xmlbeans/CVE-2021-23926-2.patch

From a2604e07eeb04bd9a88f8624c3b8efd57b88237c Mon Sep 17 00:00:00 2001
From: PJ Fanning <fanningpj@apache.org>
Date: Sun, 10 Jun 2018 10:38:41 +0000
Subject: [PATCH 2/2] use safe XML parsers

git-svn-id: https://svn.apache.org/repos/asf/xmlbeans/trunk@1833263 13f79535-47bb-0310-9956-ffa450edef68
---
 .../xmlbeans/impl/common/StaxHelper.java      | 78 +++++++++++++++++++
 .../impl/tool/StreamInstanceValidator.java    |  3 +-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 src/common/org/apache/xmlbeans/impl/common/StaxHelper.java

diff --git a/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java b/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java
new file mode 100644
index 00000000..b6a960ca
--- /dev/null
+++ b/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java
@@ -0,0 +1,78 @@
+/*   Copyright 2017, 2018 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.common;
+
+import javax.xml.stream.XMLEventFactory;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLOutputFactory;
+
+
+/**
+ * Provides handy methods for working with StAX parsers and readers
+ */
+public final class StaxHelper {
+    private static final XBLogger logger = XBLogFactory.getLogger(StaxHelper.class);
+
+    private StaxHelper() {}
+
+    /**
+     * Creates a new StAX XMLInputFactory, with sensible defaults
+     */
+    public static XMLInputFactory newXMLInputFactory() {
+        XMLInputFactory factory = XMLInputFactory.newFactory();
+        trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
+        trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
+        trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
+        trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        return factory;
+    }
+
+    /**
+     * Creates a new StAX XMLOutputFactory, with sensible defaults
+     */
+    public static XMLOutputFactory newXMLOutputFactory() {
+        XMLOutputFactory factory = XMLOutputFactory.newFactory();
+        trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
+        return factory;
+    }
+
+    /**
+     * Creates a new StAX XMLEventFactory, with sensible defaults
+     */
+    public static XMLEventFactory newXMLEventFactory() {
+        return XMLEventFactory.newFactory();
+    }
+            
+    private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
+        try {
+            factory.setProperty(feature, flag);
+        } catch (Exception e) {
+            logger.log(XBLogger.WARN, "StAX Property unsupported", feature, e);
+        } catch (AbstractMethodError ame) {
+            logger.log(XBLogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+        }
+    }
+
+    private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) {
+        try {
+            factory.setProperty(feature, flag);
+        } catch (Exception e) {
+            logger.log(XBLogger.WARN, "StAX Property unsupported", feature, e);
+        } catch (AbstractMethodError ame) {
+            logger.log(XBLogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+        }
+    }
+}
diff --git a/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java b/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
index e6463f51..28d97318 100644
--- a/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
+++ b/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
@@ -21,6 +21,7 @@ import org.apache.xmlbeans.XmlException;
 import org.apache.xmlbeans.XmlObject;
 import org.apache.xmlbeans.XmlOptions;
 import org.apache.xmlbeans.XmlError;
+import org.apache.xmlbeans.impl.common.StaxHelper;
 import org.apache.xmlbeans.impl.validator.ValidatingXMLStreamReader;
 
 import javax.xml.stream.XMLInputFactory;
@@ -39,7 +40,7 @@ import java.util.HashSet;
 
 public class StreamInstanceValidator
 {
-    private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+    private static final XMLInputFactory XML_INPUT_FACTORY = StaxHelper.newXMLInputFactory();
 
     public static void printUsage()
     {
-- 
2.23.0