Sast issue fix 1.0 (#294)
* adding property to xmlreader of lemminx

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* using streamsource in xmleventreader of lemminx

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* using access external dtd property as not allowed in xmleventreader of lemminx

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* adding property to xmlreader of lemminx

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* using access external dtd property as not allowed in xmleventreader of lemminx

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* using access external dtd property as not allowed in xmleventreader of lemminx

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* using access external schema property

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* reader moved to private method

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* reader moved to private method

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* reader moved to private method

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* reader moved to private

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* removing try with resources

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* moving readelementvalues reader to private method

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* moving readelementvalues reader to private method

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* moving readelementvalues reader to private method

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* incorporating review comments

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

* incorporating review comments

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>

---------

Signed-off-by: Arun Venmany <Arun.Kumar.V.N@ibm.com>
arunvenmany-ibm authored Aug 7, 2024
1 parent 9c600b3 commit 656e5a8
Showing 3 changed files with 114 additions and 58 deletions.
Expand Up @@ -80,13 +80,21 @@ public static void writeDocToXmlFile(Document doc, File inputFile) throws Except
transformer.setOutputProperty(OutputKeys.DOCTYPE_PUBLIC, "yes");
doc.setXmlStandalone(true);
DOMSource source = new DOMSource(doc);
StreamResult file = new StreamResult(new OutputStreamWriter(new FileOutputStream(inputFile), "UTF-8"));
transformer.transform(source, file);
try {
StreamResult file = new StreamResult(new OutputStreamWriter(new FileOutputStream(inputFile), "UTF-8"));
transformer.transform(source, file);
} catch (Exception ex) {
LOGGER.warning("Received exception during post processing of schema file " + inputFile.getAbsolutePath() + " : " + ex.getMessage());
}
}

private static TransformerFactory getTransformerFactory() throws TransformerConfigurationException {
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
// XMLConstants.ACCESS_EXTERNAL_DTD uses an empty string to deny all access to external references;
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
// XMLConstants.ACCESS_EXTERNAL_STYLESHEET uses an empty string to deny all access to external references;
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
return transformerFactory;
}
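Review bot: The `OutputStreamWriter`/`FileOutputStream` created inside the new `try` in `writeDocToXmlFile` is never closed in the visible lines, so the file handle stays open and buffered output may go unflushed when `transform` throws. Opening the writer as a resource would close it on every path: `try (Writer out = new OutputStreamWriter(new FileOutputStream(inputFile), StandardCharsets.UTF_8)) { transformer.transform(source, new StreamResult(out)); }`. The added `catch (Exception ex)` also reduces a failed write to a warning carrying only `ex.getMessage()`, so a caller of a method still declared to throw cannot tell a truncated schema file from a successful write. Rethrowing after logging, or passing `ex` to the logger, would keep that signal. The method body starts outside this hunk.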

Expand Up @@ -25,6 +25,7 @@
import java.util.Set;
import java.util.logging.Logger;

import javax.xml.XMLConstants;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
Expand All @@ -50,38 +51,50 @@ public static boolean hasServerRoot(Path filePath) {
return hasServerRoot(filePath.toFile());
}

public static boolean hasServerRoot(File xmlFile) {
private static boolean hasServerRoot(File xmlFile) {
if (!xmlFile.exists() || xmlFile.length() == 0) {
return false;
}

try {
XMLInputFactory factory = getXmlInputFactory();
return hasSeverRootValues(factory,xmlFile);
} catch (Exception e) {
LOGGER.severe("Unable to access XML file "+ xmlFile.getAbsolutePath());
}

XMLEventReader reader = null;
return false;
}

try (FileInputStream fis = new FileInputStream(xmlFile)) {
reader = factory.createXMLEventReader(fis);
while (reader.hasNext()) {
XMLEvent nextEvent = reader.nextEvent();
if (nextEvent.isStartElement()) {
return isServerElement(nextEvent);
}
private static boolean hasSeverRootValues(XMLInputFactory factory, File xmlFile) {
XMLEventReader reader=null;
FileInputStream fis = null;
try {
fis = new FileInputStream(xmlFile);

reader = factory.createXMLEventReader(fis);
while (reader.hasNext()) {
XMLEvent nextEvent = reader.nextEvent();
if (nextEvent.isStartElement()) {
return isServerElement(nextEvent);
}
} catch (XMLStreamException | FileNotFoundException e) {
LOGGER.severe("Error received trying to read XML file: " + xmlFile.getAbsolutePath());
} finally {
if (reader != null) {
try {
reader.close();
} catch (Exception ignored) {
}
}
} catch (XMLStreamException | FileNotFoundException e) {
LOGGER.severe("Error received trying to read XML file: " + xmlFile.getAbsolutePath());
} finally {
if (fis != null) {
try {
fis.close();
} catch (Exception ignored) {
}
}
} catch (Exception e) {
LOGGER.severe("Unable to access XML file "+ xmlFile.getAbsolutePath());
}
if (reader != null) {
try {
reader.close();
} catch (Exception ignored) {
}
}
}

return false;
}

Expand All @@ -92,6 +105,10 @@ private static XMLInputFactory getXmlInputFactory() {
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
// XMLConstants.ACCESS_EXTERNAL_DTD an empty string to deny all access to external references;
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
// XMLConstants.ACCESS_EXTERNAL_SCHEMA uses an empty string to deny all access to external references;
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
} catch (Exception e) {
LOGGER.warning("Could not set properties on XMLInputFactory.");
}
Expand All @@ -114,10 +131,18 @@ public static Map<String, String> getElementValues(Path file, Set<String> elemen
}
Map<String, String> returnValues = new HashMap<String, String> ();

XMLInputFactory factory = XMLInputFactory.newInstance();
XMLInputFactory factory = getXmlInputFactory();
readElementValues(file, elementNames, factory, returnValues);
return returnValues;
}

private static void readElementValues(Path file, Set<String> elementNames, XMLInputFactory factory, Map<String, String> returnValues) {
XMLEventReader reader = null;
FileInputStream fis = null;
try {
reader = factory.createXMLEventReader(new FileInputStream(file.toFile()));
fis = new FileInputStream(file.toFile());
reader = factory.createXMLEventReader(fis);

while (reader.hasNext()) {
XMLEvent event = reader.nextEvent();
if (!event.isStartElement()) {
Expand All @@ -131,21 +156,25 @@ public static Map<String, String> getElementValues(Path file, Set<String> elemen
returnValues.put(elementName, value.getData());
}
}
}
}
} catch (FileNotFoundException e) {
LOGGER.severe("Unable to access file "+ file.toFile().getName());
} catch (XMLStreamException e) {
LOGGER.severe("Error received trying to read XML file " + file.toFile().getName() + " : "+e.getMessage());
} finally {
if (fis != null) {
try {
fis.close();
} catch (Exception ignored) {
}
}
if (reader != null) {
try {
reader.close();
} catch (Exception ignored) {
} catch (Exception ignored) {
}
}
}

return returnValues;
}

protected static String getElementName(XMLEvent event) {
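Review bot: In the `getXmlInputFactory` hunk the two added `setProperty` calls share one `try` with the three existing ones, and the `catch (Exception e)` only logs `Could not set properties on XMLInputFactory.` before, presumably, returning the factory anyway (the return is outside the hunk). `XMLInputFactory.setProperty` throws `IllegalArgumentException` for a property the implementation does not support, so a StAX provider that rejects `XMLConstants.ACCESS_EXTERNAL_DTD` would skip `ACCESS_EXTERNAL_SCHEMA` as well, and the log would not say which restriction is missing. Setting each property in its own guarded call and naming it in the message, e.g. `LOGGER.warning("XMLInputFactory rejected " + name + ": " + e.getMessage());`, makes a partially hardened parser visible; refusing to parse when the DTD-related properties cannot be applied would be the stricter option. The same pattern is repeated in the `getXmlInputFactory` hunk of the third changed file.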
Expand Up @@ -54,41 +54,57 @@ public static Map<String, String> getElementValues(File file, Set<String> elemen
return returnValues;
}

readElementValues(file, elementNames, returnValues);

return returnValues;
}

private static void readElementValues(File file, Set<String> elementNames, Map<String, String> returnValues) {
XMLInputFactory factory = getXmlInputFactory();
try {
readElements(file, elementNames, returnValues, factory);
} catch (Exception e) {
LOGGER.severe("Unable to access XML file "+ file.getAbsolutePath());
}
}

private static void readElements(File file, Set<String> elementNames, Map<String, String> returnValues, XMLInputFactory factory) {
XMLEventReader reader = null;
FileInputStream fis = null;
try {
try (FileInputStream fis = new FileInputStream(file)) {
reader = factory.createXMLEventReader(fis);
while (reader.hasNext()) {
XMLEvent nextEvent = reader.nextEvent();
if (!nextEvent.isStartElement()) {
continue;
}
String elementName = getElementName(nextEvent);
if (elementNames.contains(elementName) && reader.hasNext()) {
XMLEvent elementContent = reader.nextEvent();
if (elementContent.isCharacters()) {
Characters value = elementContent.asCharacters();
returnValues.put(elementName, value.getData());
}
}
fis = new FileInputStream(file);
reader = factory.createXMLEventReader(fis);
while (reader.hasNext()) {
XMLEvent nextEvent = reader.nextEvent();
if (!nextEvent.isStartElement()) {
continue;
}
} catch (XMLStreamException | FileNotFoundException e) {
LOGGER.severe("Error received trying to read XML file: " + file.getName() +
"\n\tError" + e.getMessage());
} finally {
if (reader != null) {
try {
reader.close();
} catch (Exception ignored) {
String elementName = getElementName(nextEvent);
if (elementNames.contains(elementName) && reader.hasNext()) {
XMLEvent elementContent = reader.nextEvent();
if (elementContent.isCharacters()) {
Characters value = elementContent.asCharacters();
returnValues.put(elementName, value.getData());
}
}
}
} catch (Exception e) {
LOGGER.severe("Unable to access XML file "+ file.getAbsolutePath());
}
} catch (XMLStreamException | FileNotFoundException e) {
LOGGER.severe("Error received trying to read XML file: " + file.getName() +
"\n\tError" + e.getMessage());
} finally {
if (reader != null) {
try {
reader.close();
} catch (Exception ignored) {
}
}
if (fis != null) {
try {
fis.close();
} catch (Exception ignored) {
}
}
}

return returnValues;
}

private static XMLInputFactory getXmlInputFactory() {
Expand All @@ -98,7 +114,10 @@ private static XMLInputFactory getXmlInputFactory() {
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);

// XMLConstants.ACCESS_EXTERNAL_DTD an empty string to deny all access to external references;
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
// XMLConstants.ACCESS_EXTERNAL_SCHEMA uses an empty string to deny all access to external references;
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
} catch (Exception e) {
LOGGER.warning("Could not set properties on XMLInputFactory.");
}
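Review bot: The `catch (Exception e)` in the new `readElementValues(File, ...)` wrapper discards the exception: `LOGGER.severe("Unable to access XML file "+ file.getAbsolutePath());` records neither its type nor its message. `readElements` already handles `XMLStreamException` and `FileNotFoundException` itself, so as far as the hunk shows only unexpected runtime failures reach this handler, which is where the cause matters most and where "Unable to access" is misleading. Passing the throwable to the logger keeps the stack trace, e.g. `LOGGER.log(Level.SEVERE, "Unexpected error reading XML file " + file.getAbsolutePath(), e);`, assuming `LOGGER` is a `java.util.logging.Logger` as its `severe`/`warning` calls suggest. The caller also gets back a possibly partial `returnValues` with no indication that parsing stopped early, which is worth a sentence in the method's Javadoc.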