Merge pull request #5343 from eclipse-ee4j/mojarra_pr_5339_improved_impl

Improved impl of #5339

Author: BalusC

impl/src/main/java/com/sun/faces/config/manager/Documents.java

@@ -18,6 +18,7 @@
 
 import static com.sun.faces.RIConstants.DOCUMENT_NAMESPACE;
 import static com.sun.faces.RIConstants.DOCUMENT_VERSION;
+import static com.sun.faces.util.Util.createLocalDocumentBuilderFactory;
 import static com.sun.faces.util.Util.isEmpty;
 import static java.util.Arrays.asList;
 import static java.util.logging.Level.INFO;
@@ -231,7 +232,7 @@ public static DocumentInfo[] sortDocuments(DocumentInfo[] facesDocuments, FacesC
     }
 
     private static DOMImplementation createDOMImplementation() throws ParserConfigurationException {
-        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory documentBuilderFactory = createLocalDocumentBuilderFactory();
         documentBuilderFactory.setNamespaceAware(true);
 
         return documentBuilderFactory.newDocumentBuilder().getDOMImplementation();

impl/src/main/java/com/sun/faces/config/processor/FacesFlowDefinitionConfigProcessor.java

@@ -16,6 +16,7 @@
 
 package com.sun.faces.config.processor;
 
+import static com.sun.faces.util.Util.createLocalDocumentBuilderFactory;
 import static com.sun.faces.util.Util.notNull;
 
 import java.net.MalformedURLException;
@@ -127,7 +128,7 @@ public static Document synthesizeEmptyFlowDefinition(URI uri) throws ParserConfi
         }
         String flowName = segments[segments.length - 2];
 
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory dbf = createLocalDocumentBuilderFactory();
         dbf.setNamespaceAware(true);
         DocumentBuilder builder = dbf.newDocumentBuilder();
         DOMImplementation domImpl = builder.getDOMImplementation();

impl/src/main/java/com/sun/faces/util/Util.java

@@ -21,6 +21,7 @@
 
 import static com.sun.faces.RIConstants.FACES_SERVLET_MAPPINGS;
 import static com.sun.faces.RIConstants.FACES_SERVLET_REGISTRATION;
+import static com.sun.faces.RIConstants.NO_VALUE;
 import static com.sun.faces.util.MessageUtils.ILLEGAL_ATTEMPT_SETTING_APPLICATION_ARTIFACT_ID;
 import static com.sun.faces.util.MessageUtils.NAMED_OBJECT_NOT_FOUND_ERROR_MESSAGE_ID;
 import static com.sun.faces.util.MessageUtils.NULL_PARAMETERS_ERROR_MESSAGE_ID;
@@ -62,6 +63,7 @@
 
 import javax.naming.InitialContext;
 import javax.naming.NamingException;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.NamespaceContext;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -269,12 +271,35 @@ public static boolean isUnitTestModeEnabled() {
         return unitTestModeEnabled;
     }
 
+    public static interface ThrowingBiConsumer<T, U> {
+        void accept(T t, U u) throws Exception;
+    }
+
+    private static <F> void setFeature(ThrowingBiConsumer<F, Boolean> setter, F feature, Boolean flag) {
+        try {
+            setter.accept(feature, flag);
+        } catch (Exception e) {
+            throw new IllegalArgumentException("The feature '" + feature + "' is not supported by your XML processor.", e);
+        }
+    }
+
+    private static <F> void setPossiblyUnsupportedFeature(ThrowingBiConsumer<F, Boolean> setter, F feature, Boolean flag) {
+        try {
+            setFeature(setter, feature, flag);
+        } catch (IllegalArgumentException e) {
+            LOGGER.log(Level.FINE, e.getMessage(), e);
+        }
+    }
+
     public static TransformerFactory createTransformerFactory() {
         ClassLoader cl = Thread.currentThread().getContextClassLoader();
         TransformerFactory factory;
         try {
             Thread.currentThread().setContextClassLoader(Util.class.getClassLoader());
             factory = TransformerFactory.newInstance();
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, NO_VALUE);
+            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, NO_VALUE);
+            setFeature(factory::setFeature, XMLConstants.FEATURE_SECURE_PROCESSING, true);
         } finally {
             Thread.currentThread().setContextClassLoader(cl);
         }
@@ -298,13 +323,25 @@ public static DocumentBuilderFactory createDocumentBuilderFactory() {
         DocumentBuilderFactory factory;
         try {
             Thread.currentThread().setContextClassLoader(Util.class.getClassLoader());
-            factory = DocumentBuilderFactory.newInstance();
+            factory = createLocalDocumentBuilderFactory();
         } finally {
             Thread.currentThread().setContextClassLoader(cl);
         }
         return factory;
     }
 
+    public static DocumentBuilderFactory createLocalDocumentBuilderFactory() {
+        DocumentBuilderFactory factory;
+        factory = DocumentBuilderFactory.newInstance();
+        factory.setXIncludeAware(false);
+        factory.setExpandEntityReferences(false);
+        setFeature(factory::setFeature, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        setPossiblyUnsupportedFeature(factory::setFeature, "http://xml.org/sax/features/external-general-entities", false);
+        setPossiblyUnsupportedFeature(factory::setFeature, "http://xml.org/sax/features/external-parameter-entities", false);
+        setPossiblyUnsupportedFeature(factory::setFeature, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        return factory;
+    }
+
     public static SchemaFactory createSchemaFactory(String uri) {
         ClassLoader cl = Thread.currentThread().getContextClassLoader();
         SchemaFactory factory;

impl/src/test/java/com/sun/faces/config/processor/FacesConfigNamespaceContextTest.java

@@ -16,6 +16,7 @@
 
 package com.sun.faces.config.processor;
 
+import static com.sun.faces.util.Util.createLocalDocumentBuilderFactory;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 
@@ -79,7 +80,7 @@ public void testJakartaEENSWithParameter() throws ParserConfigurationException,
 
 	private Document createFacesConfig(String flowName, String namespace, String version)
 			throws ParserConfigurationException {
-		DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+		DocumentBuilderFactory documentBuilderFactory = createLocalDocumentBuilderFactory();
 		documentBuilderFactory.setNamespaceAware(true);
 		DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
 		Document docFlowConfig = documentBuilder.newDocument();

impl/src/test/java/jakarta/faces/FacesConfigOrderingTestCase.java

@@ -16,6 +16,8 @@
 
 package jakarta.faces;
 
+import static com.sun.faces.util.Util.createLocalDocumentBuilderFactory;
+
 import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -25,17 +27,16 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
-import junit.framework.Test;
-import junit.framework.TestCase;
-import junit.framework.TestSuite;
-
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
 import com.sun.faces.config.manager.documents.DocumentInfo;
 import com.sun.faces.config.manager.documents.DocumentOrderingWrapper;
 
 import jakarta.faces.context.FacesContext;
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
 
 public class FacesConfigOrderingTestCase extends TestCase {
 
@@ -391,7 +392,7 @@ private void populateIds(String elementName, List<String> ids, String ns,
 
 	private Document newDocument() throws ParserConfigurationException {
 
-		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		DocumentBuilderFactory factory = createLocalDocumentBuilderFactory();
 		factory.setValidating(false);
 		factory.setNamespaceAware(true);
 		return factory.newDocumentBuilder().newDocument();