🔒️ Enhance XML security (#15)

- 🔒️ Enhance XML security
- ✨ Refactor HTTP response handling
- 📄 Add detailed HTTP endpoints documentation to README

Author: coreequip

.dockerignore

@@ -0,0 +1,3 @@
+**/.DS_Store
+**/LICENSE
+**/*.md

.github/workflows/publish.yml

@@ -35,4 +35,4 @@ jobs:
         run: gradle shadowJar
 
       - name: Build images
-        run: docker buildx build --platform=linux/amd64 --platform=linux/arm64 -t easybill/e-invoice-visualizer:${{github.ref_name}} -t easybill/e-invoice-visualizer:latest  . --push
+        run: docker buildx build --platform=linux/amd64 --platform=linux/arm64 -t easybill/e-invoice-visualizer:${{github.ref_name}} -t easybill/e-invoice-visualizer:latest  . --push

Dockerfile

@@ -1,10 +1,13 @@
 FROM eclipse-temurin:21-alpine
 
+RUN adduser -H -D xrviz xrviz
+USER xrviz
+
 WORKDIR /app
 
-COPY build/libs/xrviz.jar /app/xrviz.jar
-COPY data /app/data
+COPY --chown=xrviz:xrviz build/libs/xrviz.jar /app/xrviz.jar
+COPY --chown=xrviz:xrviz data /app/data
 
 EXPOSE 4000
 
-CMD ["java", "-jar", "/app/xrviz.jar"]
+CMD ["java", "-jar", "xrviz.jar"]

README.md

@@ -1,8 +1,79 @@
+
 # e-invoice-visualizer
 
 ![](version-badge.svg)
 
-CII-/XR-Visualizer. Outputs HTML and PDF.
+This microservice visualizes CII/UBL e-invoices by converting them into HTML or PDF formats. It provides three main HTTP endpoints to interact with the service.
+
+## HTTP Endpoints
+
+### 1. Health Check
+
+Checks the health status of the service.
+
+**Endpoint:**
+```
+GET /health
+```
+
+**Example:**
+```sh
+curl -X GET http://localhost:8080/health
+```
+
+### 2. Convert XML to HTML
+
+Converts a given XML e-invoice to an HTML file.
+
+**Endpoint:**
+```
+POST /convert.html
+```
+**Example response:**
+```json
+{
+  "version": "0.1.10 (ba8cecca)",
+  "freeMemory": 254288368,
+  "totalMemory": 268435456,
+  "uptime": 94859746,
+  "uptimeString": "1d 2h 20m 59s"
+}
+```
+
+**Headers:**
+- `Content-Type: application/xml`
+- `Accept-Language: <language_code>` (optional, e.g., `de` for German)  
+  Valid: `de` or `en`, default: `de`
+
+**Example:**
+```sh
+curl -X POST http://localhost:8080/convert.html \
+     -H "Content-Type: application/xml" \
+     -H "Accept-Language: en" \
+     --data-binary @path/to/your/e-invoice.xml
+```
+
+### 3. Convert XML to PDF
+
+Converts a given XML e-invoice to a PDF file.
+
+**Endpoint:**
+```
+POST /convert.pdf
+```
+
+**Headers:**
+- `Content-Type: application/xml`
+- `Accept-Language: <language_code>` (optional, e.g., `de` for German)  
+  Valid: `de` or `en`, default: `de`
+
+**Example:**
+```sh
+curl -X POST http://localhost:8080/convert.pdf \
+     -H "Content-Type: application/xml" \
+     -H "Accept-Language: en" \
+     --data-binary @path/to/your/e-invoice.xml
+```
 
 ## Build a new version
 
@@ -13,4 +84,4 @@ To build a new version follow these steps:
 3. In necessary, `make` to update external dependencies.
 4. Push changes to the repository.
 5. Create, review and merge a pull request.
-6. Create a new release in GitHub with the new version number as tag.
+6. Create a new release in GitHub with the new version number as tag.

