Improve the security of XML parsers

Improve the security of XML parsers to prevent XML attacks like XML bombs and XXE attacks.
Set default configuration of xml parsers to throw an exception when it find DTD in the XML and implement factory logic to give an opportunity for customer to override the way of creation xml parsers.

DEVSIX-3270

Author: ar3em

forms/src/main/java/com/itextpdf/forms/xfa/XfaForm.java

@@ -54,28 +54,24 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.pdf.PdfString;
 import com.itextpdf.kernel.pdf.PdfVersion;
 import com.itextpdf.kernel.pdf.VersionConforming;
+import com.itextpdf.kernel.utils.XmlProcessorCreator;
 import com.itextpdf.kernel.xmp.XmlDomWriter;
 
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.StringReader;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
-
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
-import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
@@ -107,13 +103,14 @@ public XfaForm() {
 
     /**
      * Creates an XFA form by the stream containing all xml information
+     *
      * @param inputStream the InputStream
      */
     public XfaForm(InputStream inputStream) {
         try {
             initXfaForm(inputStream);
         } catch (Exception e) {
-            throw new PdfException(e);
+            throw new PdfException(e.getMessage(), e);
         }
     }
 
@@ -140,7 +137,7 @@ public XfaForm(PdfDictionary acroFormDictionary) {
             try {
                 initXfaForm(xfa);
             } catch (Exception e) {
-                throw new PdfException(e);
+                throw new PdfException(e.getMessage(), e);
             }
         }
     }
@@ -157,7 +154,7 @@ public XfaForm(PdfDocument pdfDocument) {
             try {
                 initXfaForm(xfa);
             } catch (Exception e) {
-                throw new PdfException(e);
+                throw new PdfException(e.getMessage(), e);
             }
         }
     }
@@ -497,17 +494,12 @@ public void fillXfaForm(InputSource is) throws IOException {
      * @throws java.io.IOException if any I/O issue occurs on the {@link InputSource}
      */
     public void fillXfaForm(InputSource is, boolean readOnly) throws IOException {
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        DocumentBuilder db;
         try {
-            db = dbf.newDocumentBuilder();
-            db.setEntityResolver(new SafeEmptyEntityResolver());
+            DocumentBuilder db = XmlProcessorCreator.createSafeDocumentBuilder(false, false);
             Document newdoc = db.parse(is);
             fillXfaForm(newdoc.getDocumentElement(), readOnly);
-        } catch (ParserConfigurationException e) {
-            throw new PdfException(e);
         } catch (SAXException e) {
-            throw new PdfException(e);
+            throw new PdfException(e.getMessage(), e);
         }
     }
 
@@ -631,11 +623,8 @@ private void initXfaForm(PdfObject xfa) throws IOException, ParserConfigurationE
         initXfaForm(new ByteArrayInputStream(bout.toByteArray()));
     }
 
-    private void initXfaForm(InputStream inputStream) throws ParserConfigurationException, IOException, SAXException {
-        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
-        fact.setNamespaceAware(true);
-        DocumentBuilder db = fact.newDocumentBuilder();
-        db.setEntityResolver(new SafeEmptyEntityResolver());
+    private void initXfaForm(InputStream inputStream) throws IOException, SAXException {
+        DocumentBuilder db = XmlProcessorCreator.createSafeDocumentBuilder(true, false);
         setDomDocument(db.parse(inputStream));
         xfaPresent = true;
     }
@@ -696,12 +685,4 @@ private Node findDataNode(Node datasetsNode) {
         }
         return null;
     }
-
-    // Prevents XXE attacks
-    private static class SafeEmptyEntityResolver implements EntityResolver {
-        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
-            return new InputSource(new StringReader(""));
-        }
-    }
-
 }

forms/src/main/java/com/itextpdf/forms/xfdf/XfdfFileUtils.java

@@ -42,24 +42,20 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.forms.xfdf;
 
-import org.w3c.dom.Document;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
+import com.itextpdf.kernel.PdfException;
+import com.itextpdf.kernel.utils.XmlProcessorCreator;
 
+import java.io.InputStream;
+import java.io.OutputStream;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.StringReader;
+import org.w3c.dom.Document;
 
 final class XfdfFileUtils {
 
@@ -68,32 +64,40 @@ private XfdfFileUtils() {
 
     /**
      * Creates a new xml-styled document for writing xfdf info.
+     *
      * @throws ParserConfigurationException in case of failure to create a new document.
      */
-    static Document createNewXfdfDocument() throws ParserConfigurationException {
-        DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
-        DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
-        documentBuilder.setEntityResolver(new XfdfFileUtils.SafeEmptyEntityResolver());
-        return documentBuilder.newDocument();
+    static Document createNewXfdfDocument() {
+        try {
+            DocumentBuilder db = XmlProcessorCreator.createSafeDocumentBuilder(false, false);
+            return db.newDocument();
+        } catch (Exception e) {
+            throw new PdfException(e.getMessage(), e);
+        }
     }
 
