Merge pull request #282 from arunvenmany-ibm/sast_issue_fix_1.0

Sast issue fix 1.0
OpenLiberty · Aug 6, 2024 · 9c600b3 · 9c600b3
2 parents 35c4e63 + 45d9919
commit 9c600b3
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 33 deletions.
diff --git a/lemminx-liberty/src/main/java/io/openliberty/tools/langserver/lemminx/util/DocumentUtil.java b/lemminx-liberty/src/main/java/io/openliberty/tools/langserver/lemminx/util/DocumentUtil.java
@@ -29,8 +29,10 @@
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
@@ -41,16 +43,7 @@ public class DocumentUtil {
 
     public static Document getDocument(File inputFile) throws Exception {
         try {
-            DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
-            docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
-            docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-            docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-            docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-            docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-            docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-            docFactory.setXIncludeAware(false);
-            docFactory.setNamespaceAware(true);
-            docFactory.setExpandEntityReferences(false);
+            DocumentBuilderFactory docFactory = getDocumentBuilderFactory();
             DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
             return docBuilder.parse(inputFile);
         } catch (Exception e) {
@@ -59,25 +52,44 @@ public static Document getDocument(File inputFile) throws Exception {
         }
     }
 
+    private static DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException {
+        DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+        docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+        docFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        docFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        docFactory.setXIncludeAware(false);
+        docFactory.setNamespaceAware(true);
+        docFactory.setExpandEntityReferences(false);
+        return docFactory;
+    }
+
     public static void writeDocToXmlFile(Document doc, File inputFile) throws Exception {
-        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        TransformerFactory transformerFactory = getTransformerFactory();
         // Need to use this xsl to prevent extra lines in the updated xsd file. It is a known issue in Java 9 and up that is not going to be fixed.
         // It was a design decision. Ref link: https://bugs.openjdk.org/browse/JDK-8262285?attachmentViewMode=list
-        InputStream is = DocumentUtil.class.getClassLoader().getResourceAsStream("formatxsd.xsl"); 
+        InputStream is = DocumentUtil.class.getClassLoader().getResourceAsStream("formatxsd.xsl");
         Transformer transformer = transformerFactory.newTransformer(new StreamSource(is));
         transformer.setOutputProperty(OutputKeys.METHOD, "xml");
         transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
         transformer.setOutputProperty(OutputKeys.STANDALONE, "yes");
         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
         transformer.setOutputProperty(OutputKeys.DOCTYPE_PUBLIC, "yes");
-
         doc.setXmlStandalone(true);
         DOMSource source = new DOMSource(doc);
         StreamResult file = new StreamResult(new OutputStreamWriter(new FileOutputStream(inputFile), "UTF-8"));
         transformer.transform(source, file);
     }
 
+    private static TransformerFactory getTransformerFactory() throws TransformerConfigurationException {
+        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        return transformerFactory;
+    }
+
     public static void removeExtraneousAnyAttributeElements(File schemaFile) {
         try {
             Document doc = getDocument(schemaFile);

diff --git a/lemminx-liberty/src/main/java/io/openliberty/tools/langserver/lemminx/util/XmlReader.java b/lemminx-liberty/src/main/java/io/openliberty/tools/langserver/lemminx/util/XmlReader.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
-* Copyright (c) 2023 IBM Corporation and others.
+* Copyright (c) 2023, 2024 IBM Corporation and others.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v. 2.0 which is available at
@@ -56,14 +56,7 @@ public static boolean hasServerRoot(File xmlFile) {
         }
 
         try {
-            XMLInputFactory factory = XMLInputFactory.newInstance();
-            try {
-                factory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
-                factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
-                factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
-            } catch (Exception e) {
-                LOGGER.warning("Could not set properties on XMLInputFactory.");
-            }
+            XMLInputFactory factory = getXmlInputFactory();
 
             XMLEventReader reader = null;
 
@@ -92,6 +85,19 @@ public static boolean hasServerRoot(File xmlFile) {
         return false;
     }
 
+    private static XMLInputFactory getXmlInputFactory() {
+        XMLInputFactory factory = XMLInputFactory.newInstance();
+        try {
+            factory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
+            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+            factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
+        } catch (Exception e) {
+            LOGGER.warning("Could not set properties on XMLInputFactory.");
+        }
+        return factory;
+    }
+
     public static String getElementValue(Path file, String elementName) {
         Set<String> names = new HashSet<String> ();
         names.add(elementName);

diff --git a/liberty-ls/src/main/java/io/openliberty/tools/langserver/utils/XmlReader.java b/liberty-ls/src/main/java/io/openliberty/tools/langserver/utils/XmlReader.java
@@ -54,17 +54,7 @@ public static Map<String, String> getElementValues(File file, Set<String> elemen
             return returnValues;
         }
 
-        XMLInputFactory factory = XMLInputFactory.newInstance();
-        try {
-            factory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
-            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
-            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
-            factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
-
-        } catch (Exception e) {
-            LOGGER.warning("Could not set properties on XMLInputFactory.");
-        }
-
+        XMLInputFactory factory = getXmlInputFactory();
         XMLEventReader reader = null;
         try {
             try (FileInputStream fis = new FileInputStream(file)) {
@@ -101,6 +91,20 @@ public static Map<String, String> getElementValues(File file, Set<String> elemen
         return returnValues;
     }
 
+    private static XMLInputFactory getXmlInputFactory() {
+        XMLInputFactory factory = XMLInputFactory.newInstance();
+        try {
+            factory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
+            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+            factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
+
+        } catch (Exception e) {
+            LOGGER.warning("Could not set properties on XMLInputFactory.");
+        }
+        return factory;
+    }
+
     protected static String getElementName(XMLEvent event) {
         return event.asStartElement().getName().getLocalPart();
     }