get rid of ObjectFactory.java

src/test/java/de/kosit/validationtool/impl/Helper.java

@@ -28,23 +28,17 @@ import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.file.Paths;
 
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 
-import org.w3c.dom.Document;
-
 import de.kosit.validationtool.api.Input;
 import de.kosit.validationtool.api.ResolvingConfigurationStrategy;
 import de.kosit.validationtool.impl.model.Result;
 import de.kosit.validationtool.impl.tasks.DocumentParseAction;
 import de.kosit.validationtool.model.reportInput.XMLSyntaxError;
 
-import net.sf.saxon.dom.NodeOverNodeInfo;
 import net.sf.saxon.s9api.Processor;
 import net.sf.saxon.s9api.SaxonApiException;
+import net.sf.saxon.s9api.Serializer;
 import net.sf.saxon.s9api.XdmNode;
 
 /**
@@ -148,20 +142,17 @@ public class Helper {
                 new File("src/test/resources/examples/repository").toURI());
     }
 
-    public static String serialize(final Document doc) {
+    public static String serialize(final XdmNode node) {
         try ( final StringWriter writer = new StringWriter() ) {
-            final Transformer transformer = TestObjectFactory.createTransformer(true);
-            transformer.transform(new DOMSource(doc), new StreamResult(writer));
+            final Processor processor = Helper.getTestProcessor();
+            final Serializer serializer = processor.newSerializer(writer);
+            serializer.serializeNode(node);
             return writer.toString();
-        } catch (final IOException | TransformerException e) {
+        } catch (final SaxonApiException | IOException e) {
             throw new IllegalStateException("Can not serialize document", e);
         }
     }
 
-    public static String serialize(final XdmNode node) {
-        return serialize((Document) NodeOverNodeInfo.wrap(node.getUnderlyingNode()));
-    }
-
     public static Result<XdmNode, XMLSyntaxError> parseDocument(final Processor processor, final Input input) {
         return new DocumentParseAction(processor).parseDocument(input);
     }

src/test/java/de/kosit/validationtool/impl/SaxonSecurityTest.java

@@ -26,12 +26,11 @@ import java.io.IOException;
 import java.net.URL;
 import java.util.stream.Collectors;
 
-import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.Source;
 import javax.xml.transform.stream.StreamSource;
 
 import org.apache.commons.lang3.StringUtils;
 import org.junit.Test;
-import org.w3c.dom.Document;
 
 import lombok.extern.slf4j.Slf4j;
 
@@ -41,9 +40,9 @@ import de.kosit.validationtool.impl.model.Result;
 import de.kosit.validationtool.impl.xml.RelativeUriResolver;
 import de.kosit.validationtool.model.reportInput.XMLSyntaxError;
 
-import net.sf.saxon.s9api.DOMDestination;
 import net.sf.saxon.s9api.Processor;
 import net.sf.saxon.s9api.SaxonApiException;
+import net.sf.saxon.s9api.XdmDestination;
 import net.sf.saxon.s9api.XdmNode;
 import net.sf.saxon.s9api.XsltCompiler;
 import net.sf.saxon.s9api.XsltExecutable;
@@ -67,19 +66,18 @@ public class SaxonSecurityTest {
                 final XsltCompiler compiler = p.newXsltCompiler();
                 final RelativeUriResolver resolver = new RelativeUriResolver(Simple.REPOSITORY_URI);
                 compiler.setURIResolver(resolver);
-                final XsltExecutable exetuable = compiler.compile(new StreamSource(resource.openStream()));
-                final XsltTransformer transformer = exetuable.load();
-                final Document document = TestObjectFactory.createDocumentBuilder(false).newDocument();
-                document.createElement("root");
-                final Document result = TestObjectFactory.createDocumentBuilder(false).newDocument();
+                final XsltExecutable executable = compiler.compile(new StreamSource(resource.openStream()));
+                final XsltTransformer transformer = executable.load();
+                final Source document = InputFactory.read("<root/>".getBytes(), "dummy").getSource();
                 // transformer.getUnderlyingController().setUnparsedTextURIResolver(resolver);
                 transformer.setURIResolver(resolver);
-                transformer.setSource(new DOMSource(document));
-                transformer.setDestination(new DOMDestination(result));
+                transformer.setSource(document);
+                final XdmDestination result = new XdmDestination();
+                transformer.setDestination(result);
                 transformer.transform();
 
