Update implementation to use secure transformer

modules/balana-core/src/main/java/org/wso2/balana/ctx/StatusDetail.java

@@ -169,9 +169,7 @@ private String nodeToText(Node node) throws ParsingException {
 
         StringWriter sw = new StringWriter();
         try {
-            TransformerFactory factory = TransformerFactory.newInstance();
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-            Transformer transformer = factory.newTransformer();
+            Transformer transformer = Utils.getSecuredTransformerFactory().newTransformer();
             transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
             transformer.setOutputProperty(OutputKeys.INDENT, "yes");
             transformer.transform(new DOMSource(node), new StreamResult(sw));

modules/balana-core/src/test/java/org/wso2/balana/basic/BasicTestV3.java

@@ -21,8 +21,11 @@
 import junit.framework.TestCase;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
 import org.wso2.balana.*;
 import org.wso2.balana.ctx.ResponseCtx;
+import org.wso2.balana.ctx.Status;
 import org.wso2.balana.finder.PolicyFinder;
 import org.wso2.balana.finder.PolicyFinderModule;
 import org.wso2.balana.finder.impl.FileBasedPolicyFinderModule;
@@ -32,6 +35,9 @@
 import java.util.HashSet;
 import java.util.Set;
 
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
 /**
  *  This XACML 3.0 basic polciy test. This would test a basic policy, basic policy with obligations and
  *   basic policy with advices. 
@@ -296,4 +302,29 @@ private static PDP getPDPNewInstance(Set<String> policies){
 
     }
 
+    public void testParsesSimpleStatusDetail() throws Exception {
+        String xml =
+                "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                        + "<Status>"
+                        + "  <StatusCode Value=\"test\">"
+                        + "  </StatusCode>"
+                        + "  <StatusMessage>Policy had a syntax issue</StatusMessage>"
+                        + "  <StatusDetail>"
+                        + "    <Problem>line=42; column=17</Problem>"
+                        + "  </StatusDetail>"
+                        + "</Status>";
+        Node root = parseRoot(xml);
+        Status status = Status.getInstance(root);
+        assertNotNull(status.getDetail().toString(), "StatusDetail should not be null");
+    }
+
+
+    private Node parseRoot(String xml) throws Exception {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        Document doc = builder.parse(new java.io.ByteArrayInputStream(xml.getBytes("UTF-8")));
+        Node root = doc.getDocumentElement();
+        return root;
+    }
+
 }

modules/balana-utils/src/main/java/org/wso2/balana/utils/Utils.java

@@ -29,8 +29,10 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import java.io.StringWriter;
@@ -50,6 +52,10 @@ public class Utils {
      */
     private static final int ENTITY_EXPANSION_LIMIT = 0;
 
+    //Secured transformer factory implementation
+    private static String JAVAX_TRANSFORMER_PROP_VAL =
+            "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";
+
     /**
      * Convert Document element to a String object
      * @param doc Document element
@@ -127,4 +133,34 @@ public static DocumentBuilderFactory getSecuredDocumentBuilderFactory() {
 //        StreamResult result =  new StreamResult(new StringWriter());
 //        transformer.transform(source, result);
 //    }
+
+    /**
+     * Create a secure process enabled TransformerFactory.
+     *
+     * @return Secured TransformerFactory which is stricly implemented via
+     * com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
+     */
+    public static TransformerFactory getSecuredTransformerFactory() {
+
+        TransformerFactory transformerFactory;
+        try {
+            // Prevent XXE Attack by ensure using the correct factory class to create TrasformerFactory instance.
+            // This will instruct Java to use the version which supports using ACCESS_EXTERNAL_DTD argument.
+            transformerFactory = TransformerFactory.newInstance(JAVAX_TRANSFORMER_PROP_VAL, null);
+        } catch (TransformerFactoryConfigurationError e) {
+            logger.error("Failed to load default TransformerFactory", e);
+            // This part uses the default implementation of xalan.
+            transformerFactory = TransformerFactory.newInstance();
+        }
+
+        try {
+            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (TransformerConfigurationException e) {
+            logger.error("Failed to load XML Processor Feature " + XMLConstants.FEATURE_SECURE_PROCESSING +
+                    " for secure-processing.");
+        }
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        return transformerFactory;
+    }
 }