Pull request #3800: KERNEL-6368【代码检测】XML注入(XML External Entity Injection)

Merge in DESIGN/design from ~VITO/c-design:KERNEL-6368 to bugfix/10.0

* commit 'be0850e46a6bd224fade40fed6f5ba853f9e8093':
  KERNEL-6368【代码检测】XML注入(XML External Entity Injection)

designer-base/src/main/java/com/fr/design/gui/autocomplete/DefaultCompletionProvider.java

@@ -24,7 +24,11 @@ import javax.swing.text.Segment;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
+
+import com.fr.log.FineLoggerFactory;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 
 /**
@@ -81,10 +85,10 @@ public class DefaultCompletionProvider extends AbstractCompletionProvider {
     /**
      * Returns the text just before the current caret position that could be
      * the start of something auto-completable.<p>
-	 *
+     * <p>
      * This method returns all characters before the caret that are matched
      * by  {@link #isValidChar(char)}.
-	 *
+     * <p>
      * {@inheritDoc}
      */
     public String getAlreadyEnteredText(JTextComponent comp) {
@@ -314,6 +318,15 @@ public class DefaultCompletionProvider extends AbstractCompletionProvider {
         //long start = System.currentTimeMillis();
 
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        try {
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        } catch (ParserConfigurationException | SAXNotSupportedException | SAXNotRecognizedException e) {
+            FineLoggerFactory.getLogger().warn(e.getMessage(), e);
+        }
+
         factory.setValidating(true);
         CompletionXMLParser handler = new CompletionXMLParser(this, cl);
         BufferedInputStream bin = new BufferedInputStream(in);
@@ -357,8 +370,7 @@ public class DefaultCompletionProvider extends AbstractCompletionProvider {
             File file = new File(resource);
             if (file.isFile()) {
                 in = new FileInputStream(file);
-			}
-			else {
+            } else {
                 throw new IOException("No such resource: " + resource);
             }
         }

designer-base/src/main/java/com/fr/design/gui/syntax/ui/rsyntaxtextarea/SyntaxScheme.java

@@ -624,6 +624,10 @@ public class SyntaxScheme implements Cloneable, TokenTypes {
 			SyntaxSchemeLoader parser = null;
 			try {
 				XMLReader reader = XMLReaderFactory.createXMLReader();
+				reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+				reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+				reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+				reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 				parser = new SyntaxSchemeLoader(baseFont);
 				parser.baseFont = baseFont;
 				reader.setContentHandler(parser);

designer-base/src/main/java/com/fr/design/gui/syntax/ui/rsyntaxtextarea/Theme.java

@@ -22,6 +22,7 @@ import java.lang.reflect.Field;
 import javax.swing.UIManager;
 import javax.swing.plaf.ColorUIResource;
 import javax.swing.text.StyleContext;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.SAXParser;
@@ -493,6 +494,8 @@ public class Theme {
 			StreamResult result = new StreamResult(new PrintWriter(
 					new UnicodeWriter(bout, "UTF-8")));
 			TransformerFactory transFac = TransformerFactory.newInstance();
+			transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+			transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 			Transformer transformer = transFac.newTransformer();
 			transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 			transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -580,8 +583,12 @@ public class Theme {
 
 	    public static void load(Theme theme, InputStream in) throws IOException {
 			SAXParserFactory spf = SAXParserFactory.newInstance();
-			spf.setValidating(true);
 			try {
+				spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+				spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+				spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+				spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+				spf.setValidating(true);
 				SAXParser parser = spf.newSAXParser();
 				XMLReader reader = parser.getXMLReader();
 				XmlHandler handler = new XmlHandler();

designer-base/src/main/java/com/fr/design/gui/syntax/ui/rtextarea/Macro.java

@@ -14,6 +14,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.*;
 import javax.xml.transform.*;
 import javax.xml.transform.dom.*;
@@ -94,6 +95,11 @@ public class Macro {
 		DocumentBuilder db = null;
 		Document doc = null;
 		try {
+			dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			dbf.setXIncludeAware(false);
 			db = dbf.newDocumentBuilder();
 			//InputSource is = new InputSource(new FileReader(file));
 			InputSource is = new InputSource(new UnicodeReader(
@@ -374,6 +380,8 @@ public class Macro {
 			StreamResult result = new StreamResult(new File(fileName));
 			DOMSource source = new DOMSource(doc);
 			TransformerFactory transFac = TransformerFactory.newInstance();
+			transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+			transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 			Transformer transformer = transFac.newTransformer();
 			transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 			transformer.setOutputProperty(OutputKeys.ENCODING, FILE_ENCODING);

designer-base/src/main/java/com/fr/start/server/FineEmbedServerActivator.java

@@ -12,6 +12,7 @@ import com.fr.third.springframework.web.context.support.AnnotationConfigWebAppli
 import com.fr.workspace.WorkContext;
 import org.apache.catalina.Context;
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Wrapper;
 import org.apache.catalina.loader.WebappLoader;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.webresources.StandardRoot;
@@ -73,6 +74,10 @@ public class FineEmbedServerActivator extends Activator {
         String contextPath = "/" + ProductConstants.getAppFolderName();
         final Context context = tomcat.addContext(contextPath, docBase);
         context.setResources(new StandardRoot(context));
+        Wrapper servlet = Tomcat.addServlet(context, "DruidStatView", "com.fr.third.alibaba.druid.support.http.StatViewServlet");
+        context.addServletMappingDecoded("/druid/*", "DruidStatView");
+        servlet.setLoadOnStartup(1);
+        servlet.setOverridable(true);
         Tomcat.initWebappDefaults(context);
         //覆盖tomcat的WebAppClassLoader
         context.setLoader(new FRTomcatLoader());