replace constructions of SchemaFactory and Validator

richard-dennehy · richard-dennehy · commit 43376ae6cf40 · 2025-08-27T16:57:54.000+01:00
diff --git a/libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java b/libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java
@@ -12,6 +12,8 @@
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.SAXParseException;
 
 import javax.xml.XMLConstants;
@@ -22,6 +24,9 @@
 import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
 
 public class XmlUtils {
 
@@ -49,6 +54,9 @@ public static DocumentBuilder getHardenedBuilder(String[] schemaFiles) throws Pa
         return documentBuilder;
     }
 
+    /**
+     * Returns a DocumentBuilderFactory pre-configured to be secure
+     */
     @SuppressForbidden(reason = "This is the only allowed way to construct a DocumentBuilder")
     public static DocumentBuilderFactory getHardenedBuilderFactory() throws ParserConfigurationException {
         final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
@@ -76,6 +84,9 @@ public static DocumentBuilderFactory getHardenedBuilderFactory() throws ParserCo
         return dbf;
     }
 
+    /**
+     * Constructs a Transformer configured to be secure
+     */
     @SuppressForbidden(reason = "This is the only allowed way to construct a Transformer")
     public static Transformer getHardenedXMLTransformer() throws TransformerConfigurationException {
         final TransformerFactory tfactory = TransformerFactory.newInstance();
@@ -88,6 +99,28 @@ public static Transformer getHardenedXMLTransformer() throws TransformerConfigur
         return transformer;
     }
 
+    /**
+     * Returns a SchemaFactory configured to be secure
+     */
+    @SuppressForbidden(reason = "This is the only allowed way to construct a SchemaFactory")
+    public static SchemaFactory getHardenedSchemaFactory() throws SAXNotSupportedException, SAXNotRecognizedException {
+        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        return schemaFactory;
+    }
+
+    /**
+     * Constructs a Validator configured to be secure
+     */
+    @SuppressForbidden(reason = "This is the only allowed way to construct a Validator")
+    public static Validator getHardenedValidator(Schema schema) throws SAXNotSupportedException, SAXNotRecognizedException {
+        Validator validator = schema.newValidator();
+        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        return validator;
+    }
+
     private static class ErrorHandler implements org.xml.sax.ErrorHandler {
         /**
          * Enabling schema validation with `setValidating(true)` in our
diff --git a/x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/support/XmlValidator.java b/x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/support/XmlValidator.java
@@ -8,10 +8,13 @@
 package org.elasticsearch.xpack.idp.saml.support;
 
 import org.elasticsearch.core.IOUtils;
+import org.elasticsearch.core.XmlUtils;
 import org.w3c.dom.bootstrap.DOMImplementationRegistry;
 import org.w3c.dom.ls.DOMImplementationLS;
 import org.w3c.dom.ls.LSInput;
 import org.w3c.dom.ls.LSResourceResolver;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -20,7 +23,6 @@
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.xml.XMLConstants;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
@@ -34,8 +36,8 @@ public class XmlValidator {
     private final SchemaFactory schemaFactory;
     private final String xsdName;
 
-    public XmlValidator(String xsdName) {
-        this.schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+    public XmlValidator(String xsdName) throws SAXNotSupportedException, SAXNotRecognizedException {
+        this.schemaFactory = XmlUtils.getHardenedSchemaFactory();
         this.xsdName = xsdName;
     }
 
@@ -49,9 +51,7 @@ public void validate(InputStream xml) throws Exception {
         try (InputStream xsdStream = loadSchema(xsdName); ResourceResolver resolver = new ResourceResolver()) {
             schemaFactory.setResourceResolver(resolver);
             Schema schema = schemaFactory.newSchema(new StreamSource(xsdStream));
-            Validator validator = schema.newValidator();
-            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            Validator validator = XmlUtils.getHardenedValidator(schema);
             validator.validate(new StreamSource(xml));
         }
     }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlUtils.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlUtils.java
@@ -207,13 +207,11 @@ static String describeSamlObject(SAMLObject object) {
     }
 
     static void validate(InputStream xml, String xsdName) throws Exception {
-        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+        SchemaFactory schemaFactory = XmlUtils.getHardenedSchemaFactory();
         try (InputStream xsdStream = loadSchema(xsdName); ResourceResolver resolver = new ResourceResolver()) {
             schemaFactory.setResourceResolver(resolver);
             Schema schema = schemaFactory.newSchema(new StreamSource(xsdStream));
-            Validator validator = schema.newValidator();
-            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            Validator validator = XmlUtils.getHardenedValidator(schema);
             validator.validate(new StreamSource(xml));
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -207,13 +207,11 @@ static String describeSamlObject(SAMLObject object) {`
`207`	`207`	`}`
`208`	`208`
`209`	`209`	`static void validate(InputStream xml, String xsdName) throws Exception {`
`210`		`- SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);`
	`210`	`+ SchemaFactory schemaFactory = XmlUtils.getHardenedSchemaFactory();`
`211`	`211`	`try (InputStream xsdStream = loadSchema(xsdName); ResourceResolver resolver = new ResourceResolver()) {`
`212`	`212`	`schemaFactory.setResourceResolver(resolver);`
`213`	`213`	`Schema schema = schemaFactory.newSchema(new StreamSource(xsdStream));`
`214`		`- Validator validator = schema.newValidator();`
`215`		`- validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");`
`216`		`- validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`
	`214`	`+ Validator validator = XmlUtils.getHardenedValidator(schema);`
`217`	`215`	`validator.validate(new StreamSource(xml));`
`218`	`216`	`}`
`219`	`217`	`}`