Tweak XmlInputFactory settings

fmbenhassine · fmbenhassine · commit c7930184ee45 · 2019-01-11T07:04:35.000+01:00
diff --git a/spring-batch-infrastructure-tests/src/test/java/org/springframework/batch/item/xml/Jaxb2MarshallingTests.java b/spring-batch-infrastructure-tests/src/test/java/org/springframework/batch/item/xml/Jaxb2MarshallingTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2014 the original author or authors.
+ * Copyright 2010-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import java.io.StringWriter;
 import java.math.BigDecimal;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@@ -48,7 +49,10 @@ protected Marshaller getMarshaller() throws Exception {
 
 	public static String getTextFromSource(Source source) {
 		try {
-			Transformer transformer = TransformerFactory.newInstance().newTransformer();
+			TransformerFactory transformerFactory = TransformerFactory.newInstance();
+			transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+			transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+			Transformer transformer = transformerFactory.newTransformer();
 			transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 			StreamResult stream = new StreamResult(new StringWriter());
 			transformer.transform(source, stream);
diff --git a/spring-batch-infrastructure/src/main/java/org/springframework/batch/item/xml/StaxEventItemReader.java b/spring-batch-infrastructure/src/main/java/org/springframework/batch/item/xml/StaxEventItemReader.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2007 the original author or authors.
+ * Copyright 2006-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,6 +53,7 @@
  * The implementation is <b>not</b> thread-safe.
  * 
  * @author Robert Kasanicky
+ * @author Mahmoud Ben Hassine
  */
 public class StaxEventItemReader<T> extends AbstractItemCountingItemStreamItemReader<T> implements
 ResourceAwareItemReaderItemStream<T>, InitializingBean {
@@ -75,6 +76,8 @@ public class StaxEventItemReader<T> extends AbstractItemCountingItemStreamItemRe
 
 	private boolean strict = true;
 
+	private XMLInputFactory xmlInputFactory = StaxUtils.createXmlInputFactory();
+
 	public StaxEventItemReader() {
 		setName(ClassUtils.getShortName(StaxEventItemReader.class));
 	}
@@ -117,6 +120,15 @@ public void setFragmentRootElementNames(String[] fragmentRootElementNames) {
 		}
 	}
 
+	/**
+	 * Set the {@link XMLInputFactory}.
+	 * @param xmlInputFactory to use
+	 */
+	public void setXmlInputFactory(XMLInputFactory xmlInputFactory) {
+		Assert.notNull(xmlInputFactory, "XMLInputFactory must not be null");
+		this.xmlInputFactory = xmlInputFactory;
+	}
+
 	/**
 	 * Ensure that all required dependencies for the ItemReader to run are provided after all properties have been set.
 	 * 
@@ -205,7 +217,7 @@ protected void doOpen() throws Exception {
 		}
 
 		inputStream = resource.getInputStream();
-		eventReader = XMLInputFactory.newInstance().createXMLEventReader(inputStream);
+		eventReader = xmlInputFactory.createXMLEventReader(inputStream);
 		fragmentReader = new DefaultFragmentEventReader(eventReader);
 		noInput = false;
 
diff --git a/spring-batch-infrastructure/src/main/java/org/springframework/batch/item/xml/StaxUtils.java b/spring-batch-infrastructure/src/main/java/org/springframework/batch/item/xml/StaxUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2007 the original author or authors.
+ * Copyright 2006-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@
 
 import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.XMLEventWriter;
+import javax.xml.stream.XMLInputFactory;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import java.lang.reflect.Constructor;
@@ -38,6 +39,7 @@
  * As the only class state maintained is to cache java reflection metadata, which is thread-safe, this class is thread-safe.
  *
  * @author Josh Long
+ * @author Mahmoud Ben Hassine
  *
  */
 public abstract class StaxUtils {
@@ -142,4 +144,11 @@ public static XMLEventReader getXmlEventReader(Source s) throws Exception {
         m.setAccessible(accessible);
         return (XMLEventReader) result;
     }
+
+    public static XMLInputFactory createXmlInputFactory() {
+		XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
+		xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+		xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+		return xmlInputFactory;
+	}
 }
diff --git a/spring-batch-infrastructure/src/test/java/org/springframework/batch/item/xml/StaxEventItemReaderTests.java b/spring-batch-infrastructure/src/test/java/org/springframework/batch/item/xml/StaxEventItemReaderTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2014 the original author or authors.
+ * Copyright 2008-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,8 @@
  */
 package org.springframework.batch.item.xml;
 
+import org.hamcrest.Matchers;
+import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.batch.item.ExecutionContext;
@@ -33,12 +35,12 @@
 import javax.xml.namespace.QName;
 import javax.xml.stream.FactoryConfigurationError;
 import javax.xml.stream.XMLEventReader;
-import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.events.EndElement;
 import javax.xml.stream.events.StartElement;
 import javax.xml.stream.events.XMLEvent;
 import javax.xml.transform.Source;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
@@ -56,6 +58,8 @@
  * Tests for {@link StaxEventItemReader}.
  * 
  * @author Robert Kasanicky
+ * @author Michael Minella
+ * @author Mahmoud Ben Hassine
  */
 public class StaxEventItemReaderTests {
 