                 // wenn der Punkt erreicht wird, sollte wenigstens, das Element evil nicht mit 'bösen' Inhalten gefüllt sein!
-                if (StringUtils.isNotBlank(result.getDocumentElement().getTextContent())) {
+                if (StringUtils.isNotBlank(result.getXdmNode().getStringValue())) {
                     fail(String.format("Saxon configuration should prevent expansion within %s", resource));
                 }
 

src/test/java/de/kosit/validationtool/impl/TestObjectFactory.java

@@ -1,7 +1,95 @@
 package de.kosit.validationtool.impl;
 
+import java.io.Reader;
+import java.io.UnsupportedEncodingException;
+import java.net.URI;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
+import javax.xml.transform.Result;
+import javax.xml.transform.TransformerException;
+
+import net.sf.saxon.Configuration;
+import net.sf.saxon.expr.XPathContext;
+import net.sf.saxon.lib.CollectionFinder;
+import net.sf.saxon.lib.FeatureKeys;
+import net.sf.saxon.lib.OutputURIResolver;
+import net.sf.saxon.lib.ResourceCollection;
+import net.sf.saxon.lib.UnparsedTextURIResolver;
+import net.sf.saxon.s9api.Processor;
+import net.sf.saxon.trans.XPathException;
+
 /**
  * @author Andreas Penski
  */
-public class TestObjectFactory extends ObjectFactory {
+public class TestObjectFactory {
+
+    private static class SecureUriResolver implements CollectionFinder, OutputURIResolver, UnparsedTextURIResolver {
+
+        public static final String MESSAGE = "Configuration error. Resolving ist not allowed";
+
+        @Override
+        public OutputURIResolver newInstance() {
+            return this;
+        }
+
+        @Override
+        public Result resolve(final String href, final String base) throws TransformerException {
+            throw new IllegalStateException(MESSAGE);
+        }
+
+        @Override
+        public void close(final Result result) throws TransformerException {
+            throw new IllegalStateException(MESSAGE);
+        }
+
+        @Override
+        public Reader resolve(final URI absoluteURI, final String encoding, final Configuration config) throws XPathException {
+            throw new IllegalStateException(MESSAGE);
+        }
+
+        @Override
+        public ResourceCollection findCollection(final XPathContext context, final String collectionURI) throws XPathException {
+            throw new IllegalStateException(MESSAGE);
+        }
+    }
+
+    private static final String DISSALLOW_DOCTYPE_DECL_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+
+    private static final String LOAD_EXTERNAL_DTD_FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+    private static final String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing";
+
+    private static Processor processor;
+
+    private static String encode(final String input) {
+        try {
+            return URLEncoder.encode(input, StandardCharsets.UTF_8.name());
+        } catch (final UnsupportedEncodingException e) {
+            throw new IllegalStateException("Error encoding property while initializing saxon", e);
+        }
+    }
+
+    public static Processor createProcessor() {
+        if (processor == null) {
+            processor = new Processor(false);
+            // verhindere global im Prinzip alle resolving strategien
+            final SecureUriResolver resolver = new SecureUriResolver();
+            processor.getUnderlyingConfiguration().setCollectionFinder(resolver);
+            processor.getUnderlyingConfiguration().setOutputURIResolver(resolver);
+            processor.getUnderlyingConfiguration().setUnparsedTextURIResolver(resolver);
+
+            // grundsätzlich Feature-konfiguration:
+            processor.setConfigurationProperty(FeatureKeys.DTD_VALIDATION, false);
+            processor.setConfigurationProperty(FeatureKeys.ENTITY_RESOLVER_CLASS, "");
+            processor.setConfigurationProperty(FeatureKeys.XINCLUDE, false);
+            processor.setConfigurationProperty(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, false);
+
+            // Konfiguration des zu verwendenden Parsers, wenn Saxon selbst einen erzeugen muss, bspw. beim XSL parsen
+            processor.setConfigurationProperty(FeatureKeys.XML_PARSER_FEATURE + encode(FEATURE_SECURE_PROCESSING), true);
+            processor.setConfigurationProperty(FeatureKeys.XML_PARSER_FEATURE + encode(DISSALLOW_DOCTYPE_DECL_FEATURE), true);
+            processor.setConfigurationProperty(FeatureKeys.XML_PARSER_FEATURE + encode(LOAD_EXTERNAL_DTD_FEATURE), false);
+        }
+        return processor;
+    }
 }