     /**
      * Creates a new xfdf document based on given input stream.
+     *
      * @param inputStream containing xfdf info.
      */
-    static Document createXfdfDocumentFromStream(InputStream inputStream) throws ParserConfigurationException, IOException, SAXException {
-        DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
-        DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
-        documentBuilder.setEntityResolver(new XfdfFileUtils.SafeEmptyEntityResolver());
-        return documentBuilder.parse(inputStream);
+    static Document createXfdfDocumentFromStream(InputStream inputStream) {
+        try {
+            DocumentBuilder db = XmlProcessorCreator.createSafeDocumentBuilder(false, false);
+            return db.parse(inputStream);
+        } catch (Exception e) {
+            throw new PdfException(e.getMessage(), e);
+        }
     }
 
     /**
-     * Saves the info from output stream to xml-styled document.
-     * @param document to save info to.
-     * @param outputStream the stream containing xfdf info.
+     * Saves the info from XML-styled {@link Document} to {@link OutputStream}.
+     *
+     * @param document     input {@link Document} that contains XFDF info
+     * @param outputStream the output stream
      */
-    static void saveXfdfDocumentToFile(Document document, OutputStream outputStream) throws TransformerException {
+    static void saveXfdfDocumentToFile(Document document, OutputStream outputStream)
+            throws TransformerException {
         TransformerFactory transformerFactory = TransformerFactory.newInstance();
         transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
@@ -103,11 +107,4 @@ static void saveXfdfDocumentToFile(Document document, OutputStream outputStream)
         StreamResult streamResult = new StreamResult(outputStream);
         transformer.transform(domSource, streamResult);
     }
-
-    // Prevents XXE attacks
-    private static class SafeEmptyEntityResolver implements EntityResolver {
-        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
-            return new InputSource(new StringReader(""));
-        }
-    }
 }

forms/src/test/java/com/itextpdf/forms/xfa/SecurityTestXmlParserFactory.java

@@ -0,0 +1,75 @@
+/*
+    This file is part of the iText (R) project.
+    Copyright (c) 1998-2021 iText Group NV
+    Authors: iText Software.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License version 3
+    as published by the Free Software Foundation with the addition of the
+    following permission added to Section 15 as permitted in Section 7(a):
+    FOR ANY PART OF THE COVERED WORK IN WHICH THE COPYRIGHT IS OWNED BY
+    ITEXT GROUP. ITEXT GROUP DISCLAIMS THE WARRANTY OF NON INFRINGEMENT
+    OF THIRD PARTY RIGHTS
+
+    This program is distributed in the hope that it will be useful, but
+    WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+    or FITNESS FOR A PARTICULAR PURPOSE.
+    See the GNU Affero General Public License for more details.
+    You should have received a copy of the GNU Affero General Public License
+    along with this program; if not, see http://www.gnu.org/licenses or write to
+    the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+    Boston, MA, 02110-1301 USA, or download the license from the following URL:
+    http://itextpdf.com/terms-of-use/
+
+    The interactive user interfaces in modified source and object code versions
+    of this program must display Appropriate Legal Notices, as required under
+    Section 5 of the GNU Affero General Public License.
+
+    In accordance with Section 7(b) of the GNU Affero General Public License,
+    a covered work must retain the producer line in every PDF that is created
+    or manipulated using iText.
+
+    You can be released from the requirements of the license by purchasing
+    a commercial license. Buying such a license is mandatory as soon as you
+    develop commercial activities involving the iText software without
+    disclosing the source code of your own applications.
+    These activities include: offering paid services to customers as an ASP,
+    serving PDFs on the fly in a web application, shipping iText with a closed
+    source product.
+
+    For more information, please contact iText Software Corp. at this
+    address: [email protected]
+ */
+package com.itextpdf.forms.xfa;
+
+import com.itextpdf.kernel.PdfException;
+import com.itextpdf.kernel.utils.DefaultSafeXmlParserFactory;
+import com.itextpdf.test.ExceptionTestUtil;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+
+public class SecurityTestXmlParserFactory extends DefaultSafeXmlParserFactory {
+
+    @Override
+    public DocumentBuilder createDocumentBuilderInstance(boolean namespaceAware, boolean ignoringComments) {
+        DocumentBuilder db;
+        try {
+            db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+        } catch (ParserConfigurationException e) {
+            throw new PdfException(e.getMessage(), e);
+        }
+
+        db.setEntityResolver(new TestEntityResolver());
+        return db;
+    }
+
+    private static class TestEntityResolver implements EntityResolver {
+        public InputSource resolveEntity(String publicId, String systemId) {
+            throw new PdfException(ExceptionTestUtil.getXxeTestMessage());
+        }
+    }
+}