fix(core): correct schema validation for hints and grok documents when used with schema locations

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>

Author: chadlwilson

core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -140,14 +140,6 @@ public class Engine implements FileFilter, AutoCloseable {
      * A reference to the database.
      */
     private CveDB database = null;
-    /**
-     * Used to store the value of
-     * System.getProperty("javax.xml.accessExternalSchema") - ODC may change the
-     * value of this system property at runtime. We store the value to reset the
-     * property to its original value.
-     */
-    private final String accessExternalSchema;
-
     /**
      * Creates a new {@link Mode#STANDALONE} Engine.
      *
@@ -188,8 +180,6 @@ public Engine(@NotNull final ClassLoader serviceClassLoader, @NotNull final Mode
         this.settings = settings;
         this.serviceClassLoader = serviceClassLoader;
         this.mode = mode;
-        this.accessExternalSchema = System.getProperty("javax.xml.accessExternalSchema");
-
         initializeEngine();
     }
 
@@ -215,11 +205,6 @@ public void close() {
                 database = null;
             }
         }
-        if (accessExternalSchema != null) {
-            System.setProperty("javax.xml.accessExternalSchema", accessExternalSchema);
-        } else {
-            System.clearProperty("javax.xml.accessExternalSchema");
-        }
         JCS.shutdown();
     }
 

core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -506,9 +506,8 @@ private void ensureParentDirectoryExists(File file) throws ReportException {
      * Reformats the given XML file.
      *
      * @param path the path to the XML file to be reformatted
-     * @throws ReportException thrown if the given JSON file is malformed
      */
-    private void pretifyXml(String path) throws ReportException {
+    private void pretifyXml(String path) {
         final String outputPath = path + ".pretty";
         final File in = new File(path);
         final File out = new File(outputPath);
@@ -520,10 +519,7 @@ private void pretifyXml(String path) throws ReportException {
             transformer.setOutputProperty(OutputKeys.INDENT, "yes");
             transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
 
-            final SAXSource saxs = new SAXSource(new InputSource(path));
-            final XMLReader saxReader = XmlUtils.buildSecureSaxParser().getXMLReader();
-
-            saxs.setXMLReader(saxReader);
+            final SAXSource saxs = new SAXSource(XmlUtils.buildSecureXmlReader(), new InputSource(path));
             transformer.transform(saxs, new StreamResult(new OutputStreamWriter(os, StandardCharsets.UTF_8)));
         } catch (ParserConfigurationException | TransformerConfigurationException ex) {
             LOGGER.debug("Configuration exception when pretty printing", ex);

core/src/main/java/org/owasp/dependencycheck/xml/assembly/GrokParser.java

@@ -27,9 +27,8 @@
 import java.nio.charset.StandardCharsets;
 import javax.annotation.concurrent.ThreadSafe;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
 
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
@@ -38,6 +37,8 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
+
 /**
  * A simple validating parser for XML Grok Assembly XML files.
  *
@@ -80,10 +81,9 @@ public AssemblyData parse(File file) throws GrokParseException {
      * @throws GrokParseException thrown if the XML cannot be parsed
      */
     public AssemblyData parse(InputStream inputStream) throws GrokParseException {
-        try (InputStream schema = FileUtils.getResourceAsStream(GROK_SCHEMA)) {
+        try (AutoCloseableInputSource schema = fromResource(GROK_SCHEMA)) {
             final GrokHandler handler = new GrokHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schema);
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schema);
             xmlReader.setErrorHandler(new GrokErrorHandler());
             xmlReader.setContentHandler(handler);
             try (Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {

core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java

@@ -28,11 +28,11 @@
 import java.util.List;
 import javax.annotation.concurrent.NotThreadSafe;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
+
 import org.apache.commons.io.ByteOrderMark;
 import org.apache.commons.io.input.BOMInputStream;
 
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
@@ -41,6 +41,8 @@
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
+
 /**
  * A simple validating parser for XML Hint Rules.
  *
@@ -53,21 +55,6 @@ public class HintParser {
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(HintParser.class);
-    /**
-     * JAXP Schema Language. Source:
-     * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
-     */
-    public static final String JAXP_SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage";
-    /**
-     * W3C XML Schema. Source:
-     * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
-     */
-    public static final String W3C_XML_SCHEMA = "http://www.w3.org/2001/XMLSchema";
-    /**
-     * JAXP Schema Source. Source:
-     * http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
-     */
-    public static final String JAXP_SCHEMA_SOURCE = "http://java.sun.com/xml/jaxp/properties/schemaSource";
 
