Package mondrian.util

Class XmlParserFactoryProducer

java.lang.Object

mondrian.util.XmlParserFactoryProducer

public class XmlParserFactoryProducer
extends Object

Class was created to prevent XXE Security Vulnerabilities http://jira.pentaho.com/browse/PPP-3506 Created by Yury_Bakhmutski on 10/21/2016.

Constructor Summary

Constructors

Constructor	Description
XmlParserFactoryProducer()

Method Summary

Modifier and Type	Method	Description
static DocumentBuilderFactory	createSecureDocBuilderFactory()	Creates an instance of DocumentBuilderFactory class with enabled XMLConstants.FEATURE_SECURE_PROCESSING property.
static SAXParserFactory	createSecureSAXParserFactory()	Creates an instance of SAXParserFactory class with enabled XMLConstants.FEATURE_SECURE_PROCESSING property.
static org.dom4j.io.SAXReader	getSAXReader(EntityResolver resolver)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

XmlParserFactoryProducer

public XmlParserFactoryProducer()

Method Detail

createSecureDocBuilderFactory

public static DocumentBuilderFactory createSecureDocBuilderFactory()
                                                            throws ParserConfigurationException

Creates an instance of DocumentBuilderFactory class with enabled XMLConstants.FEATURE_SECURE_PROCESSING property. Enabling this feature prevents from some XXE attacks (e.g. XML bomb) See PPP-3506 for more details.

Throws:

ParserConfigurationException - if feature can't be enabled

createSecureSAXParserFactory

public static SAXParserFactory createSecureSAXParserFactory()
                                                     throws SAXNotSupportedException,
                                                            SAXNotRecognizedException,
                                                            ParserConfigurationException

Creates an instance of SAXParserFactory class with enabled XMLConstants.FEATURE_SECURE_PROCESSING property. Enabling this feature prevents from some XXE attacks (e.g. XML bomb)

Throws:

ParserConfigurationException - if a parser cannot be created which satisfies the requested configuration.

SAXNotRecognizedException - When the underlying XMLReader does not recognize the property name.

SAXNotSupportedException - When the underlying XMLReader recognizes the property name but doesn't support the property.

getSAXReader

public static org.dom4j.io.SAXReader getSAXReader(EntityResolver resolver)