move hardened XML factories to core

richard-dennehy · richard-dennehy · commit cdaf7a5b36a5 · 2025-08-27T13:46:26.000+01:00
diff --git a/build-tools-internal/src/main/resources/forbidden/jdk-signatures.txt b/build-tools-internal/src/main/resources/forbidden/jdk-signatures.txt
@@ -102,3 +102,21 @@ java.util.Collections#shuffle(java.util.List) @ Use java.util.Collections#shuffl
 
 @defaultMessage Avoid creating FilePermission objects directly, but use FilePermissionUtils instead
 java.io.FilePermission#<init>(java.lang.String,java.lang.String)
+
+@defaultMessage DocumentBuilderFactory should not be used directly. Use XmlUtils#getHardenedDocumentBuilder(java.lang.String[]) instead.
+javax.xml.parsers.DocumentBuilderFactory#newInstance()
+javax.xml.parsers.DocumentBuilderFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+javax.xml.parsers.DocumentBuilderFactory#newDefaultNSInstance()
+javax.xml.parsers.DocumentBuilderFactory#newNSInstance()
+javax.xml.parsers.DocumentBuilderFactory#newNSInstance(java.lang.String, java.lang.ClassLoader)
+
+@defaultMessage TransformerFactory should not be used directly. Use XmlUtils#getHardenedXMLTransformer() instead.
+javax.xml.transform.TransformerFactory#newInstance()
+javax.xml.transform.TransformerFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+
+@defaultMessage SAXParserFactory should not be used directly. Use XmlUtils#getHardenedSaxParser() instead
+javax.xml.parsers.SAXParserFactory#newInstance()
+javax.xml.parsers.SAXParserFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+javax.xml.parsers.SAXParserFactory#newDefaultNSInstance()
+javax.xml.parsers.SAXParserFactory#newNSInstance()
+javax.xml.parsers.SAXParserFactory#newNSInstance(java.lang.String, java.lang.ClassLoader)
diff --git a/libs/core/src/main/java/module-info.java b/libs/core/src/main/java/module-info.java
@@ -12,6 +12,7 @@
 module org.elasticsearch.base {
     requires static jsr305;
     requires org.elasticsearch.logging;
+    requires java.xml;
 