gradle.properties

@@ -1,2 +1,2 @@
-currentVersion=0.1.10
+currentVersion=0.1.11
 mainClassName=io.github.easybill.xrviz.App

src/main/java/io/github/easybill/xrviz/XslTransformer.java

@@ -3,8 +3,10 @@
 import org.apache.fop.apps.*;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
 
-import javax.xml.transform.Source;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
@@ -30,6 +32,22 @@ public class XslTransformer {
     public static final String UBL_I_VALIDATION_STRING = "Invoice";
     public static final String UBL_C_VALIDATION_STRING = "CreditNote";
     public static final Pattern REGEX = Pattern.compile("[<:](CrossIndustryInvoice|Invoice|CreditNote)");
+    private static final XMLReader xmlReader;
+
+    static {
+        try {
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            SAXParser saxParser = factory.newSAXParser();
+            xmlReader = saxParser.getXMLReader();
+            xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        } catch (Exception e) {
+            logger.log(Level.SEVERE, "Error initializing XMLReader", e);
+            throw new RuntimeException(e);
+        }
+    }
+
 
     enum DocumentType {
         CII("cii-xr.xsl"),
@@ -91,9 +109,9 @@ private static DOMSource transformXmlToXr(String inputXml, DocumentType type) th
         TransformerFactory factory = TransformerFactory.newInstance();
         StreamSource source = new StreamSource("data/xsl/" + type.getXslName());
         Transformer transformer = factory.newTransformer(source);
-        Source xml = new StreamSource(new StringReader(inputXml));
+        SAXSource saxSource = new SAXSource(xmlReader, new InputSource(new StringReader(inputXml)));
         DOMResult domResult = new DOMResult();
-        transformer.transform(xml, domResult);
+        transformer.transform(saxSource, domResult);
         return new DOMSource(domResult.getNode());
     }
 

src/main/java/io/github/easybill/xrviz/handler/HtmlHandler.java

@@ -6,6 +6,7 @@
 
 import javax.xml.transform.TransformerException;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.nio.charset.StandardCharsets;
 
 public class HtmlHandler extends XmlRequestExtractor implements HttpHandler {
@@ -19,16 +20,12 @@ public void handle(HttpExchange exchange) throws IOException {
                 return;
             }
 
-            byte[] response = XslTransformer.transformToHtml(xml.get(), getLanguage(exchange)).getBytes(StandardCharsets.UTF_8);
-
-            exchange.getResponseHeaders().set("Content-Type", "text/html");
-            exchange.sendResponseHeaders(200, response.length);
-            exchange.getResponseBody().write(response);
-            exchange.getResponseBody().close();
+            sendResponse(exchange,
+                XslTransformer.transformToHtml(xml.get(), getLanguage(exchange)).getBytes(StandardCharsets.UTF_8),
+                HttpURLConnection.HTTP_OK, "text/html");
 
         } catch (TransformerException e) {
-            exchange.sendResponseHeaders(500, -1);
-
+            sendResponse(exchange, e.getMessage().getBytes(), HttpURLConnection.HTTP_BAD_REQUEST, "text/plain");
             logger.severe("Error while transforming XML to HTML: " + e.getMessage());
         }
     }

src/main/java/io/github/easybill/xrviz/handler/PdfHandler.java

@@ -7,6 +7,7 @@
 
 import javax.xml.transform.TransformerException;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 
 public class PdfHandler extends XmlRequestExtractor implements HttpHandler {
     @Override
@@ -19,17 +20,13 @@ public void handle(HttpExchange exchange) throws IOException {
                 return;
             }
 
-            byte[] response = XslTransformer.transformToPdf(xml.get(), getLanguage(exchange));
-
-            exchange.getResponseHeaders().set("Content-Type", "application/pdf");
-            exchange.sendResponseHeaders(200, response.length);
-            exchange.getResponseBody().write(response);
-            exchange.getResponseBody().close();
+            sendResponse(exchange,
+                XslTransformer.transformToPdf(xml.get(), getLanguage(exchange)),
+                HttpURLConnection.HTTP_OK, "application/pdf");
 
