADLImporter.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/adl/ADLImporter.java
index 74733d6e48..81febadee7 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/adl/ADLImporter.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/adl/ADLImporter.java
@@ -1,7 +1,5 @@
package org.hl7.fhir.convertors.misc.adl;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@@ -89,7 +87,7 @@ private static String getParam(String[] args, String name) {
private void execute() throws Exception {
// load config
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
adlConfig = builder.parse(ManagedFileAccess.inStream(config)).getDocumentElement();
diff --git a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/iso21090/ISO21090Importer.java b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/iso21090/ISO21090Importer.java
index 96e258676b..0cda147931 100644
--- a/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/iso21090/ISO21090Importer.java
+++ b/org.hl7.fhir.convertors/src/main/java/org/hl7/fhir/convertors/misc/iso21090/ISO21090Importer.java
@@ -317,7 +317,7 @@ private String getDoco(Element en) {
}
private void load() throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(ManagedFileAccess.inStream("C:\\work\\projects\\org.hl7.v3.dt\\iso\\iso-21090-datatypes.xsd"));
diff --git a/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/terminologies/LoincToDEConvertor.java b/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/terminologies/LoincToDEConvertor.java
index e6590307ab..5090afb9d8 100644
--- a/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/terminologies/LoincToDEConvertor.java
+++ b/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/terminologies/LoincToDEConvertor.java
@@ -162,7 +162,7 @@ private void log(String string) {
}
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/DigitalSignatures.java b/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/DigitalSignatures.java
index 8e44427d07..94c7c2f75a 100644
--- a/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/DigitalSignatures.java
+++ b/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/DigitalSignatures.java
@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.ParserConfigurationException;
import org.hl7.fhir.exceptions.FHIRException;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.hl7.fhir.utilities.xml.XmlGenerator;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
@@ -73,7 +74,7 @@ public static void main(String[] args)
//
byte[] inputXml = "\r\n\r\n".getBytes();
// load the document that's going to be signed
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
dbf.setNamespaceAware(true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
diff --git a/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/Translations.java b/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/Translations.java
index f65b799d52..ef474ddb2a 100644
--- a/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/Translations.java
+++ b/org.hl7.fhir.dstu2/src/main/java/org/hl7/fhir/dstu2/utils/Translations.java
@@ -70,7 +70,7 @@ public void setLang(String lang) {
*/
public void load(String filename)
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
loadMessages(builder.parse(new CSFileInputStream(filename)));
}
diff --git a/org.hl7.fhir.dstu2/src/test/java/org/hl7/fhir/dstu2/test/TestingUtilities.java b/org.hl7.fhir.dstu2/src/test/java/org/hl7/fhir/dstu2/test/TestingUtilities.java
index 5e5df5d005..ef200a2428 100644
--- a/org.hl7.fhir.dstu2/src/test/java/org/hl7/fhir/dstu2/test/TestingUtilities.java
+++ b/org.hl7.fhir.dstu2/src/test/java/org/hl7/fhir/dstu2/test/TestingUtilities.java
@@ -17,6 +17,7 @@
import org.hl7.fhir.utilities.Utilities;
import org.hl7.fhir.utilities.filesystem.CSFile;
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -145,7 +146,7 @@ private static Node skipBlankText(Node node) {
}
private static Document loadXml(String fn) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
diff --git a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
index fd78719fd5..db97ebbc28 100644
--- a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
+++ b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/metamodel/XmlParser.java
@@ -36,7 +36,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
@@ -78,7 +77,7 @@ public XmlParser(IWorkerContext context) {
public Element parse(InputStream stream) throws Exception {
Document doc = null;
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
// xxe protection
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
@@ -95,16 +94,10 @@ public Element parse(InputStream stream) throws Exception {
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();
DOMResult domResult = new DOMResult(doc);
- SAXParserFactory spf = SAXParserFactory.newInstance();
+ SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
spf.setNamespaceAware(true);
spf.setValidating(false);
- SAXParser saxParser = spf.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
- // xxe protection
- spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
