Update implementation to use secure transformer

sgayangi · sgayangi · commit 7691d250ada2 · 2025-06-12T13:51:45.000+05:30
diff --git a/modules/balana-core/src/main/java/org/wso2/balana/ctx/StatusDetail.java b/modules/balana-core/src/main/java/org/wso2/balana/ctx/StatusDetail.java
@@ -169,9 +169,7 @@ private String nodeToText(Node node) throws ParsingException {
 
         StringWriter sw = new StringWriter();
         try {
-            TransformerFactory factory = TransformerFactory.newInstance();
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-            Transformer transformer = factory.newTransformer();
+            Transformer transformer = Utils.getSecuredTransformerFactory().newTransformer();
             transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
             transformer.setOutputProperty(OutputKeys.INDENT, "yes");
             transformer.transform(new DOMSource(node), new StreamResult(sw));
diff --git a/modules/balana-utils/src/main/java/org/wso2/balana/utils/Utils.java b/modules/balana-utils/src/main/java/org/wso2/balana/utils/Utils.java
@@ -29,8 +29,10 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import java.io.StringWriter;
@@ -50,6 +52,10 @@ public class Utils {
      */
     private static final int ENTITY_EXPANSION_LIMIT = 0;
 
+    //Secured transformer factory implementation
+    private static String JAVAX_TRANSFORMER_PROP_VAL =
+            "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";
+
     /**
      * Convert Document element to a String object
      * @param doc Document element
@@ -127,4 +133,34 @@ public static DocumentBuilderFactory getSecuredDocumentBuilderFactory() {
 //        StreamResult result =  new StreamResult(new StringWriter());
 //        transformer.transform(source, result);
 //    }
+
+    /**
+     * Create a secure process enabled TransformerFactory.
+     *
+     * @return Secured TransformerFactory which is stricly implemented via
+     * com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
+     */
+    public static TransformerFactory getSecuredTransformerFactory() {
+
+        TransformerFactory transformerFactory;
+        try {
+            // Prevent XXE Attack by ensure using the correct factory class to create TrasformerFactory instance.
+            // This will instruct Java to use the version which supports using ACCESS_EXTERNAL_DTD argument.
+            transformerFactory = TransformerFactory.newInstance(JAVAX_TRANSFORMER_PROP_VAL, null);
+        } catch (TransformerFactoryConfigurationError e) {
+            logger.error("Failed to load default TransformerFactory", e);
+            // This part uses the default implementation of xalan.
+            transformerFactory = TransformerFactory.newInstance();
+        }
+
+        try {
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (TransformerConfigurationException e) {
+            logger.error("Failed to load XML Processor Feature " + XMLConstants.FEATURE_SECURE_PROCESSING +
+                    " for secure-processing.");
+        }
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        return transformerFactory;
+    }
 }