     exports org.elasticsearch.core;
     exports org.elasticsearch.jdk;
diff --git a/libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java b/libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.core;
+
+import org.elasticsearch.logging.LogManager;
+import org.elasticsearch.logging.Logger;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+
+public class XmlUtils {
+
+    private static final Logger LOGGER = LogManager.getLogger(XmlUtils.class);
+
+    /**
+     * Constructs a DocumentBuilder with all the necessary features for it to be secure
+     *
+     * @throws ParserConfigurationException if one of the features can't be set on the DocumentBuilderFactory
+     */
+    @SuppressForbidden(reason = "This is the only allowed way to construct a DocumentBuilder")
+    public static DocumentBuilder getHardenedBuilder(String[] schemaFiles) throws ParserConfigurationException {
+        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setNamespaceAware(true);
+        // Ensure that Schema Validation is enabled for the factory
+        dbf.setValidating(true);
+        // Disallow internal and external entity expansion
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        dbf.setFeature("http://xml.org/sax/features/validation", true);
+        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+        dbf.setIgnoringComments(true);
+        // This is required, otherwise schema validation causes signature invalidation
+        dbf.setFeature("http://apache.org/xml/features/validation/schema/normalized-value", false);
+        // Make sure that URL schema namespaces are not resolved/downloaded from URLs we do not control
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "file,jar");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file,jar");
+        dbf.setFeature("http://apache.org/xml/features/honour-all-schemaLocations", true);
+        // Ensure we do not resolve XIncludes. Defaults to false, but set it explicitly to be future-proof
+        dbf.setXIncludeAware(false);
+        // Ensure we do not expand entity reference nodes
+        dbf.setExpandEntityReferences(false);
+        // Further limit danger from denial of service attacks
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        dbf.setAttribute("http://apache.org/xml/features/validation/schema", true);
+        dbf.setAttribute("http://apache.org/xml/features/validation/schema-full-checking", true);
+        dbf.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", XMLConstants.W3C_XML_SCHEMA_NS_URI);
+        // We ship our own xsd files for schema validation since we do not trust anyone else.
+        dbf.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", schemaFiles);
+        DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
+        documentBuilder.setErrorHandler(new ErrorHandler());
+        return documentBuilder;
+    }
+
+    @SuppressForbidden(reason = "This is the only allowed way to construct a Transformer")
+    public static Transformer getHardenedXMLTransformer() throws TransformerConfigurationException {
+        final TransformerFactory tfactory = TransformerFactory.newInstance();
+        tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        tfactory.setAttribute("indent-number", 2);
+        Transformer transformer = tfactory.newTransformer();
+        transformer.setErrorListener(new ErrorListener());
+        return transformer;
+    }
+
+    private static class ErrorHandler implements org.xml.sax.ErrorHandler {
+        /**
+         * Enabling schema validation with `setValidating(true)` in our
+         * DocumentBuilderFactory requires that we provide our own
+         * ErrorHandler implementation
+         *
+         * @throws SAXException If the document we attempt to parse is not valid according to the specified schema.
+         */
+        @Override
+        public void warning(SAXParseException e) throws SAXException {
+            LOGGER.debug("XML Parser error ", e);
+            throw e;
+        }
+
+        @Override
+        public void error(SAXParseException e) throws SAXException {
+            LOGGER.debug("XML Parser error ", e);
+            throw e;
+        }
+
+        @Override
+        public void fatalError(SAXParseException e) throws SAXException {
+            LOGGER.debug("XML Parser error ", e);
+            throw e;
+        }
+    }
+
+
+    private static class ErrorListener implements javax.xml.transform.ErrorListener {
+
+        @Override
+        public void warning(TransformerException e) throws TransformerException {
+            LOGGER.debug("XML transformation error", e);
+            throw e;
+        }
+
+        @Override
+        public void error(TransformerException e) throws TransformerException {
+            LOGGER.debug("XML transformation error", e);
+            throw e;
+        }
+
+        @Override
+        public void fatalError(TransformerException e) throws TransformerException {
+            LOGGER.debug("XML transformation error", e);
+            throw e;
+        }
+    }
+}
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlSpMetadataAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlSpMetadataAction.java
@@ -11,6 +11,7 @@
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.HandledTransportAction;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
+import org.elasticsearch.core.XmlUtils;
 import org.elasticsearch.injection.guice.Inject;
 import org.elasticsearch.tasks.Task;
 import org.elasticsearch.transport.TransportService;
@@ -75,7 +76,7 @@ private void prepareMetadata(SamlRealm realm, ActionListener<SamlSpMetadataRespo
             final EntityDescriptor descriptor = builder.build();
             final Element element = marshaller.marshall(descriptor);
             final StringWriter writer = new StringWriter();
-            final Transformer serializer = SamlUtils.getHardenedXMLTransformer();
+            final Transformer serializer = XmlUtils.getHardenedXMLTransformer();
             serializer.transform(new DOMSource(element), new StreamResult(writer));
             listener.onResponse(new SamlSpMetadataResponse(writer.toString()));
         } catch (Exception e) {
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlUtils.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlUtils.java
@@ -12,7 +12,7 @@
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.common.hash.MessageDigests;
 import org.elasticsearch.core.IOUtils;
-import org.elasticsearch.core.SuppressForbidden;
+import org.elasticsearch.core.XmlUtils;
 import org.elasticsearch.xpack.core.security.support.RestorableContextClassLoader;
 import org.opensaml.core.config.InitializationService;
 import org.opensaml.core.xml.XMLObject;
@@ -30,8 +30,6 @@
 import org.w3c.dom.ls.DOMImplementationLS;
 import org.w3c.dom.ls.LSInput;
 import org.w3c.dom.ls.LSResourceResolver;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -51,13 +49,10 @@
 import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -161,7 +156,7 @@ static String toString(Element element) {
     }
 
     static void print(Element element, Writer writer, boolean pretty) throws TransformerException {
-        final Transformer serializer = getHardenedXMLTransformer();
+        final Transformer serializer = XmlUtils.getHardenedXMLTransformer();
         if (pretty) {
             serializer.setOutputProperty(OutputKeys.INDENT, "yes");
         }
@@ -211,18 +206,6 @@ static String describeSamlObject(SAMLObject object) {
         return getXmlContent(object, true);
     }
 