InputSource inputSource = new InputSource(stream);
diff --git a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/ICPC2Importer.java b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/ICPC2Importer.java
index 74b386816f..7ad2f1b49b 100644
--- a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/ICPC2Importer.java
+++ b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/ICPC2Importer.java
@@ -116,7 +116,7 @@ public void setTargetFileNameVS(String targetFileName) {
}
public void go() throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(ManagedFileAccess.inStream(sourceFileName));
diff --git a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/LoincToDEConvertor.java b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/LoincToDEConvertor.java
index 0c29dfdf94..5a1e036239 100644
--- a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/LoincToDEConvertor.java
+++ b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/terminologies/LoincToDEConvertor.java
@@ -162,7 +162,7 @@ private void log(String string) {
}
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/DigitalSignatures.java b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/DigitalSignatures.java
index 350cc59f13..9d4aa18aa0 100644
--- a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/DigitalSignatures.java
+++ b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/DigitalSignatures.java
@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.ParserConfigurationException;
import org.hl7.fhir.exceptions.FHIRException;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.hl7.fhir.utilities.xml.XmlGenerator;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
@@ -73,7 +74,7 @@ public static void main(String[] args) throws SAXException, IOException, ParserC
//
byte[] inputXml = "\r\n\r\n".getBytes();
// load the document that's going to be signed
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
dbf.setNamespaceAware(true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
diff --git a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/Translations.java b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/Translations.java
index cf75392920..6c24118d3f 100644
--- a/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/Translations.java
+++ b/org.hl7.fhir.dstu2016may/src/main/java/org/hl7/fhir/dstu2016may/utils/Translations.java
@@ -70,7 +70,7 @@ public void setLang(String lang) {
*/
public void load(String filename)
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
loadMessages(builder.parse(new CSFileInputStream(filename)));
}
diff --git a/org.hl7.fhir.dstu2016may/src/test/java/org/hl7/fhir/dstu2016may/test/TestingUtilities.java b/org.hl7.fhir.dstu2016may/src/test/java/org/hl7/fhir/dstu2016may/test/TestingUtilities.java
index 74e11a0146..2568019943 100644
--- a/org.hl7.fhir.dstu2016may/src/test/java/org/hl7/fhir/dstu2016may/test/TestingUtilities.java
+++ b/org.hl7.fhir.dstu2016may/src/test/java/org/hl7/fhir/dstu2016may/test/TestingUtilities.java
@@ -17,6 +17,7 @@
import org.hl7.fhir.utilities.Utilities;
import org.hl7.fhir.utilities.filesystem.CSFile;
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -145,7 +146,7 @@ private static Node skipBlankText(Node node) {
}
private static Document loadXml(String fn) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
diff --git a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
index 3e160f815a..258735c926 100644
--- a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/elementmodel/XmlParser.java
@@ -41,7 +41,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
@@ -97,7 +96,7 @@ public void setAllowXsiLocation(boolean allowXsiLocation) {
public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException {
Document doc = null;
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
// xxe protection
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
@@ -114,18 +113,11 @@ public Element parse(InputStream stream) throws FHIRFormatError, DefinitionExcep
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();
DOMResult domResult = new DOMResult(doc);
- SAXParserFactory spf = SAXParserFactory.newInstance();
+ SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
spf.setNamespaceAware(true);
spf.setValidating(false);
- // xxe protection
- spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- SAXParser saxParser = spf.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
- // xxe protection
- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-
+ XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
+
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
InputSource inputSource = new InputSource(stream);
SAXSource saxSource = new SAXSource(locationAnnotator, inputSource);
diff --git a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/terminologies/LoincToDEConvertor.java b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/terminologies/LoincToDEConvertor.java
index 344d74cd41..24528c24f4 100644
--- a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/terminologies/LoincToDEConvertor.java