         } catch (TransformerException | SAXException e) {
-            exchange.sendResponseHeaders(500, -1);
-
             logger.severe("Error while transforming XML to PDF: " + e.getMessage());
+            sendResponse(exchange, e.getMessage().getBytes(), HttpURLConnection.HTTP_BAD_REQUEST, "text/plain");
         }
     }
 }

src/main/java/io/github/easybill/xrviz/handler/StatusHandler.java

@@ -5,11 +5,10 @@
 import io.github.easybill.xrviz.Config;
 
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.nio.charset.StandardCharsets;
 
-import static io.github.easybill.xrviz.handler.XmlRequestExtractor.logger;
-
-public class StatusHandler implements HttpHandler {
+public class StatusHandler extends XmlRequestExtractor implements HttpHandler {
 
     public static final String JSON_RESPONSE = """
         {"version":"%s","freeMemory":%d,"totalMemory":%d,"uptime":%d,"uptimeString":"%s"}""";
@@ -29,13 +28,10 @@ public void handle(HttpExchange exchange) throws IOException {
                 uptime.upStr()
             ).getBytes(StandardCharsets.UTF_8);
 
-            exchange.getResponseHeaders().set("Content-Type", "application/json");
-            exchange.sendResponseHeaders(200, response.length);
-            exchange.getResponseBody().write(response);
-            exchange.getResponseBody().close();
+            sendResponse(exchange, response, HttpURLConnection.HTTP_OK, "application/json");
         } else {
             logger.warning("Wrong method request for health check: " + exchange.getRequestMethod());
-            exchange.sendResponseHeaders(405, -1); // 405 Method Not Allowed
+            exchange.sendResponseHeaders(HttpURLConnection.HTTP_BAD_METHOD, -1);
         }
 
     }

src/main/java/io/github/easybill/xrviz/handler/XmlRequestExtractor.java

@@ -32,7 +32,7 @@ Optional<String> validate(HttpExchange exchange) throws IOException {
         String encoding = detector.getDetectedCharset();
         detector.reset();
 
-        Charset charset = null;
+        Charset charset;
         try {
             charset = (encoding != null) ? Charset.forName(encoding) : StandardCharsets.UTF_8;
         } catch (IllegalArgumentException e) {
@@ -60,7 +60,18 @@ Optional<String> validate(HttpExchange exchange) throws IOException {
 
     String getLanguage(HttpExchange exchange) {
         String acceptLanguage = exchange.getRequestHeaders().getFirst("Accept-Language");
-        return acceptLanguage != null && acceptLanguage.toLowerCase().contains("en") ? "en" : "de";
+        return acceptLanguage != null && acceptLanguage.toLowerCase().startsWith("en") ? "en" : "de";
+    }
+
+    void sendResponse(HttpExchange exchange, byte[] response, int responseCode, String contentType) {
+        try {
+            exchange.getResponseHeaders().set("Content-Type", contentType);
+            exchange.sendResponseHeaders(responseCode, response.length);
+            exchange.getResponseBody().write(response);
+            exchange.getResponseBody().close();
+        } catch (IOException e) {
+            logger.severe("Error while sending response: " + e.getMessage());
+        }
     }
 
     private boolean isXMLValid(String xml) {

src/test/http/api-test.http

@@ -94,3 +94,16 @@ Content-Type: application/xml
 Accept-Language: de
 
 < ./broken-encoding.xml
+
+### Generate a HTML file from a XML with XEE
+POST {{baseUrl}}/convert.html
+Content-Type: application/xml
+Accept-Language: de
+
+< ./base-example-utf8-xee.xml
+> {%
+    client.test("Request executed with 400", function () {
+        client.assert(response.status === 400, "Response status is not 400");
+        client.assert(response.body.toString().includes('SXXP0003'), "Response body does not contain SXXP0003");
+    });
+%}