_lastRecord = rec;
}
+ @SuppressWarnings({"squid:S2068"})
public RecordInputStream createDecryptingStream(InputStream original) {
String userPassword = Biff8EncryptionKey.getCurrentUserPassword();
if (userPassword == null) {
* if false the n-1 hash value is applied first
* @return the hashed password
*/
+ @SuppressWarnings({"squid:S2068"})
public static byte[] hashPassword(String password, HashAlgorithm hashAlgorithm, byte[] salt, int spinCount, boolean iteratorFirst) {
// If no password was given, use the default
if (password == null) {
import org.apache.poi.util.GenericRecordUtil;
public abstract class Decryptor implements Cloneable, GenericRecord {
+ @SuppressWarnings({"squid:S2068"})
public static final String DEFAULT_PASSWORD="VelvetSweatshop";
public static final String DEFAULT_POIFS_ENTRY="EncryptedPackage";
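Review bot: The `squid:S2068` suppression on `DEFAULT_PASSWORD` is left without a justification, so a reader or the next Sonar triage cannot tell whether a hard-coded credential is being knowingly accepted or quietly hidden. The constant is the fallback applied when a document carries no user password (the `userPassword == null` / `password == null` branches in the other hunks of this commit), i.e. a fixed, well-known default rather than a secret, and that is the reason the rule does not apply here. Say so next to the annotation, e.g. `// Not a secret: fixed default password applied when a document has no user password, so the hard-coded-credential rule (S2068) does not apply.` The same one-line justification belongs beside the suppressions added to `createDecryptingStream` and `hashPassword`, which only inherit their meaning from this constant.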
package org.apache.poi.util;
+import java.util.function.Consumer;
+
import javax.xml.stream.XMLEventFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;
public final class StaxHelper {
private static final POILogger logger = POILogFactory.getLogger(StaxHelper.class);
- private StaxHelper() {}
+ private StaxHelper() {
+ }
/**
* Creates a new StAX XMLInputFactory, with sensible defaults
*/
+ @SuppressWarnings({"squid:S2755"})
public static XMLInputFactory newXMLInputFactory() {
XMLInputFactory factory = XMLInputFactory.newInstance();
- trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
- trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
- trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
- trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ trySet(XMLInputFactory.IS_NAMESPACE_AWARE, (n) -> factory.setProperty(n, true));
+ trySet(XMLInputFactory.IS_VALIDATING, (n) -> factory.setProperty(n, false));
+ trySet(XMLInputFactory.SUPPORT_DTD, (n) -> factory.setProperty(n, false));
+ trySet(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, (n) -> factory.setProperty(n, false));
return factory;
}
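Review bot: The `squid:S2755` suppression on `newXMLInputFactory` is not explained, and the Javadoc still says only "sensible defaults" although the body is now the XXE mitigation that justifies suppressing the rule. State the intent where the suppression sits, e.g. `// S2755 (XXE): SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES are disabled below; properties a StAX implementation rejects are only logged.` That last clause matters: `trySet` catches the exception and logs at WARN, so on an outdated or non-compliant StAX implementation the factory is returned with the parser's defaults for the rejected property and the caller gets no signal that hardening is partial. If that best-effort behaviour is intended, the Javadoc should say it; if not, rejection of the two entity-related properties should fail factory creation rather than warn.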
*/
public static XMLOutputFactory newXMLOutputFactory() {
XMLOutputFactory factory = XMLOutputFactory.newInstance();
- trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
+ trySet(XMLOutputFactory.IS_REPAIRING_NAMESPACES, (n) -> factory.setProperty(n, true));
return factory;
}
// this method seems safer on Android than getFactory()
return XMLEventFactory.newInstance();
}
-
- private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
- try {
- factory.setProperty(feature, flag);
- } catch (Exception e) {
- logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
- } catch (AbstractMethodError ame) {
- logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
- }
- }
- private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) {
+ private static void trySet(String name, Consumer<String> securityFeature) {
try {
- factory.setProperty(feature, flag);
+ securityFeature.accept(name);
} catch (Exception e) {
- logger.log(POILogger.WARN, "StAX Property unsupported", feature, e);
+ logger.log(POILogger.WARN, "StAX Property unsupported", name, e);
} catch (AbstractMethodError ame) {
- logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+ logger.log(POILogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", name, ame);
}
}
}
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
/**
* Helper methods for working with javax.xml classes.
*/
-public final class XMLHelper
-{
+public final class XMLHelper {
private static POILogger logger = POILogFactory.getLogger(XMLHelper.class);
-
+
+ @FunctionalInterface
+ private interface SecurityFeature {
+ void accept(String name) throws ParserConfigurationException;
+ }
+
/**
* Creates a new DocumentBuilderFactory, with sensible defaults
+ *
+ * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">OWASP XXE</a>
*/
+ @SuppressWarnings({"squid:S2755"})
public static DocumentBuilderFactory getDocumentBuilderFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setExpandEntityReferences(false);
- trySetSAXFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
- trySetSAXFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
- trySetSAXFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
- trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- trySetSAXFeature(factory, "http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+ trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
+ trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setAttribute(n, ""));
+ trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setAttribute(n, ""));
+ trySet("http://xml.org/sax/features/external-general-entities", (n) -> factory.setFeature(n, false));
+ trySet("http://xml.org/sax/features/external-parameter-entities", (n) -> factory.setFeature(n, false));
+ trySet("http://apache.org/xml/features/nonvalidating/load-external-dtd", (n) -> factory.setFeature(n, false));
+ trySet("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", (n) -> factory.setFeature(n, false));
+ trySet("http://apache.org/xml/features/disallow-doctype-decl", (n) -> factory.setFeature(n, true));
+ trySet("XIncludeAware", (n) -> factory.setXIncludeAware(false));
return factory;
}
-
- private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
+
+ private static void trySet(String name, SecurityFeature feature) {
try {
- documentBuilderFactory.setFeature(feature, enabled);
+ feature.accept(name);
} catch (Exception e) {
- logger.log(POILogger.WARN, "SAX Feature unsupported", feature, e);
+ logger.log(POILogger.WARN, "SAX Feature unsupported", name, e);
} catch (AbstractMethodError ame) {
- logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+ logger.log(POILogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", name, ame);
}
}
-
-
}
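Review bot: Every hardening step in `getDocumentBuilderFactory` is best-effort: when a feature or attribute is rejected, `trySet`'s catch blocks log at WARN and the factory is still returned with the parser's default for that setting, so a caller cannot tell that XXE protection is partial. Consider failing factory creation when the settings that actually stop entity expansion (`external-general-entities`, `external-parameter-entities`, `disallow-doctype-decl`) cannot be applied, or at least document the contract in the Javadoc: `* Hardening is best-effort: a feature the underlying parser rejects is logged at WARN and left at the parser's default.` Separately, `disallow-doctype-decl=true` makes the parser throw on any document that contains a DOCTYPE instead of merely ignoring its external entities, which is a behaviour change for inputs that previously parsed; worth a test with a DOCTYPE-bearing part if none exists. The `@see` link to the OWASP cheat sheet is a good addition and is where the chosen features are taken from.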
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
+import org.apache.poi.ooxml.util.DocumentHelper;
import org.apache.poi.ooxml.util.TransformerHelper;
import org.apache.poi.ss.usermodel.CellType;
import org.apache.poi.ss.usermodel.DateUtil;
-import org.apache.poi.ooxml.util.DocumentHelper;
import org.apache.poi.util.LocaleUtil;
import org.apache.poi.util.POILogFactory;
import org.apache.poi.util.POILogger;
public class XSSFExportToXml implements Comparator<String>{
private static final POILogger LOG = POILogFactory.getLogger(XSSFExportToXml.class);
+
+ @FunctionalInterface
+ private interface SecurityFeature {
+ void accept(String name) throws SAXException;
+ }
+
+
private XSSFMap map;
private final HashMap<String, Integer> indexMap = new HashMap<>();
/**
* @return true, if document is valid
* @throws SAXException If validating the document fails
*/
+ @SuppressWarnings({"squid:S2755"})
private boolean isValid(Document xml) throws SAXException{
try {
- String language = "http://www.w3.org/2001/XMLSchema";
- SchemaFactory factory = SchemaFactory.newInstance(language);
- trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+ trySet(XMLConstants.FEATURE_SECURE_PROCESSING, (n) -> factory.setFeature(n, true));
+ trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> factory.setProperty(n,""));
+ trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> factory.setProperty(n,""));
Source source = new DOMSource(map.getSchema());
Schema schema = factory.newSchema(source);
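Review bot: Hardening the `SchemaFactory` may not carry over to the `Validator` that `isValid` presumably obtains from `schema.newValidator()` further down: `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` are per-object properties and the Validator exposes its own, which the OWASP cheat sheet linked elsewhere in this commit recommends setting as well. The remainder of `isValid` lies outside this hunk, so I cannot see whether that is already done; if not, add after creating it `trySet(XMLConstants.ACCESS_EXTERNAL_DTD, (n) -> validator.setProperty(n, ""));` and `trySet(XMLConstants.ACCESS_EXTERNAL_SCHEMA, (n) -> validator.setProperty(n, ""));`, reusing the helper introduced here. That would also make the method-level `squid:S2755` suppression cover the whole validation path rather than only the factory.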
return complexTypeNode;
}
- private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) {
+ private static void trySet(String name, SecurityFeature securityFeature) {
try {
- sf.setFeature(feature, enabled);
+ securityFeature.accept(name);
} catch (Exception e) {
- LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e);
+ LOG.log(POILogger.WARN, "SchemaFactory feature unsupported", name, e);
} catch (AbstractMethodError ame) {
- LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame);
+ LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", name, ame);
}
}
}
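Review bot: This `trySet` is the third copy of the same helper in this commit (StaxHelper and XMLHelper carry the other two), differing only in the checked exception the `SecurityFeature` interface declares and in the wording of the log messages. Since the body catches `Exception` anyway, one shared helper whose interface declares `void accept(String name) throws Exception` would serve all three call sites and keep the warning handling, including the `AbstractMethodError` branch for outdated parsers, in a single place; `org.apache.poi.util.XMLHelper` is the natural home. If it stays local, the `SecurityFeature` interface could be declared directly above this method rather than after the logger field so that the two are read together, and the doubled blank line after it can go.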