+++ b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/terminologies/LoincToDEConvertor.java
@@ -154,7 +154,7 @@ private void log(String string) {
}
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/DigitalSignatures.java b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/DigitalSignatures.java
index 80de2eb73b..b7f33b00ad 100644
--- a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/DigitalSignatures.java
+++ b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/DigitalSignatures.java
@@ -62,6 +62,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.ParserConfigurationException;
import org.hl7.fhir.exceptions.FHIRException;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.hl7.fhir.utilities.xml.XmlGenerator;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
@@ -74,7 +75,7 @@ public static void main(String[] args) throws SAXException, IOException, ParserC
//
byte[] inputXml = "\r\n\r\n".getBytes();
// load the document that's going to be signed
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
dbf.setNamespaceAware(true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
diff --git a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/Translations.java b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/Translations.java
index 017ab8bffd..46489fdfa1 100644
--- a/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/Translations.java
+++ b/org.hl7.fhir.dstu3/src/main/java/org/hl7/fhir/dstu3/utils/Translations.java
@@ -1,33 +1,33 @@
package org.hl7.fhir.dstu3.utils;
-/*
- Copyright (c) 2011+, HL7, Inc.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without modification,
- are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
- * Neither the name of HL7 nor the names of its contributors may be used to
- endorse or promote products derived from this software without specific
- prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- */
+/*
+ Copyright (c) 2011+, HL7, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without modification,
+ are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the name of HL7 nor the names of its contributors may be used to
+ endorse or promote products derived from this software without specific
+ prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ */
@@ -71,7 +71,7 @@ public void setLang(String lang) {
* @throws Exception
*/
public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
loadMessages(builder.parse(new CSFileInputStream(filename)));
}
diff --git a/org.hl7.fhir.dstu3/src/test/java/org/hl7/fhir/dstu3/test/support/TestingUtilities.java b/org.hl7.fhir.dstu3/src/test/java/org/hl7/fhir/dstu3/test/support/TestingUtilities.java
index 09c950bc73..ebbb18fa73 100644
--- a/org.hl7.fhir.dstu3/src/test/java/org/hl7/fhir/dstu3/test/support/TestingUtilities.java
+++ b/org.hl7.fhir.dstu3/src/test/java/org/hl7/fhir/dstu3/test/support/TestingUtilities.java
@@ -20,6 +20,7 @@
import org.hl7.fhir.utilities.filesystem.CSFile;
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -176,7 +177,7 @@ private static Document loadXml(String fn) throws Exception {
}
private static Document loadXml(InputStream fn) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
diff --git a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
index c6675bc87d..7d02685420 100644
--- a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/elementmodel/XmlParser.java
@@ -39,7 +39,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
@@ -96,7 +95,7 @@ public void setAllowXsiLocation(boolean allowXsiLocation) {
public Element parse(InputStream stream) throws FHIRFormatError, DefinitionException, FHIRException, IOException {
Document doc = null;
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
// xxe protection
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
@@ -113,17 +112,10 @@ public Element parse(InputStream stream) throws FHIRFormatError, DefinitionExcep
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();
DOMResult domResult = new DOMResult(doc);
- SAXParserFactory spf = SAXParserFactory.newInstance();
+ SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
spf.setNamespaceAware(true);
spf.setValidating(false);
- // xxe protection
- spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- SAXParser saxParser = spf.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
- // xxe protection
- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
InputSource inputSource = new InputSource(stream);
diff --git a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/terminologies/LoincToDEConvertor.java b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/terminologies/LoincToDEConvertor.java
index 9ccf08f41d..94ee1ce89c 100644
--- a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/terminologies/LoincToDEConvertor.java
+++ b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/terminologies/LoincToDEConvertor.java
@@ -156,7 +156,7 @@ private void log(String string) {
}
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/test/utils/TestingUtilities.java b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/test/utils/TestingUtilities.java