@@ -329,7 +333,7 @@ public void testMultiFragmentNestedRestart() throws Exception {
 	@Test
 	public void testMoveCursorToNextFragment() throws XMLStreamException, FactoryConfigurationError, IOException {
 		Resource resource = new ByteArrayResource(xml.getBytes());
-		XMLEventReader reader = XMLInputFactory.newInstance().createXMLEventReader(resource.getInputStream());
+		XMLEventReader reader = StaxUtils.createXmlInputFactory().createXMLEventReader(resource.getInputStream());
 
 		final int EXPECTED_NUMBER_OF_FRAGMENTS = 2;
 		for (int i = 0; i < EXPECTED_NUMBER_OF_FRAGMENTS; i++) {
@@ -346,7 +350,7 @@ public void testMoveCursorToNextFragment() throws XMLStreamException, FactoryCon
 	@Test
 	public void testMoveCursorToNextFragmentOnEmpty() throws XMLStreamException, FactoryConfigurationError, IOException {
 		Resource resource = new ByteArrayResource(emptyXml.getBytes());
-		XMLEventReader reader = XMLInputFactory.newInstance().createXMLEventReader(resource.getInputStream());
+		XMLEventReader reader = StaxUtils.createXmlInputFactory().createXMLEventReader(resource.getInputStream());
 
 		assertFalse(source.moveCursorToNextFragment(reader));
 	}
@@ -357,7 +361,7 @@ public void testMoveCursorToNextFragmentOnEmpty() throws XMLStreamException, Fac
 	@Test
 	public void testMoveCursorToNextFragmentOnMissing() throws XMLStreamException, FactoryConfigurationError, IOException {
 		Resource resource = new ByteArrayResource(missingXml.getBytes());
-		XMLEventReader reader = XMLInputFactory.newInstance().createXMLEventReader(resource.getInputStream());
+		XMLEventReader reader = StaxUtils.createXmlInputFactory().createXMLEventReader(resource.getInputStream());
 		assertFalse(source.moveCursorToNextFragment(reader));
 	}
 
@@ -577,6 +581,39 @@ public void exceptionDuringUnmarshalling() throws Exception {
 		assertNull(source.read());
 	}
 
+	@Test
+	public void testDtdXml() {
+		String xmlWithDtd = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<!DOCTYPE rohit [\n<!ENTITY entityex SYSTEM \"file://" +
+				new File("src/test/resources/org/springframework/batch/support/existing.txt").getAbsolutePath() +
+				"\">\n]>\n<abc>&entityex;</abc>";
+		StaxEventItemReader<String> reader = new StaxEventItemReader<>();
+		reader.setName("foo");
+		reader.setResource(new ByteArrayResource(xmlWithDtd.getBytes()));
+		reader.setUnmarshaller(new MockFragmentUnmarshaller() {
+			@Override
+			public Object unmarshal(Source source) throws XmlMappingException {
+				try {
+					XMLEventReader xmlEventReader = StaxUtils.getXmlEventReader(source);
+					xmlEventReader.nextEvent();
+					xmlEventReader.nextEvent();
+					return xmlEventReader.getElementText();
+				} catch (Exception e) {
+					throw new RuntimeException(e);
+				}
+			}
+		});
+		reader.setFragmentRootElementName("abc");
+
+		reader.open(new ExecutionContext());
+
+		try {
+			reader.read();
+			fail("Should fail when XML contains DTD");
+		} catch (Exception e) {
+			Assert.assertThat(e.getMessage(), Matchers.containsString("Undeclared general entity"));
+		}
+	}
+
 	/**
 	 * Stub emulating problems during unmarshalling.
 	 */
diff --git a/spring-batch-infrastructure/src/test/java/org/springframework/batch/item/xml/stax/DefaultFragmentEventReaderTests.java b/spring-batch-infrastructure/src/test/java/org/springframework/batch/item/xml/stax/DefaultFragmentEventReaderTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2008-2012 the original author or authors.
+ * Copyright 2008-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,20 +18,21 @@
 import java.util.NoSuchElementException;
 
 import javax.xml.stream.XMLEventReader;
-import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.events.XMLEvent;
 
 import junit.framework.TestCase;
 
 import org.springframework.batch.item.xml.EventHelper;
+import org.springframework.batch.item.xml.StaxUtils;
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.core.io.Resource;
 
 /**
  * Tests for {@link DefaultFragmentEventReader}.
  * 
  * @author Robert Kasanicky
+ * @author Mahmoud Ben Hassine
  */
 public class DefaultFragmentEventReaderTests extends TestCase {
 
@@ -50,7 +51,7 @@ public class DefaultFragmentEventReaderTests extends TestCase {
     @Override
 	protected void setUp() throws Exception {
 		Resource input = new ByteArrayResource(xml.getBytes());
-		eventReader = XMLInputFactory.newInstance().createXMLEventReader(
+		eventReader = StaxUtils.createXmlInputFactory().createXMLEventReader(
 				input.getInputStream());
 		fragmentReader = new DefaultFragmentEventReader(eventReader);
 	}