     /**
      * The schema for the hint XML files.
@@ -142,20 +129,18 @@ public void parseHints(File file) throws HintParseException {
      * @throws SAXException thrown if the XML cannot be parsed
      */
     public void parseHints(InputStream inputStream) throws HintParseException, SAXException {
-        try (
-                InputStream schemaStream14 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_4);
-                InputStream schemaStream13 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_3);
-                InputStream schemaStream12 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_2);
-                InputStream schemaStream11 = FileUtils.getResourceAsStream(HINT_SCHEMA_1_1)) {
+        try (AutoCloseableInputSource schemaStream14 = fromResource(HINT_SCHEMA_1_4);
+             AutoCloseableInputSource schemaStream13 = fromResource(HINT_SCHEMA_1_3);
+             AutoCloseableInputSource schemaStream12 = fromResource(HINT_SCHEMA_1_2);
+             AutoCloseableInputSource schemaStream11 = fromResource(HINT_SCHEMA_1_1)) {
 
             final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(inputStream).get();
             final ByteOrderMark bom = bomStream.getBOM();
             final String defaultEncoding = StandardCharsets.UTF_8.name();
             final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
 
             final HintHandler handler = new HintHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream14, schemaStream13, schemaStream12, schemaStream11);
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schemaStream14, schemaStream13, schemaStream12, schemaStream11);
             xmlReader.setErrorHandler(new HintErrorHandler());
             xmlReader.setContentHandler(handler);
             try (Reader reader = new InputStreamReader(bomStream, charsetName)) {

core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java

@@ -107,8 +107,7 @@ public Model parseWithoutDocTypeCleanup(File file) throws PomParseException {
     public Model parse(InputStream inputStream) throws PomParseException {
         try {
             final PomHandler handler = new PomHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureXmlReader();
             xmlReader.setContentHandler(handler);
 
             final BOMInputStream bomStream = BOMInputStream.builder()
@@ -138,8 +137,7 @@ public Model parse(InputStream inputStream) throws PomParseException {
     public Model parseWithoutDocTypeCleanup(InputStream inputStream) throws PomParseException {
         try {
             final PomHandler handler = new PomHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureXmlReader();
             xmlReader.setContentHandler(handler);
 
             final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(new XmlInputStream(inputStream)).get();

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java

@@ -28,20 +28,21 @@
 import java.util.List;
 import javax.annotation.concurrent.ThreadSafe;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
+
 import org.apache.commons.io.ByteOrderMark;
 import org.apache.commons.io.input.BOMInputStream;
 
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
+
 /**
  * A simple validating parser for XML Suppression Rules.
  *
@@ -105,24 +106,21 @@ public List<SuppressionRule> parseSuppressionRules(File file) throws Suppression
      */
     public List<SuppressionRule> parseSuppressionRules(InputStream inputStream)
             throws SuppressionParseException, SAXException {
-        try (
-                InputStream schemaStream14 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_4);
-                InputStream schemaStream13 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_3);
-                InputStream schemaStream12 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_2);
-                InputStream schemaStream11 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_1);
-                InputStream schemaStream10 = FileUtils.getResourceAsStream(SUPPRESSION_SCHEMA_1_0)) {
+        try (AutoCloseableInputSource schemaStream14 = fromResource(SUPPRESSION_SCHEMA_1_4);
+             AutoCloseableInputSource schemaStream13 = fromResource(SUPPRESSION_SCHEMA_1_3);
+             AutoCloseableInputSource schemaStream12 = fromResource(SUPPRESSION_SCHEMA_1_2);
+             AutoCloseableInputSource schemaStream11 = fromResource(SUPPRESSION_SCHEMA_1_1);
+             AutoCloseableInputSource schemaStream10 = fromResource(SUPPRESSION_SCHEMA_1_0)) {
 
             final BOMInputStream bomStream = BOMInputStream.builder().setInputStream(inputStream).get();
             final ByteOrderMark bom = bomStream.getBOM();
             final String defaultEncoding = StandardCharsets.UTF_8.name();
             final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
 
             final SuppressionHandler handler = new SuppressionHandler();
-            final SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream14, schemaStream13, schemaStream12, schemaStream11, schemaStream10);
-            final XMLReader xmlReader = saxParser.getXMLReader();
+            final XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schemaStream14, schemaStream13, schemaStream12, schemaStream11, schemaStream10);
             xmlReader.setErrorHandler(new SuppressionErrorHandler());
             xmlReader.setContentHandler(handler);
-            xmlReader.setEntityResolver(new ClassloaderResolver());
             try (Reader reader = new InputStreamReader(bomStream, charsetName)) {
                 final InputSource in = new InputSource(reader);
                 xmlReader.parse(in);
@@ -141,24 +139,4 @@ public List<SuppressionRule> parseSuppressionRules(InputStream inputStream)
         }
     }
 