index 74aef99ae7..bb01633335 100644
--- a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/test/utils/TestingUtilities.java
+++ b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/test/utils/TestingUtilities.java
@@ -59,6 +59,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
import org.hl7.fhir.utilities.tests.ResourceLoaderTests;
import org.hl7.fhir.utilities.tests.TestConfig;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -256,7 +257,7 @@ private static Document loadXml(String fn) throws Exception {
}
private static Document loadXml(InputStream fn) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
diff --git a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/DigitalSignatures.java b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/DigitalSignatures.java
index 684dcf7c16..31427122be 100644
--- a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/DigitalSignatures.java
+++ b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/DigitalSignatures.java
@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import org.hl7.fhir.utilities.Utilities;
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.hl7.fhir.utilities.xml.XmlGenerator;
import org.w3c.dom.Document;
@@ -88,7 +89,7 @@ public static void main(String[] args) throws Exception {
//
byte[] inputXml = "\r\n\r\n".getBytes();
// load the document that's going to be signed
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
dbf.setNamespaceAware(true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
diff --git a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/Translations.java b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/Translations.java
index b425b5dc02..2498f9f687 100644
--- a/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/Translations.java
+++ b/org.hl7.fhir.r4/src/main/java/org/hl7/fhir/r4/utils/Translations.java
@@ -70,7 +70,7 @@ public void setLang(String lang) {
*/
public void load(String filename)
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
loadMessages(builder.parse(new CSFileInputStream(filename)));
}
diff --git a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
index 0dacab0648..475d8fdc71 100644
--- a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/elementmodel/XmlParser.java
@@ -39,7 +39,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
@@ -52,7 +51,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import org.hl7.fhir.r4b.conformance.ProfileUtilities;
import org.hl7.fhir.r4b.context.IWorkerContext;
import org.hl7.fhir.r4b.elementmodel.Element.SpecialElement;
-import org.hl7.fhir.r4b.elementmodel.ParserBase.NamedElement;
import org.hl7.fhir.r4b.formats.FormatUtilities;
import org.hl7.fhir.r4b.formats.IParser.OutputStyle;
import org.hl7.fhir.r4b.model.DateTimeType;
@@ -111,7 +109,7 @@ public List parse(InputStream stream)
List res = new ArrayList<>();
Document doc = null;
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
// xxe protection
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
@@ -136,17 +134,10 @@ public List parse(InputStream stream)
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();
DOMResult domResult = new DOMResult(doc);
- SAXParserFactory spf = SAXParserFactory.newInstance();
+ SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
spf.setNamespaceAware(true);
spf.setValidating(false);
- // xxe protection
- spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- SAXParser saxParser = spf.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
- // xxe protection
- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
InputSource inputSource = new InputSource(stream);
diff --git a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/LoincToDEConvertor.java b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/LoincToDEConvertor.java
index 1daebdcdb1..a38b2d16a6 100644
--- a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/LoincToDEConvertor.java
+++ b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/terminologies/LoincToDEConvertor.java
@@ -156,7 +156,7 @@ private void log(String string) {
}
private void loadLoinc() throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
diff --git a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/test/utils/TestingUtilities.java b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/test/utils/TestingUtilities.java
index c0fbe40e97..eb5e6906c8 100644
--- a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/test/utils/TestingUtilities.java
+++ b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/test/utils/TestingUtilities.java
@@ -23,6 +23,7 @@
import org.hl7.fhir.utilities.npm.FilesystemPackageCacheManager;
import org.hl7.fhir.utilities.tests.BaseTestingUtilities;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -269,7 +270,7 @@ private static Document loadXml(String fn) throws Exception {
}
private static Document loadXml(InputStream fn) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
diff --git a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/DigitalSignatures.java b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/DigitalSignatures.java
