🔒️ Enhance XML security

coreequip · coreequip · commit 66680e9542e1 · 2024-10-16T23:46:25.000+02:00
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,3 @@
+**/.DS_Store
+**/LICENSE
+**/*.md
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,13 @@
 FROM eclipse-temurin:21-alpine
 
+RUN adduser -H -D xrviz xrviz
+USER xrviz
+
 WORKDIR /app
 
-COPY build/libs/xrviz.jar /app/xrviz.jar
-COPY data /app/data
+COPY --chown=xrviz:xrviz build/libs/xrviz.jar /app/xrviz.jar
+COPY --chown=xrviz:xrviz data /app/data
 
 EXPOSE 4000
 
-CMD ["java", "-jar", "/app/xrviz.jar"]
+CMD ["java", "-jar", "xrviz.jar"]
diff --git a/gradle.properties b/gradle.properties
@@ -1,2 +1,2 @@
-currentVersion=0.1.10
+currentVersion=0.1.11
 mainClassName=io.github.easybill.xrviz.App
diff --git a/src/main/java/io/github/easybill/xrviz/XslTransformer.java b/src/main/java/io/github/easybill/xrviz/XslTransformer.java
@@ -3,8 +3,10 @@
 import org.apache.fop.apps.*;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
 
-import javax.xml.transform.Source;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
@@ -30,6 +32,22 @@ public class XslTransformer {
     public static final String UBL_I_VALIDATION_STRING = "Invoice";
     public static final String UBL_C_VALIDATION_STRING = "CreditNote";
     public static final Pattern REGEX = Pattern.compile("[<:](CrossIndustryInvoice|Invoice|CreditNote)");
+    private static final XMLReader xmlReader;
+
+    static {
+        try {
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            SAXParser saxParser = factory.newSAXParser();
+            xmlReader = saxParser.getXMLReader();
+            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        } catch (Exception e) {
+            logger.log(Level.SEVERE, "Error initializing XMLReader", e);
+            throw new RuntimeException(e);
+        }
+    }
+
 
     enum DocumentType {
         CII("cii-xr.xsl"),
@@ -91,9 +109,9 @@ private static DOMSource transformXmlToXr(String inputXml, DocumentType type) th
         TransformerFactory factory = TransformerFactory.newInstance();
         StreamSource source = new StreamSource("data/xsl/" + type.getXslName());
         Transformer transformer = factory.newTransformer(source);
-        Source xml = new StreamSource(new StringReader(inputXml));
+        SAXSource saxSource = new SAXSource(xmlReader, new InputSource(new StringReader(inputXml)));
         DOMResult domResult = new DOMResult();
-        transformer.transform(xml, domResult);
+        transformer.transform(saxSource, domResult);
         return new DOMSource(domResult.getNode());
     }
 
diff --git a/src/main/java/io/github/easybill/xrviz/handler/HtmlHandler.java b/src/main/java/io/github/easybill/xrviz/handler/HtmlHandler.java
@@ -6,6 +6,7 @@
 
 import javax.xml.transform.TransformerException;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.nio.charset.StandardCharsets;
 
 public class HtmlHandler extends XmlRequestExtractor implements HttpHandler {
@@ -27,7 +28,7 @@ public void handle(HttpExchange exchange) throws IOException {
             exchange.getResponseBody().close();
 
         } catch (TransformerException e) {
-            exchange.sendResponseHeaders(500, -1);
+            exchange.sendResponseHeaders(HttpURLConnection.HTTP_BAD_REQUEST, -1);
 
             logger.severe("Error while transforming XML to HTML: " + e.getMessage());
         }
diff --git a/version-badge.svg b/version-badge.svg
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<svg xmlns="http://www.w3.org/2000/svg" width="90" height="20" role="img" aria-label="Version: 0.1.10">
+<svg xmlns="http://www.w3.org/2000/svg" width="90" height="20" role="img" aria-label="Version: 0.1.11">
   <linearGradient id="s" x2="0" y2="100%">
     <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
     <stop offset="1" stop-opacity=".1"/>
@@ -15,7 +15,7 @@
   <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110">
     <text aria-hidden="true" x="265" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="410">Version</text>
     <text x="265" y="140" transform="scale(.1)" fill="#fff" textLength="410">Version</text>
-    <text aria-hidden="true" x="695" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="290">0.1.10</text>
-    <text x="695" y="140" transform="scale(.1)" fill="#fff" textLength="290">0.1.10</text>
+    <text aria-hidden="true" x="695" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="290">0.1.11</text>
+    <text x="695" y="140" transform="scale(.1)" fill="#fff" textLength="290">0.1.11</text>
   </g>
 </svg>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+**/.DS_Store`
	`2`	`+**/LICENSE`
	`3`	`+*/.md`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-currentVersion=0.1.10`
	`1`	`+currentVersion=0.1.11`
`2`	`2`	`mainClassName=io.github.easybill.xrviz.App`