-    /**
-     * Load HTTPS schema resources locally from the JAR files resources.
-     */
-    private static class ClassloaderResolver implements EntityResolver {
-
-        @Override
-        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
-
-            if (systemId != null && systemId.startsWith("https://jeremylong.github.io/DependencyCheck/")) {
-                final String resource = "schema/" + systemId.substring(45);
-                final InputStream in = SuppressionParser.class.getClassLoader().getResourceAsStream(resource);
-                if (in != null) {
-                    final InputSource source = new InputSource(in);
-                    source.setSystemId(systemId);
-                    return source;
-                }
-            }
-            return null;
-        }
-    }
 }

core/src/test/java/org/owasp/dependencycheck/xml/assembly/GrokHandlerTest.java

@@ -19,11 +19,11 @@
 
 import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
 import org.owasp.dependencycheck.utils.XmlUtils;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
-import javax.xml.parsers.SAXParser;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
@@ -32,6 +32,7 @@
 import java.nio.charset.StandardCharsets;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
 
 /**
  *
@@ -47,24 +48,23 @@ class GrokHandlerTest extends BaseTest {
     @Test
     void testHandler() throws Exception {
         File file = BaseTest.getResourceAsFile(this, "assembly/sample-grok.xml");
-        InputStream schemaStream = BaseTest.getResourceAsStream(this, "schema/grok-assembly.1.0.xsd");
 
-        GrokHandler handler = new GrokHandler();
-        SAXParser saxParser = XmlUtils.buildSecureSaxParser(schemaStream);
-        XMLReader xmlReader = saxParser.getXMLReader();
-        xmlReader.setErrorHandler(new GrokErrorHandler());
-        xmlReader.setContentHandler(handler);
+        try (AutoCloseableInputSource schema = fromResource("schema/grok-assembly.1.0.xsd")) {
+            GrokHandler handler = new GrokHandler();
+            XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schema);
+            xmlReader.setErrorHandler(new GrokErrorHandler());
+            xmlReader.setContentHandler(handler);
 
-        InputStream inputStream = new FileInputStream(file);
-        Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8);
-        InputSource in = new InputSource(reader);
+            try (Reader reader = new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8)) {
+                InputSource in = new InputSource(reader);
+                xmlReader.parse(in);
+            }
 
-        xmlReader.parse(in);
-
-        AssemblyData result = handler.getAssemblyData();
-        assertEquals("OWASP Contributors", result.getCompanyName());
-        assertEquals("GrokAssembly", result.getProductName());
-        assertEquals("Inspects a .NET Assembly to determine Company, Product, and Version information", result.getComments());
-        assertEquals(1, result.getNamespaces().size());
+            AssemblyData result = handler.getAssemblyData();
+            assertEquals("OWASP Contributors", result.getCompanyName());
+            assertEquals("GrokAssembly", result.getProductName());
+            assertEquals("Inspects a .NET Assembly to determine Company, Product, and Version information", result.getComments());
+            assertEquals(1, result.getNamespaces().size());
+        }
     }
 }

core/src/test/java/org/owasp/dependencycheck/xml/hints/HintHandlerTest.java

@@ -19,13 +19,13 @@
 
 import org.junit.jupiter.api.Test;
 import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.utils.AutoCloseableInputSource;
+import org.owasp.dependencycheck.utils.XmlUtils;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -36,6 +36,7 @@
 import java.util.List;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.owasp.dependencycheck.utils.AutoCloseableInputSource.fromResource;
 
 /**
  *
@@ -46,26 +47,20 @@ class HintHandlerTest extends BaseTest {
     @Test
     void testHandler() throws ParserConfigurationException, SAXException, IOException {
         File file = BaseTest.getResourceAsFile(this, "hints.xml");
-        File schema = BaseTest.getResourceAsFile(this, "schema/dependency-hint.1.1.xsd");
         HintHandler handler = new HintHandler();
 
-        SAXParserFactory factory = SAXParserFactory.newInstance();
-        factory.setNamespaceAware(true);
-        factory.setValidating(true);
-        SAXParser saxParser = factory.newSAXParser();
-        saxParser.setProperty(HintParser.JAXP_SCHEMA_LANGUAGE, HintParser.W3C_XML_SCHEMA);
-        saxParser.setProperty(HintParser.JAXP_SCHEMA_SOURCE, schema);
-        XMLReader xmlReader = saxParser.getXMLReader();
-        xmlReader.setErrorHandler(new HintErrorHandler());
-        xmlReader.setContentHandler(handler);
+        try (AutoCloseableInputSource schemaResource = fromResource("schema/dependency-hint.1.4.xsd")) {
+            XMLReader xmlReader = XmlUtils.buildSecureValidatingXmlReader(schemaResource);
+            xmlReader.setErrorHandler(new HintErrorHandler());
+            xmlReader.setContentHandler(handler);
 
-        InputStream inputStream = new FileInputStream(file);
-        Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8);
-        InputSource in = new InputSource(reader);
-        xmlReader.parse(in);
-
-        List<HintRule> result = handler.getHintRules();
-        assertEquals(2,result.size(),"two hint rules should have been loaded");
+            try (Reader reader = new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8)) {
+                InputSource in = new InputSource(reader);
+                xmlReader.parse(in);
+            }
+            List<HintRule> result = handler.getHintRules();
+            assertEquals(2, result.size(), "two hint rules should have been loaded");
+        }
     }
 
 }