
KERNEL-6368【代码检测】XML注入(XML External Entity Injection)

bugfix/10.0
vito 3 years ago
parent
commit
be0850e46a
  1. 20
      designer-base/src/main/java/com/fr/design/gui/autocomplete/DefaultCompletionProvider.java
  2. 4
      designer-base/src/main/java/com/fr/design/gui/syntax/ui/rsyntaxtextarea/SyntaxScheme.java
  3. 9
      designer-base/src/main/java/com/fr/design/gui/syntax/ui/rsyntaxtextarea/Theme.java
  4. 8
      designer-base/src/main/java/com/fr/design/gui/syntax/ui/rtextarea/Macro.java
  5. 5
      designer-base/src/main/java/com/fr/start/server/FineEmbedServerActivator.java

20
designer-base/src/main/java/com/fr/design/gui/autocomplete/DefaultCompletionProvider.java

@ -24,7 +24,11 @@ import javax.swing.text.Segment;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory; import javax.xml.parsers.SAXParserFactory;
import com.fr.log.FineLoggerFactory;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
/** /**
@ -81,10 +85,10 @@ public class DefaultCompletionProvider extends AbstractCompletionProvider {
/** /**
* Returns the text just before the current caret position that could be * Returns the text just before the current caret position that could be
* the start of something auto-completable.<p> * the start of something auto-completable.<p>
* * <p>
* This method returns all characters before the caret that are matched * This method returns all characters before the caret that are matched
* by {@link #isValidChar(char)}. * by {@link #isValidChar(char)}.
* * <p>
* {@inheritDoc} * {@inheritDoc}
*/ */
public String getAlreadyEnteredText(JTextComponent comp) { public String getAlreadyEnteredText(JTextComponent comp) {
@ -314,6 +318,15 @@ public class DefaultCompletionProvider extends AbstractCompletionProvider {
//long start = System.currentTimeMillis(); //long start = System.currentTimeMillis();
SAXParserFactory factory = SAXParserFactory.newInstance(); SAXParserFactory factory = SAXParserFactory.newInstance();
try {
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
} catch (ParserConfigurationException | SAXNotSupportedException | SAXNotRecognizedException e) {
FineLoggerFactory.getLogger().warn(e.getMessage(), e);
}
factory.setValidating(true); factory.setValidating(true);
CompletionXMLParser handler = new CompletionXMLParser(this, cl); CompletionXMLParser handler = new CompletionXMLParser(this, cl);
BufferedInputStream bin = new BufferedInputStream(in); BufferedInputStream bin = new BufferedInputStream(in);
@ -357,8 +370,7 @@ public class DefaultCompletionProvider extends AbstractCompletionProvider {
File file = new File(resource); File file = new File(resource);
if (file.isFile()) { if (file.isFile()) {
in = new FileInputStream(file); in = new FileInputStream(file);
} } else {
else {
throw new IOException("No such resource: " + resource); throw new IOException("No such resource: " + resource);
} }
} }
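Review bot: `factory.setValidating(true)` at L55 is kept while the new block at L48 sets `disallow-doctype-decl` on the same factory; DTD validation needs a DOCTYPE, so a completion file that declares one now fails to parse and one that does not has nothing to validate against — one of the two settings should go. If validation is required, drop the DOCTYPE ban, keep the three external-entity/DTD-loading features off and add `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` as the portable baseline; otherwise drop `setValidating(true)`. The catch at L52–L53 only logs, so on a SAX implementation that does not recognise the Xerces feature URIs the parse proceeds with an unhardened parser; it would be safer to fail closed, e.g. `throw new IllegalStateException("cannot configure a safe XML parser", e);`. The enclosing method starts and ends outside the hunk.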

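--- a/designer-base/src/main/java/com/fr/design/gui/syntax/ui/rsyntaxtextarea/SyntaxScheme.java
+++ b/designer-base/src/main/java/com/fr/design/gui/syntax/ui/rsyntaxtextarea/SyntaxScheme.java
@@ -624,6 +624,10 @@ public class SyntaxScheme implements Cloneable, TokenTypes {
 SyntaxSchemeLoader parser = null;
 try {
 XMLReader reader = XMLReaderFactory.createXMLReader();
+reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 parser = new SyntaxSchemeLoader(baseFont);
 parser.baseFont = baseFont;
 reader.setContentHandler(parser);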
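Review bot: The four `setFeature` calls at L75–L78 use Xerces-specific feature URIs; on another SAX implementation they throw `SAXNotRecognizedException`, and whether that aborts the load or is merely logged depends on the catch of the `try` opened at L73, which is outside the hunk. Adding `reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` before them gives a baseline that JAXP requires implementations to honour, and the handler should treat a failure to apply any of the hardening as fatal rather than parse anyway. `XMLReaderFactory` at L74 has been deprecated since Java 9; `SAXParserFactory.newInstance().newSAXParser().getXMLReader()` is the supported way to obtain a reader and accepts the same features. The enclosing method starts and ends outside the hunk.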

9
designer-base/src/main/java/com/fr/design/gui/syntax/ui/rsyntaxtextarea/Theme.java

@ -22,6 +22,7 @@ import java.lang.reflect.Field;
import javax.swing.UIManager; import javax.swing.UIManager;
import javax.swing.plaf.ColorUIResource; import javax.swing.plaf.ColorUIResource;
import javax.swing.text.StyleContext; import javax.swing.text.StyleContext;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParser;
@ -493,6 +494,8 @@ public class Theme {
StreamResult result = new StreamResult(new PrintWriter( StreamResult result = new StreamResult(new PrintWriter(
new UnicodeWriter(bout, "UTF-8"))); new UnicodeWriter(bout, "UTF-8")));
TransformerFactory transFac = TransformerFactory.newInstance(); TransformerFactory transFac = TransformerFactory.newInstance();
transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = transFac.newTransformer(); Transformer transformer = transFac.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@ -580,8 +583,12 @@ public class Theme {
public static void load(Theme theme, InputStream in) throws IOException { public static void load(Theme theme, InputStream in) throws IOException {
SAXParserFactory spf = SAXParserFactory.newInstance(); SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setValidating(true);
try { try {
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
spf.setValidating(true);
SAXParser parser = spf.newSAXParser(); SAXParser parser = spf.newSAXParser();
XMLReader reader = parser.getXMLReader(); XMLReader reader = parser.getXMLReader();
XmlHandler handler = new XmlHandler(); XmlHandler handler = new XmlHandler();
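Review bot: `load` (L104) now sets `disallow-doctype-decl` at L108 and `spf.setValidating(true)` at L112 on the same factory; DTD validation needs a DOCTYPE, so a theme file that declares one is rejected and one that does not has nothing to validate against. Either drop L112 and keep the DOCTYPE ban, or keep validation and replace L108 with `spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` while leaving the three external-entity/DTD-loading features off — `XMLConstants` is already imported at L90. The `try` opened at L107 continues past the hunk, so it is not visible whether a `SAXNotRecognizedException` from these calls aborts the load or is only logged; it should abort rather than parse with a partially hardened parser.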

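--- a/designer-base/src/main/java/com/fr/design/gui/syntax/ui/rtextarea/Macro.java
+++ b/designer-base/src/main/java/com/fr/design/gui/syntax/ui/rtextarea/Macro.java
@@ -14,6 +14,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.*;
 import javax.xml.transform.*;
 import javax.xml.transform.dom.*;
@@ -94,6 +95,11 @@ public class Macro {
 DocumentBuilder db = null;
 Document doc = null;
 try {
+dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+dbf.setXIncludeAware(false);
 db = dbf.newDocumentBuilder();
 //InputSource is = new InputSource(new FileReader(file));
 InputSource is = new InputSource(new UnicodeReader(
@@ -374,6 +380,8 @@ public class Macro {
 StreamResult result = new StreamResult(new File(fileName));
 DOMSource source = new DOMSource(doc);
 TransformerFactory transFac = TransformerFactory.newInstance();
+transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+transFac.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transFac.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty(OutputKeys.ENCODING, FILE_ENCODING);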
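Review bot: The `dbf` hardening at L132–L136 disables external entities, external DTD loading and XInclude but leaves entity expansion on; add `dbf.setExpandEntityReferences(false);` and `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (the import at L124 is already there) so that expansion stays bounded even where one of the Xerces-specific feature URIs is not recognised or the DOCTYPE ban later has to be relaxed. Because `disallow-doctype-decl` is now set, any previously saved macro file that carries a DOCTYPE will fail to load; if such files exist, that first feature is the one to drop, since the remaining ones carry the XXE protection. The `try` at L131 and the catch that decides whether a failed `setFeature` is fatal lie outside the hunk; it should be fatal rather than falling through to `newDocumentBuilder()` with a partially configured factory.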

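--- a/designer-base/src/main/java/com/fr/start/server/FineEmbedServerActivator.java
+++ b/designer-base/src/main/java/com/fr/start/server/FineEmbedServerActivator.java
@@ -12,6 +12,7 @@ import com.fr.third.springframework.web.context.support.AnnotationConfigWebAppli
 import com.fr.workspace.WorkContext;
 import org.apache.catalina.Context;
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Wrapper;
 import org.apache.catalina.loader.WebappLoader;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.webresources.StandardRoot;
@@ -73,6 +74,10 @@ public class FineEmbedServerActivator extends Activator {
 String contextPath = "/" + ProductConstants.getAppFolderName();
 final Context context = tomcat.addContext(contextPath, docBase);
 context.setResources(new StandardRoot(context));
+Wrapper servlet = Tomcat.addServlet(context, "DruidStatView", "com.fr.third.alibaba.druid.support.http.StatViewServlet");
+context.addServletMappingDecoded("/druid/*", "DruidStatView");
+servlet.setLoadOnStartup(1);
+servlet.setOverridable(true);
 Tomcat.initWebappDefaults(context);
 //覆盖tomcat的WebAppClassLoader
 context.setLoader(new FRTomcatLoader());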
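Review bot: Lines L165–L168 register Druid's `StatViewServlet` on `/druid/*` in the embedded Tomcat with no `allow`/`deny` or `loginUsername`/`loginPassword` init parameters, so — unless they are supplied somewhere not visible here — the monitoring pages, which expose data-source URLs and executed SQL, are served to anyone who can reach the designer's listening port. Restrict it before it ships, e.g. `servlet.addInitParameter("allow", "127.0.0.1");` together with `loginUsername`/`loginPassword` taken from configuration rather than hard-coded, or register the servlet only behind a debug flag. This addition is also unrelated to the XXE fix named in the commit title and would be easier to audit as its own commit. The enclosing method starts and ends outside the hunk.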