index 6fe69f3a11..74087d9455 100644
--- a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/DigitalSignatures.java
+++ b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/DigitalSignatures.java
@@ -60,6 +60,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import org.hl7.fhir.utilities.Utilities;
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.hl7.fhir.utilities.xml.XmlGenerator;
import org.w3c.dom.Document;
@@ -88,7 +89,7 @@ public static void main(String[] args) throws Exception {
//
byte[] inputXml = "\r\n\r\n".getBytes();
// load the document that's going to be signed
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
dbf.setNamespaceAware(true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
diff --git a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/Translations.java b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/Translations.java
index 808e218ecd..cd20814d61 100644
--- a/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/Translations.java
+++ b/org.hl7.fhir.r4b/src/main/java/org/hl7/fhir/r4b/utils/Translations.java
@@ -70,7 +70,7 @@ public void setLang(String lang) {
*/
public void load(String filename)
throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
loadMessages(builder.parse(new CSFileInputStream(filename)));
}
diff --git a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
index 4669b60951..3d7f43a64a 100644
--- a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
+++ b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/elementmodel/XmlParser.java
@@ -44,7 +44,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
@@ -126,7 +125,7 @@ public List parse(InputStream inStream) throws FHIRFormatErro
ByteArrayInputStream stream = new ByteArrayInputStream(content);
Document doc = null;
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
// xxe protection
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
@@ -150,17 +149,11 @@ public List parse(InputStream inStream) throws FHIRFormatErro
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.newDocument();
DOMResult domResult = new DOMResult(doc);
- SAXParserFactory spf = SAXParserFactory.newInstance();
+ SAXParserFactory spf = XMLUtil.newXXEProtectedSaxParserFactory();
spf.setNamespaceAware(true);
spf.setValidating(false);
- // xxe protection
- spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- SAXParser saxParser = spf.newSAXParser();
- XMLReader xmlReader = saxParser.getXMLReader();
- // xxe protection
- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
- xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
+ XMLReader xmlReader = XMLUtil.getXXEProtectedXMLReader(spf);
XmlLocationAnnotator locationAnnotator = new XmlLocationAnnotator(xmlReader, doc);
InputSource inputSource = new InputSource(stream);
diff --git a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/test/utils/CompareUtilities.java b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/test/utils/CompareUtilities.java
index 63a857ce75..db134c0bb8 100644
--- a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/test/utils/CompareUtilities.java
+++ b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/test/utils/CompareUtilities.java
@@ -15,6 +15,7 @@
import org.hl7.fhir.utilities.json.model.JsonProperty;
import org.hl7.fhir.utilities.json.parser.JsonParser;
import org.hl7.fhir.utilities.settings.FhirSettings;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -205,7 +206,7 @@ private Document loadXml(String fn) throws Exception {
}
private Document loadXml(InputStream fn) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
diff --git a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/DigitalSignatures.java b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/DigitalSignatures.java
index 8b09b1691b..6d8c658922 100644
--- a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/DigitalSignatures.java
+++ b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/DigitalSignatures.java
@@ -62,6 +62,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import org.hl7.fhir.utilities.Utilities;
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.hl7.fhir.utilities.xml.XmlGenerator;
import org.w3c.dom.Document;
@@ -91,7 +92,7 @@ public static void main(String[] args) throws Exception {
//
byte[] inputXml = "\r\n\r\n".getBytes();
// load the document that's going to be signed
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dbf = XMLUtil.newXXEProtectedDocumentBuilderFactory();
dbf.setNamespaceAware(true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document doc = builder.parse(new ByteArrayInputStream(inputXml));
diff --git a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/Translations.java b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/Translations.java
index 5d193e9468..fdac4e3474 100644
--- a/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/Translations.java
+++ b/org.hl7.fhir.r5/src/main/java/org/hl7/fhir/r5/utils/Translations.java
@@ -1,33 +1,33 @@
package org.hl7.fhir.r5.utils;
-/*
- Copyright (c) 2011+, HL7, Inc.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without modification,
