- All Implemented Interfaces:
EntityResolver, EntityResolver2
Has common W3C DTDs/entities built-in and loads others via the supplied
SYSTEM URL, provided that all of the following conditions are met:
- The URL protocol is http or https.
- Either the MIME type is valid for a DTD or entity, or the filename ends
with .dtd, .ent or .mod.
- The whitelist is either disabled (no host added to it) or contains the host from the URL.
If the whitelist is enabled (e.g. via the default constructor), any attempt to download data from a remote URL whose host is not present in the whitelist produces an exception. You can use that to find out whether your documents reference a DTD resource that is not bundled with this resolver.
If the constructor with a false argument was used, the whitelist
can still be enabled by adding a hostname via
addHostToWhiteList(String).
Although this resolver should protect you from most information leaks (see
SSRF attacks) and also from jar: decompression bombs (jar: and every other
non-http/https protocol is rejected by the protocol check), DoS attacks based
on entity expansion/recursion like the 'billion laughs' attack may still be
possible and must be prevented at the XML parser: an entity resolver decides
where external DTDs and entities come from, not how many times the parser
expands them. Be sure to use a properly configured, recent version of your parser.
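The following is an added example, not code from this page or from the project that ships DefaultEntityResolver. It shows the whitelist semantics described above end to end: a bundled W3C DTD resolves offline, a DTD on a non-whitelisted host is refused, and the parser itself is configured to enforce entity-expansion limits, which the resolver does not. Assumptions: the class lives in package io.sf.carte.doc.xml.dtd (adjust the import to your build), the XHTML 1.0 Strict DTD is among the bundled W3C DTDs, and the refused fetch surfaces from parse() as a SAXException or IOException. Both input documents are constructed samples.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Assumed package for DefaultEntityResolver; adjust to match your build.
import io.sf.carte.doc.xml.dtd.DefaultEntityResolver;

public class WhitelistedDtdParsing {

    // Constructed sample: DOCTYPE references the W3C XHTML 1.0 Strict DTD,
    // assumed to be one of the DTDs bundled with the resolver, so the
    // &copy; entity resolves without any network access.
    static final String XHTML_DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\""
        + " \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n"
        + "<html xmlns=\"http://www.w3.org/1999/xhtml\"><head><title>t</title></head>"
        + "<body><p>&copy; example</p></body></html>";

    // Constructed sample: DOCTYPE points at a host that is not whitelisted.
    // With the whitelist enabled the resolver refuses to download it.
    static final String FOREIGN_DTD_DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE html SYSTEM \"http://dtd.example.invalid/html.dtd\">\n"
        + "<html><body/></html>";

    // Parser hardening: FEATURE_SECURE_PROCESSING makes the JDK parser enforce
    // its entity expansion limits. That is the defence against "billion
    // laughs"; the resolver only controls where external DTDs come from.
    static DocumentBuilder hardenedBuilder(DefaultEntityResolver resolver)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = f.newDocumentBuilder();
        db.setEntityResolver(resolver); // every external DTD/entity goes through it
        return db;
    }

    static Document parse(DocumentBuilder db, String xml)
            throws SAXException, IOException {
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Default constructor: whitelist enabled and empty, so only bundled
        // DTDs resolve and every remote fetch is refused.
        DefaultEntityResolver strict = new DefaultEntityResolver();
        DocumentBuilder db = hardenedBuilder(strict);

        Document doc = parse(db, XHTML_DOC);
        System.out.println("Bundled DTD resolved, paragraph text: "
            + doc.getElementsByTagName("p").item(0).getTextContent());

        try {
            parse(db, FOREIGN_DTD_DOC);
            System.out.println("unexpected: remote DTD was fetched");
        } catch (SAXException | IOException e) {
            // Expected: host not in the whitelist. This is the signal the
            // description suggests using to find documents whose DTDs are
            // not bundled with the resolver.
            System.out.println("Remote DTD refused: " + e.getMessage());
        }

        // Opting one host in. Only http/https URLs are ever fetched, and the
        // URL's host must match an entry added via addHostToWhiteList.
        DefaultEntityResolver allowOne = new DefaultEntityResolver();
        allowOne.addHostToWhiteList("dtd.example.invalid");
        try {
            parse(hardenedBuilder(allowOne), FOREIGN_DTD_DOC);
        } catch (SAXException | IOException e) {
            // The fetch is now attempted; it fails here only because the
            // constructed sample host does not exist.
            System.out.println("Fetch attempted, failed with: " + e.getMessage());
        }

        // new DefaultEntityResolver(false) would disable the whitelist and
        // allow any http/https host; avoid that for untrusted input.
    }
}
```

Run the class with the resolver's jar and a JDK on the classpath; the first parse succeeds offline, the second is refused by the resolver before any socket is opened.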
-
Constructor Summary
Constructor / Description
DefaultEntityResolver()
    Construct a resolver with the whitelist enabled.
DefaultEntityResolver(boolean enableWhitelist)
    Construct a resolver with the whitelist enabled or disabled according to enableWhitelist.
-
Method Summary
Modifier and Type / Method / Description
void addHostToWhiteList(String fqdn)
    Add the given host to a whitelist for remote DTD fetching.
protected void connect(URLConnection con)
    Connect the given URLConnection.
InputSource getExternalSubset(String name, String baseURI)
protected boolean isInvalidPath(String path)
protected boolean isInvalidProtocol(String protocol)
    Is the given protocol not supported by this resolver?
protected boolean isValidContentType(String conType)
    Is the given string a valid DTD/entity content-type?
protected boolean isWhitelistedHost(String host)
    Is the given host whitelisted?
protected boolean isWhitelistEnabled()
    Is the whitelist enabled?
protected URLConnection openConnection(URL url)
    Open a connection to the given URL.
resolveEntity(DocumentTypeDeclaration dtDecl)
resolveEntity(String documentTypeDeclaration)
final InputSource resolveEntity(String publicId, String systemId)
final InputSource resolveEntity(String name, String publicId, String baseURI, String systemId)
resolveEntity(DocumentType dtDecl)
void setClassLoader(ClassLoader loader)
-
Constructor Details
-
DefaultEntityResolver
public DefaultEntityResolver()
Construct a resolver with the whitelist enabled.
-
DefaultEntityResolver
public DefaultEntityResolver(boolean enableWhitelist)
Construct a resolver with the whitelist enabled or disabled according to enableWhitelist.
- Parameters:
enableWhitelist - can be false to allow connecting to any host to retrieve DTDs or entities, or true to enable the (empty) whitelist so no network connections are allowed until a host is added to it.
-
-
Method Details
-
addHostToWhiteList
public void addHostToWhiteList(String fqdn)
Add the given host to a whitelist for remote DTD fetching. If the whitelist is enabled, only http or https URLs will be allowed. Adding a host to a resolver constructed with the whitelist disabled enables the whitelist.
- Parameters:
fqdn - the fully qualified domain name to add to the whitelist.
-
getExternalSubset
public InputSource getExternalSubset(String name, String baseURI) throws SAXException, IOException
- Specified by:
getExternalSubset in interface EntityResolver2
- Throws:
SAXException, IOException
-
resolveEntity
public final InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws SAXException, IOException
- Specified by:
resolveEntity in interface EntityResolver2
- Throws:
SAXException, IOException
-
isInvalidPath
protected boolean isInvalidPath(String path)
-
isWhitelistEnabled
protected boolean isWhitelistEnabled()
Is the whitelist enabled?
- Returns:
true if the whitelist is enabled.
-
isInvalidProtocol
protected boolean isInvalidProtocol(String protocol)
Is the given protocol not supported by this resolver?
- Parameters:
protocol - the protocol.
- Returns:
true if this resolver considers the given protocol invalid.
-
isWhitelistedHost
protected boolean isWhitelistedHost(String host)
Is the given host whitelisted?
- Parameters:
host - the host to test.
- Returns:
true if the given host is whitelisted.
-
openConnection
protected URLConnection openConnection(URL url) throws IOException
Open a connection to the given URL.
- Parameters:
url - the URL to connect to.
- Returns:
the connection.
- Throws:
IOException - if an I/O error happened opening the connection.
-
connect
protected void connect(URLConnection con) throws IOException
Connect the given URLConnection.
- Parameters:
con - the URLConnection.
- Throws:
IOException - if a problem happened connecting.
-
isValidContentType
protected boolean isValidContentType(String conType)
Is the given string a valid DTD/entity content-type?
- Parameters:
conType - the content-type.
- Returns:
true if it is a valid DTD/entity content-type.
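The protected hooks above (isInvalidProtocol, isWhitelistedHost, openConnection, connect) are the extension points for tightening the default policy. The subclass below is an added example, not code from this page or from the project: it accepts https only, never treats an IP literal as whitelisted (so link-local and RFC 1918 addresses cannot be reached even if someone adds one), and puts connect/read timeouts on every connection so a slow DTD server cannot stall the parser thread. It assumes the package io.sf.carte.doc.xml.dtd, that openConnection(URL) returns a not-yet-connected URLConnection which connect(URLConnection) later opens, and that the host passed to isWhitelistedHost is the URL's host as returned by URL.getHost() (IPv6 literals in brackets).

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.util.Locale;
import java.util.regex.Pattern;

// Assumed package for DefaultEntityResolver; adjust to match your build.
import io.sf.carte.doc.xml.dtd.DefaultEntityResolver;

/**
 * Stricter resolver built on the protected hooks of DefaultEntityResolver.
 * Policy changes relative to the base class:
 *  - only https is accepted (the base class also accepts http);
 *  - IPv4/IPv6 literals are never whitelisted, whatever was added;
 *  - every connection gets connect and read timeouts.
 */
public class StrictEntityResolver extends DefaultEntityResolver {

    private static final Pattern IPV4 =
        Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

    private final int timeoutMillis;

    public StrictEntityResolver(int timeoutMillis) {
        super(true); // whitelist enabled and empty until hosts are added
        this.timeoutMillis = timeoutMillis;
    }

    /** True for IPv4 dotted quads and (bracketed or bare) IPv6 literals. */
    static boolean isIpLiteral(String host) {
        if (host == null || host.isEmpty()) {
            return true; // treat a missing host as unacceptable
        }
        String h = host;
        if (h.startsWith("[") && h.endsWith("]")) {
            h = h.substring(1, h.length() - 1); // assumed URL.getHost() form
        }
        return IPV4.matcher(h).matches() || h.indexOf(':') >= 0;
    }

    @Override
    protected boolean isInvalidProtocol(String protocol) {
        // Tighten the base policy: anything but https is invalid.
        return protocol == null
            || !"https".equals(protocol.toLowerCase(Locale.ROOT));
    }

    @Override
    protected boolean isWhitelistedHost(String host) {
        // An IP literal is never whitelisted; otherwise defer to the
        // whitelist maintained by the base class.
        return !isIpLiteral(host) && super.isWhitelistedHost(host);
    }

    @Override
    protected URLConnection openConnection(URL url) throws IOException {
        // Assumed: super returns an unconnected URLConnection, so timeouts
        // set here apply when connect(URLConnection) is called later.
        URLConnection con = super.openConnection(url);
        con.setConnectTimeout(timeoutMillis);
        con.setReadTimeout(timeoutMillis);
        return con;
    }

    /** Usage: a resolver that may fetch DTDs from one host, over https only. */
    public static StrictEntityResolver forHost(String fqdn, int timeoutMillis) {
        StrictEntityResolver r = new StrictEntityResolver(timeoutMillis);
        r.addHostToWhiteList(fqdn);
        return r;
    }
}
```

Install it exactly like the base class (DocumentBuilder.setEntityResolver or XMLReader.setEntityResolver); the parser-side entity expansion limits are still needed regardless of which resolver is in place.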
-
resolveEntity
public final InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException
- Specified by:
resolveEntity in interface EntityResolver
- Throws:
SAXException, IOException
-
resolveEntity
The remaining three overloads listed in the Method Summary, resolveEntity(DocumentTypeDeclaration dtDecl), resolveEntity(String documentTypeDeclaration) and resolveEntity(DocumentType dtDecl), each declare:
- Throws:
SAXException, IOException
-
setClassLoader
public void setClassLoader(ClassLoader loader)
-