Reputation: 11
I tried the fix suggested by SonarQube:
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

private TransformerFactory newTransformerFactory() {
    TransformerFactory tfactory = TransformerFactory.newInstance();
    tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    return tfactory;
}
But I'm facing a runtime exception on setAttribute: "java.lang.IllegalArgumentException: Unknown configuration property http://javax.xml.XMLConstants/property/accessExternalDTD"
This seems to be because of a bug in the version of the Saxon jar I'm using (9.7). It's working fine on Saxon 10.3. Please refer to https://saxonica.plan.io/issues/4729 for this bug.
Below are my questions:
Is there any way to make it work on my existing Saxon version (without upgrading it to 10.x)? I tried using transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true), but SonarQube is not satisfied, as it expects the above fix.
If upgrading to 10.x is the only way, then below is the challenge I'm facing:
I'm overriding a method from TraceListener for some business logic. But the method signature changed in the latest version, like below:
Class - net.sf.saxon.lib.TraceListener
Saxon 9.7 -> public void enter(InstructionInfo instruction, XPathContext context)
Saxon 10.x -> public void enter(Traceable instruction, java.util.Map<java.lang.String,java.lang.Object> properties, XPathContext context)
My current Code:
@Override
public void enter(InstructionInfo instruction, XPathContext context) {
    int data = instruction.getConstructType();
    if ((data == 155) || (data == 200)) {
        .......logic......
    }
}
My new code will be :
@Override
public void enter(Traceable instruction,
                  java.util.Map<java.lang.String, java.lang.Object> properties, XPathContext context) {
    // --> what to use here for getConstructType()
    if ((data == 155) || (data == 200)) {
        .......logic......
    }
}
So the problem is that the 10.x jar doesn't have a getConstructType() method in its Traceable class or InstructionInfo class. How do I use getConstructType() in the 10.x version?
P.S.: It would be very helpful if the first question gets answered, i.e. if I can resolve this with my current version of the jar, as the new version requires testing all the functionality throughout the project :( Hope someone can help me, thanks in advance.
Upvotes: 0
Views: 1864
Reputation: 37
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;

TransformerFactory tf = TransformerFactory.newInstance();
// Disable external DTD and stylesheet access (JAXP 1.5 access properties)
tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
Transformer transformer = tf.newTransformer();
reference: https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
Upvotes: 0
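Both the question's snippet and the answer above set the JAXP access properties on the TransformerFactory, which on Saxon 9.7 fails with the IllegalArgumentException quoted in the question. The following is an added example and not code from either post: it probes for those properties, falls back to FEATURE_SECURE_PROCESSING when a factory rejects them, and, independently of what the XSLT engine supports, parses both the stylesheet and the input document with a SAX parser configured to refuse DOCTYPE declarations and external entities, so the DTD-based XXE vector is closed at the parser whatever the Saxon version. The class name HardenedXslt, the deny-all URIResolver and the hostile input are constructed for this illustration; the Xerces feature URIs assume the JDK's bundled Xerces parser is the SAXParserFactory default.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/** Added example: XSLT hardening that does not depend on the engine supporting JAXP 1.5 properties. */
public final class HardenedXslt {

    /** Factory with the access properties where supported, secure processing everywhere. */
    static TransformerFactory newFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        for (String prop : new String[] {
                XMLConstants.ACCESS_EXTERNAL_DTD,
                XMLConstants.ACCESS_EXTERNAL_STYLESHEET }) {
            try {
                tf.setAttribute(prop, ""); // "" = no protocol allowed
            } catch (IllegalArgumentException e) {
                // Older factories (the question's Saxon 9.7) reject the property. Do not treat
                // this as fatal: the parser-level settings in secureSource() carry the defence.
                System.err.println("Factory does not support " + prop + ": " + e.getMessage());
            }
        }
        // Deny xsl:import/xsl:include and document() fetches of arbitrary URIs (constructed policy).
        tf.setURIResolver((href, base) -> {
            throw new TransformerException("External resource blocked: " + href);
        });
        return tf;
    }

    /** Wrap XML text in a SAXSource whose parser refuses DOCTYPEs and external entities. */
    static Source secureSource(String xml) throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Saxon (like other JAXP engines) uses the XMLReader supplied in the SAXSource.
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        String stylesheet = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/root\"/></out></xsl:template>"
            + "</xsl:stylesheet>";
        // Constructed hostile input: classic XXE that tries to read a local file.
        String hostile = "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><root>&xxe;</root>";

        TransformerFactory tf = newFactory();
        Transformer t = tf.newTransformer(secureSource(stylesheet));
        try {
            t.transform(secureSource(hostile), new StreamResult(System.out));
            System.out.println("UNEXPECTED: transform succeeded");
        } catch (TransformerException e) {
            // Expected: the SAX parser rejects the DOCTYPE before any entity is resolved.
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

The factory-level properties remain worth setting where they are accepted, since they also cover stylesheets loaded by the engine itself, but the parser features are what actually stop the entity expansion, which is why the example treats the IllegalArgumentException as a warning rather than a failure. Note that in Saxon the unparsed-text() and collection() functions are resolved through Saxon's own resolver interfaces rather than the JAXP URIResolver, so the deny-all resolver above does not by itself cover those functions.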
Reputation: 163342
First point: to be a little argumentative, it is NOT a bug in Saxon 9.7. The Javadoc for TransformerFactory (in Java 8) says "All implementations that implement JAXP 1.5 or newer are required to support the XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_STYLESHEET properties." but Saxon 9.7 never claimed to implement JAXP 1.5, it only claimed to implement JAXP 1.3.
Saying "I want to stay on an old release of Saxon but I can't, because I want a version that supports a new feature of JAXP" is very understandable, but not actually very logical.
One solution to this is to add your own implementation of the TransformerFactory API, which intercepts the attempt to set this property and doesn't pass it on to Saxon.
Note that this property is in the wrong place anyway. DTD processing is the responsibility of the XML parser, not the XSLT processor. The specification doesn't make it clear exactly what effect it's supposed to have. If the XSLT processor instantiates the XML parser, it seems reasonable that it should pass the property on, but what should it do if it's not accepted? And should it pass it on at all if the XML parser is created by the user application rather than by the XSLT processor? Generally it's a very frustrating exercise trying to implement rules like this in the JAXP specification, which are often very fuzzily specified.
I would encourage you generally to try to keep abreast of new Saxon releases to avoid hitting problems which have already been solved. Yes, it's true that we occasionally revise the design of some of the "system programming" interfaces such as the TraceListener interface. The 10.3 version of this interface replaces InstructionInfo with Traceable, and to find out what kind of Traceable is involved, you should use instanceof.
When we do make changes, we often introduce a new API in one major version and drop the old API in the following version. If you jump forward three major releases in one go (9.7 to 10, skipping 9.8 and 9.9) then you're not able to take advantage of these transition aids.
Upvotes: 1
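As an added example of the instanceof approach described in the answer above (this is not code from the question, the answer or Saxonica), here is a TraceListener written against the Saxon 10.x signature from the question. The interface methods, the Traceable type (assumed to be net.sf.saxon.trace.Traceable), the construct classes TemplateRule, NamedTemplate, ApplyTemplates and CallTemplate, and the s9api properties Feature.COMPILE_WITH_TRACING and Feature.TRACE_LISTENER are taken from the Saxon 10 API as I understand it and should be checked against the Javadoc of the release actually used. The page does not say which constructs the question's codes 155 and 200 denote, so template definitions and template invocations are used only to show the dispatch pattern; the class name and the inline stylesheet are constructed.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.Controller;
import net.sf.saxon.expr.XPathContext;
import net.sf.saxon.expr.instruct.ApplyTemplates;
import net.sf.saxon.expr.instruct.CallTemplate;
import net.sf.saxon.expr.instruct.NamedTemplate;
import net.sf.saxon.expr.instruct.TemplateRule;
import net.sf.saxon.lib.Feature;
import net.sf.saxon.lib.Logger;
import net.sf.saxon.lib.TraceListener;
import net.sf.saxon.om.Item;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.XsltExecutable;
import net.sf.saxon.s9api.XsltTransformer;
import net.sf.saxon.trace.Traceable;

/**
 * Added example for Saxon 10.x (assumed API): replaces the 9.7 idiom
 * "instruction.getConstructType() == <int>" with instanceof checks on the Traceable.
 */
public class InstanceOfTraceListener implements TraceListener {

    private final AtomicInteger templateEvents = new AtomicInteger();
    private Logger out;

    @Override public void setOutputDestination(Logger stream) { this.out = stream; }
    @Override public void open(Controller controller) { }
    @Override public void close() { }

    @Override
    public void enter(Traceable instruction, Map<String, Object> properties, XPathContext context) {
        // The construct type is now the concrete class of the Traceable. Which classes map to
        // the question's codes 155 and 200 is not known here; templates are an illustration only.
        if (instruction instanceof TemplateRule || instruction instanceof NamedTemplate) {
            templateEvents.incrementAndGet();
            log("template definition entered at " + where(instruction) + " props=" + properties);
        } else if (instruction instanceof ApplyTemplates || instruction instanceof CallTemplate) {
            log("template invocation at " + where(instruction));
        }
        // Every other Traceable (xsl:for-each, function calls, ...) falls through untouched.
    }

    @Override public void leave(Traceable instruction) { }
    @Override public void startCurrentItem(Item currentItem) { }
    @Override public void endCurrentItem(Item currentItem) { }

    /** Number of template definitions entered, so a caller can verify the listener fired. */
    public int templateEvents() { return templateEvents.get(); }

    private static String where(Traceable t) {
        return t.getLocation().getSystemId() + ":" + t.getLocation().getLineNumber();
    }

    private void log(String msg) {
        if (out != null) { out.println(msg, Logger.INFO); } else { System.err.println(msg); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stylesheet: one match template that calls one named template.
        String xsl = "<xsl:stylesheet version=\"3.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><xsl:call-template name=\"hello\"/></xsl:template>"
            + "<xsl:template name=\"hello\"><out>hi</out></xsl:template>"
            + "</xsl:stylesheet>";

        Processor proc = new Processor(false);
        InstanceOfTraceListener listener = new InstanceOfTraceListener();
        // Trace hooks are only generated when the stylesheet is compiled with tracing enabled.
        proc.setConfigurationProperty(Feature.COMPILE_WITH_TRACING, true);
        proc.setConfigurationProperty(Feature.TRACE_LISTENER, listener);

        XsltExecutable exe = proc.newXsltCompiler().compile(new StreamSource(new StringReader(xsl)));
        XsltTransformer t = exe.load();
        t.setSource(new StreamSource(new StringReader("<root/>")));
        t.setDestination(proc.newSerializer(System.out));
        t.transform();
        System.err.println("template definitions entered: " + listener.templateEvents());
    }
}
```

The properties map passed to enter() carries the attributes Saxon would print in its own trace output (name, match pattern and so on), so code that previously switched on getConstructType() can usually be ported by testing the class with instanceof and, where a finer distinction is needed, reading those properties rather than relying on numeric constants.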