Fix external links in XSLT transforms (#948)
* Fix XXE issue

* Use release version of core
dotasek authored Aug 27, 2024
1 parent b5f2954 commit e5db459
Showing 6 changed files with 43 additions and 6 deletions.
6 changes: 6 additions & 0 deletions org.hl7.fhir.publisher.core/pom.xml
Expand Up @@ -147,6 +147,12 @@
<version>1.18.32</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
<version>3.22.0</version>
<scope>test</scope>
</dependency>
<!-- TODO, figure out why this causes issues -->
<!-- <dependency>-->
<!-- <groupId>org.eclipse.jgit</groupId>-->
Expand Up @@ -46,7 +46,7 @@ public void warning(TransformerException arg0) throws TransformerException {


public byte[] transform(byte[] source, byte[] xslt) throws TransformerException {
TransformerFactory f = TransformerFactory.newInstance();
TransformerFactory f = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
f.setErrorListener(new MyErrorListener());
StreamSource xsrc = new StreamSource(new ByteArrayInputStream(xslt));
Transformer t = f.newTransformer(xsrc);
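Review bot: The hardened factory now governs how `xsrc` (the stylesheet) and, judging by the new test, the source document are parsed, but a stylesheet supplied through the `xslt` parameter can still reach out to external resources via `document()`, `xsl:include` and `xsl:import` unless the helper also sets `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` (and `ACCESS_EXTERNAL_DTD`) to `""`; what `newXXEProtectedTransformerFactory()` actually configures is not visible in this commit, and the only new test exercises a DTD entity in the source document. If the stylesheet bytes can ever come from outside the build, I would add a second test feeding a stylesheet with `<xsl:include href="file:///...">` and asserting it is rejected, so that the stylesheet side of the fix is pinned as well. A point of style: the fully qualified call reads awkwardly in the middle of the method; an `import org.hl7.fhir.utilities.xml.XMLUtil;` at the top and `TransformerFactory f = XMLUtil.newXXEProtectedTransformerFactory();` here would match how the rest of the class names its collaborators. transform()'s body continues past the end of the hunk.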
Expand Up @@ -816,7 +816,7 @@ private void release(String dest, String source, VersionDecision vd, SimpleDateF
}

private void saveXml(FileOutputStream stream) throws TransformerException, IOException {
TransformerFactory factory = TransformerFactory.newInstance();
TransformerFactory factory = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
Transformer transformer = factory.newTransformer();
Result result = new StreamResult(stream);
Source source = new DOMSource(rss);
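Review bot: The swap on this line hardens only the serialization step: `factory.newTransformer()` with no stylesheet yields an identity transformer and the input is a `DOMSource` over `rss`, an already-parsed tree, so there is no external entity left to resolve here. The spot that matters for XXE is wherever `rss` is parsed or built, which is outside this hunk; it is worth confirming that path also goes through the `XMLUtil` XXE-protected builders. The change is harmless and keeps factory construction uniform, so it can stay, but a one-line comment such as `// identity transform over an in-memory DOM; XXE-protected factory kept for uniformity with the parsers` would keep the next reader from assuming this was the vulnerable site. saveXml's body continues past the end of the hunk, and whether `stream` is closed by the caller cannot be seen from here.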
Expand Up @@ -541,7 +541,7 @@ private void release(String dest, String source, VersionDecision vd, SimpleDateF
}

private void saveXml(FileOutputStream stream) throws TransformerException, IOException {
TransformerFactory factory = TransformerFactory.newInstance();
TransformerFactory factory = org.hl7.fhir.utilities.xml.XMLUtil.newXXEProtectedTransformerFactory();
Transformer transformer = factory.newTransformer();
Result result = new StreamResult(stream);
Source source = new DOMSource(rss);
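Review bot: This `saveXml` is line-for-line the same method as the one patched at line 816 of the other release class in this commit, which is why the same one-line hardening had to be applied twice; a shared helper (for example a `static void writeDom(Document doc, OutputStream out)` alongside the existing `XMLUtil` factories) would mean the next XML hardening lands in one place. As in the sibling, the `DOMSource` over `rss` is already parsed, so the factory change here affects only serialization and the parse site of `rss` is where the XXE-protected builder needs to be checked. The rest of saveXml lies outside the hunk.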
@@ -1,8 +1,11 @@
package tests;

import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.assertj.core.api.Assertions.assertThat;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.transform.TransformerException;

Expand All @@ -12,17 +15,31 @@

public class XSLTransformerTest {
@Test
public void test() throws IOException, TransformerException {
public void testNormalTransformSucceeds() throws IOException, TransformerException {
byte[] source = getLineSeparatorNormalizedBytes("/xslt/unicom-index.xml");
byte[] transform = getLineSeparatorNormalizedBytes("/xslt/unicom-transform.xslt");

XSLTransformer XSLTransformer = new XSLTransformer(false);
byte[] actual = XSLTransformer.transform(source, transform);
XSLTransformer xslTransformer = new XSLTransformer(false);
byte[] actual = xslTransformer.transform(source, transform);
System.out.println(new String(actual, StandardCharsets.UTF_8));
byte[] expected = getLineSeparatorNormalizedBytes("/xslt/unicom-expected.xml");

assertArrayEquals(actual, expected);
}

@Test
void testEvilXMLThrowsException() throws IOException {
byte[] source = getLineSeparatorNormalizedBytes("/xslt/unicom-index-evil.xml");
byte[] transform = getLineSeparatorNormalizedBytes("/xslt/unicom-transform.xslt");

TransformerException exception = assertThrows(TransformerException.class, () -> {
XSLTransformer xslTransformer = new XSLTransformer(false);
xslTransformer.transform(source, transform);
} );

assertThat(exception.getMessage()).contains("External Entity");
}

private byte[] getLineSeparatorNormalizedBytes(String fileName) throws IOException {
return new String(IOUtils.toByteArray(this.getClass().getResource(fileName))).replace(System.lineSeparator(), "\n").getBytes();
}
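Review bot: `assertThat(exception.getMessage()).contains("External Entity")` ties the test to the exact wording of the JDK/Xalan error text, which varies across JDK versions and locales, and it is currently doing the real work: on a host without `/etc/passwd` an unprotected factory would also throw a `TransformerException` (file not found), so only the message text distinguishes "entity blocked" from "entity unreadable". A more robust shape is to point the entity at a file the test itself creates, so that a regression shows up as a successful transform leaking the content rather than as a differently worded exception, and to keep the message check at most as a secondary hint. The rewrite below needs `java.nio.file.Files` and `Path` imports (use `Files.write` if the module still targets Java 8) and assumes the stylesheet does not object to the entity's content; `getLineSeparatorNormalizedBytes` on the context line also decodes and re-encodes with the platform charset, which predates this commit but is worth switching to `StandardCharsets.UTF_8` while the file is open. Minor: the new test is package-private `void` while `testNormalTransformSucceeds` is `public` — pick one convention for the class.

```java
@Test
void testEvilXMLThrowsException() throws IOException {
  Path secret = Files.createTempFile("xxe", ".txt");
  Files.writeString(secret, "SECRET");
  // Re-target the fixture's entity at a file that certainly exists, so a
  // missing /etc/passwd cannot mask a broken XXE guard.
  byte[] source = new String(getLineSeparatorNormalizedBytes("/xslt/unicom-index-evil.xml"), StandardCharsets.UTF_8)
      .replace("/etc/passwd", secret.toUri().toString())
      .getBytes(StandardCharsets.UTF_8);
  byte[] transform = getLineSeparatorNormalizedBytes("/xslt/unicom-transform.xslt");

  assertThrows(TransformerException.class,
      () -> new XSLTransformer(false).transform(source, transform));
  // … unchanged: optional message assertion, getLineSeparatorNormalizedBytes …
}
```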
@@ -0,0 +1,14 @@
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>

<div xmlns="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://hl7.org/fhir" lang="en">
<data value="">&example;</data>
<a name="scope"> </a>
<p>
This is FHIR Implementation Guide for UNICOM project, created to assist work with pilot product list product data in FHIR.
</p>

<p>
The specification herewith documented is a demo working specification, and may not be used for any implementation purposes.
No liability can be inferred from the use or misuse of this specification, or its consequences.
</p>
</div>