- are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
- * Neither the name of HL7 nor the names of its contributors may be used to
- endorse or promote products derived from this software without specific
- prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- */
+/*
+ Copyright (c) 2011+, HL7, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without modification,
+ are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the name of HL7 nor the names of its contributors may be used to
+ endorse or promote products derived from this software without specific
+ prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ */
@@ -71,7 +71,7 @@ public void setLang(String lang) {
* @throws Exception
*/
public void load(String filename) throws FileNotFoundException, SAXException, IOException, ParserConfigurationException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
loadMessages(builder.parse(new CSFileInputStream(filename)));
}
diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/TranslatorXml.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/TranslatorXml.java
index 89e1d545ab..c7b957fabf 100644
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/TranslatorXml.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/TranslatorXml.java
@@ -69,7 +69,7 @@ public TranslatorXml(String filename) throws ParserConfigurationException, SAXEx
private void load(String filename) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document xml = builder.parse(ManagedFileAccess.file(filename));
diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java
index 270d9700bc..958d6ea4af 100644
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlNormaliser.java
@@ -221,7 +221,7 @@ private void check(boolean test, String message) throws FHIRException {
private Document parseXml(InputStream in) throws FHIRException, ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(in);
diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlParser.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlParser.java
index 02258608d8..a6b6b05d72 100644
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlParser.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xls/XLSXmlParser.java
@@ -1,33 +1,33 @@
package org.hl7.fhir.utilities.xls;
-/*
- Copyright (c) 2011+, HL7, Inc.
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without modification,
- are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
- * Neither the name of HL7 nor the names of its contributors may be used to
- endorse or promote products derived from this software without specific
- prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-
- */
+/*
+ Copyright (c) 2011+, HL7, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without modification,
+ are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ * Neither the name of HL7 nor the names of its contributors may be used to
+ endorse or promote products derived from this software without specific
+ prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ */
@@ -166,7 +166,7 @@ public XLSXmlParser(InputStream in, String name) throws FHIRException {
private Document parseXml(InputStream in) throws FHIRException {
try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(in);
diff --git a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java
index 371f44705f..17e8b87774 100644
--- a/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java
+++ b/org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/xml/XMLUtil.java
@@ -32,7 +32,6 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import java.io.ByteArrayInputStream;
-import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
@@ -43,9 +42,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import java.util.Set;
import javax.xml.XMLConstants;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.*;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
@@ -65,10 +62,15 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSSerializer;
import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+import org.xml.sax.XMLReader;
public class XMLUtil {
public static final String SPACE_CHAR = "\u00A0";
+ public static final String SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
+ public static final String APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
public static boolean isNMToken(String name) {
if (name == null)
@@ -437,28 +439,28 @@ public static boolean hasNamedChild(Element e, String name) {
}
public static Document parseToDom(String content) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(false);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(new ByteArrayInputStream(content.getBytes()));
}
public static Document parseToDom(byte[] content) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(false);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(new ByteArrayInputStream(content));
}
public static Document parseToDom(byte[] content, boolean ns) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(ns);
DocumentBuilder builder = factory.newDocumentBuilder();
