From 673a20cb10fae3c6aa3a13b136a3829f0b685a73 Mon Sep 17 00:00:00 2001
From: Rossen Stoyanchev
Date: Fri, 4 Jan 2019 22:18:15 -0500
Subject: [PATCH] Defensive initialization of AsyncXMLInputFactory

Aalto's InputFactoryImpl already disables loading of external entities by default (property "javax.xml.stream.isSupportingExternalEntities"). This commit goes further by applying the same defensive measures as we do elsewhere for XMLInputFactory, which disables DTD completely. Arguably there is no good reason to enable that by default in WebFlux.
---
 .../org/springframework/util/xml/StaxUtils.java | 17 ++++++++++++++---
 .../http/codec/xml/XmlEventDecoder.java | 6 ++++--
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java b/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
index daca1a82a3..6f9b06cc56 100644
--- a/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
+++ b/spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package org.springframework.util.xml;
 
 import java.util.List;
+import java.util.function.Supplier;
 import javax.xml.stream.XMLEventFactory;
 import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.XMLEventWriter;
@@ -58,11 +59,21 @@ public abstract class StaxUtils {
 	/**
 	 * Create an {@link XMLInputFactory} with Spring's defensive setup,
 	 * i.e. no support for the resolution of DTDs and external entities.
-	 * @return a new input factory to use
+	 * @return a new defensively initialized input factory instance to use
 	 * @since 5.0
 	 */
 	public static XMLInputFactory createDefensiveInputFactory() {
-		XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+		return createDefensiveInputFactory(XMLInputFactory::newFactory);
+	}
+
+	/**
+	 * Variant of {@link #createDefensiveInputFactory()} with a custom instance.
+	 * @param instanceSupplier supplier for the input factory instance
+	 * @return a new defensively initialized input factory instance to use
+	 * @since 5.0.12
+	 */
+	public static T createDefensiveInputFactory(Supplier instanceSupplier) {
+		T inputFactory = instanceSupplier.get();
 		inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 		inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 		inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);
diff --git a/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java b/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
index 4971353b99..6213fc080b 100644
--- a/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
+++ b/spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
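Review bot: The Javadoc on the new `createDefensiveInputFactory(Supplier)` overload in StaxUtils does not say that the supplied instance is reconfigured in place — the `setProperty` and `setXMLResolver` calls mutate whatever the supplier returns — so a caller handing in a shared or cached factory would have it altered rather than receive "a new ... instance" as the `@return` promises. Suggest extending the parameter line to `@param instanceSupplier supplier for the input factory instance; should return a fresh instance, which is configured in place and returned`. Since the generic parameter now admits any `XMLInputFactory` subtype, it may also be worth documenting that an implementation which does not recognize `SUPPORT_DTD` or `IS_SUPPORTING_EXTERNAL_ENTITIES` will fail here with the `IllegalArgumentException` that the StAX `setProperty` contract specifies; that is inferred from the API contract rather than from the hunk. The type bounds on the new signature line appear to have been stripped in this rendering, and the method body continues past the end of the hunk.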
@@ -127,13 +127,15 @@ public class XmlEventDecoder extends AbstractDecoder {
 	 */
 	private static class AaltoDataBufferToXmlEvent implements Function> {
 
-		private static final AsyncXMLInputFactory inputFactory = new InputFactoryImpl();
+		private static final AsyncXMLInputFactory inputFactory =
+				StaxUtils.createDefensiveInputFactory(InputFactoryImpl::new);
 
 		private final AsyncXMLStreamReader streamReader = inputFactory.createAsyncForByteBuffer();
 
 		private final XMLEventAllocator eventAllocator = EventAllocatorImpl.getDefaultInstance();
 
+		@Override
 		public Publisher apply(DataBuffer dataBuffer) {
 			try {
-- 
GitLab
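Review bot: The new `inputFactory` initializer gives no indication of why the Aalto factory is now routed through `StaxUtils` instead of `new InputFactoryImpl()`, which makes the hardening easy to undo in a later cleanup; a comment on the field such as `// Disable DTD support and external-entity resolution (see StaxUtils.createDefensiveInputFactory)` would record the intent next to the code. Because this runs in a static initializer, an `IllegalArgumentException` thrown by one of the `setProperty` calls would surface as an `ExceptionInInitializerError` on first use of the decoder rather than at the call site; the commit message says Aalto already honours the external-entities property, but a test that instantiates `AaltoDataBufferToXmlEvent` once would confirm `SUPPORT_DTD` is accepted as well. The `apply` method whose `try {` opens at the end of the hunk continues outside it.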