-    @SuppressForbidden(reason = "This is the only allowed way to construct a Transformer")
-    public static Transformer getHardenedXMLTransformer() throws TransformerConfigurationException {
-        final TransformerFactory tfactory = TransformerFactory.newInstance();
-        tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
-        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-        tfactory.setAttribute("indent-number", 2);
-        Transformer transformer = tfactory.newTransformer();
-        transformer.setErrorListener(new ErrorListener());
-        return transformer;
-    }
-
     static void validate(InputStream xml, String xsdName) throws Exception {
         SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
         try (InputStream xsdStream = loadSchema(xsdName); ResourceResolver resolver = new ResourceResolver()) {
@@ -277,40 +260,8 @@ public void close() throws IOException {
      *
      * @throws ParserConfigurationException if one of the features can't be set on the DocumentBuilderFactory
      */
-    @SuppressForbidden(reason = "This is the only allowed way to construct a DocumentBuilder")
     public static DocumentBuilder getHardenedBuilder(String[] schemaFiles) throws ParserConfigurationException {
-        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        dbf.setNamespaceAware(true);
-        // Ensure that Schema Validation is enabled for the factory
-        dbf.setValidating(true);
-        // Disallow internal and external entity expansion
-        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
-        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-        dbf.setFeature("http://xml.org/sax/features/validation", true);
-        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
-        dbf.setIgnoringComments(true);
-        // This is required, otherwise schema validation causes signature invalidation
-        dbf.setFeature("http://apache.org/xml/features/validation/schema/normalized-value", false);
-        // Make sure that URL schema namespaces are not resolved/downloaded from URLs we do not control
-        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "file,jar");
-        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file,jar");
-        dbf.setFeature("http://apache.org/xml/features/honour-all-schemaLocations", true);
-        // Ensure we do not resolve XIncludes. Defaults to false, but set it explicitly to be future-proof
-        dbf.setXIncludeAware(false);
-        // Ensure we do not expand entity reference nodes
-        dbf.setExpandEntityReferences(false);
-        // Further limit danger from denial of service attacks
-        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        dbf.setAttribute("http://apache.org/xml/features/validation/schema", true);
-        dbf.setAttribute("http://apache.org/xml/features/validation/schema-full-checking", true);
-        dbf.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", XMLConstants.W3C_XML_SCHEMA_NS_URI);
-        // We ship our own xsd files for schema validation since we do not trust anyone else.
-        dbf.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaFilePaths(schemaFiles));
-        DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
-        documentBuilder.setErrorHandler(new ErrorHandler());
-        return documentBuilder;
+        return XmlUtils.getHardenedBuilder(resolveSchemaFilePaths(schemaFiles));
     }
 
     private static String[] resolveSchemaFilePaths(String[] relativePaths) {
@@ -324,52 +275,4 @@ private static String[] resolveSchemaFilePaths(String[] relativePaths) {
             }
         }).filter(Objects::nonNull).toArray(String[]::new);
     }
-
-    private static class ErrorListener implements javax.xml.transform.ErrorListener {
-
-        @Override
-        public void warning(TransformerException e) throws TransformerException {
-            LOGGER.debug("XML transformation error", e);
-            throw e;
-        }
-
-        @Override
-        public void error(TransformerException e) throws TransformerException {
-            LOGGER.debug("XML transformation error", e);
-            throw e;
-        }
-
-        @Override
-        public void fatalError(TransformerException e) throws TransformerException {
-            LOGGER.debug("XML transformation error", e);
-            throw e;
-        }
-    }
-
-    private static class ErrorHandler implements org.xml.sax.ErrorHandler {
-        /**
-         * Enabling schema validation with `setValidating(true)` in our
-         * DocumentBuilderFactory requires that we provide our own
-         * ErrorHandler implementation
-         *
-         * @throws SAXException If the document we attempt to parse is not valid according to the specified schema.
-         */
-        @Override
-        public void warning(SAXParseException e) throws SAXException {
-            LOGGER.debug("XML Parser error ", e);
-            throw e;
-        }
-
-        @Override
-        public void error(SAXParseException e) throws SAXException {
-            LOGGER.debug("XML Parser error ", e);
-            throw e;
-        }
-
-        @Override
-        public void fatalError(SAXParseException e) throws SAXException {
-            LOGGER.debug("XML Parser error ", e);
-            throw e;
-        }
-    }
 }