return builder.parse(new ByteArrayInputStream(content));
}
public static Document parseFileToDom(String filename) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(false);
DocumentBuilder builder = factory.newDocumentBuilder();
FileInputStream fs = ManagedFileAccess.inStream(filename);
@@ -470,7 +472,7 @@ public static Document parseFileToDom(String filename) throws ParserConfiguratio
}
public static Document parseFileToDom(String filename, boolean ns) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setNamespaceAware(ns);
DocumentBuilder builder = factory.newDocumentBuilder();
FileInputStream fs = ManagedFileAccess.inStream(filename);
@@ -503,13 +505,42 @@ public static String getNamedChildAttribute(Element element, String name, String
}
public static TransformerFactory newXXEProtectedTransformerFactory() {
- TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ final TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return transformerFactory;
}
+ public static DocumentBuilderFactory newXXEProtectedDocumentBuilderFactory() throws ParserConfigurationException {
+ final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
+ documentBuilderFactory.setXIncludeAware(false);
+ return documentBuilderFactory;
+ }
+
+ public static SAXParserFactory newXXEProtectedSaxParserFactory() throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
+ final SAXParserFactory spf = SAXParserFactory.newInstance();
+ spf.setFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
+ spf.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
+ return spf;
+ }
+
+ public static XMLReader getXXEProtectedXMLReader(SAXParserFactory spf) throws ParserConfigurationException, SAXException {
+ final SAXParser saxParser = spf.newSAXParser();
+ final XMLReader xmlReader = saxParser.getXMLReader();
+ final boolean externalGeneralEntitiesFeatureValue = spf.getFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES);
+ if (externalGeneralEntitiesFeatureValue) {
+ throw new IllegalArgumentException("SAXParserFactory has insecure feature setting:" + SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES+ "=" + externalGeneralEntitiesFeatureValue);
+ }
+ final boolean disallowDocTypeDeclFeatureValue = spf.getFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL);
+ if (!disallowDocTypeDeclFeatureValue) {
+ throw new IllegalArgumentException("SAXParserFactory has insecure feature setting:" + APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL + "=" + disallowDocTypeDeclFeatureValue);
+ }
+ xmlReader.setFeature(SAX_FEATURES_EXTERNAL_GENERAL_ENTITIES, false);
+ xmlReader.setFeature(APACHE_XML_FEATURES_DISALLOW_DOCTYPE_DECL, true);
+ return xmlReader;
+ }
public static void writeDomToFile(Document doc, String filename) throws TransformerException, IOException {
TransformerFactory transformerFactory = XMLUtil.newXXEProtectedTransformerFactory();
Transformer transformer = transformerFactory.newTransformer();
diff --git a/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/ValidatorUtils.java b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/ValidatorUtils.java
index 29b7ce21f9..d1101fa1e8 100644
--- a/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/ValidatorUtils.java
+++ b/org.hl7.fhir.validation/src/main/java/org/hl7/fhir/validation/ValidatorUtils.java
@@ -37,6 +37,7 @@
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
import org.hl7.fhir.utilities.i18n.I18nConstants;
import org.hl7.fhir.utilities.validation.ValidationMessage;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.hl7.fhir.validation.cli.utils.AsteriskFilter;
import org.hl7.fhir.validation.cli.utils.Common;
import org.w3c.dom.Document;
@@ -115,7 +116,7 @@ public static BaseLoaderR5 loaderForVersion(String version, ILoaderKnowledgeProv
}
protected static Document parseXml(byte[] cnt) throws ParserConfigurationException, SAXException, IOException {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
// xxe protection
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
diff --git a/org.hl7.fhir.validation/src/test/java/org/hl7/fhir/conversion/tests/UtilitiesXTests.java b/org.hl7.fhir.validation/src/test/java/org/hl7/fhir/conversion/tests/UtilitiesXTests.java
index 15649aceb5..0e12abb77d 100644
--- a/org.hl7.fhir.validation/src/test/java/org/hl7/fhir/conversion/tests/UtilitiesXTests.java
+++ b/org.hl7.fhir.validation/src/test/java/org/hl7/fhir/conversion/tests/UtilitiesXTests.java
@@ -64,6 +64,7 @@ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWIS
import org.hl7.fhir.utilities.filesystem.CSFile;
import org.hl7.fhir.utilities.filesystem.ManagedFileAccess;
import org.hl7.fhir.utilities.npm.FilesystemPackageCacheManager;
+import org.hl7.fhir.utilities.xml.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
@@ -277,7 +278,7 @@ private static Document loadXml(String fn) throws Exception {
}
private static Document loadXml(InputStream fn) throws Exception {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.newXXEProtectedDocumentBuilderFactory();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);