001//////////////////////////////////////////////////////////////////////////////// 002// checkstyle: Checks Java source code for adherence to a set of rules. 003// Copyright (C) 2001-2019 the original author or authors. 004// 005// This library is free software; you can redistribute it and/or 006// modify it under the terms of the GNU Lesser General Public 007// License as published by the Free Software Foundation; either 008// version 2.1 of the License, or (at your option) any later version. 009// 010// This library is distributed in the hope that it will be useful, 011// but WITHOUT ANY WARRANTY; without even the implied warranty of 012// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 013// Lesser General Public License for more details. 014// 015// You should have received a copy of the GNU Lesser General Public 016// License along with this library; if not, write to the Free Software 017// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 018//////////////////////////////////////////////////////////////////////////////// 019 020package com.puppycrawl.tools.checkstyle; 021 022import java.io.IOException; 023import java.io.InputStream; 024import java.util.HashMap; 025import java.util.Map; 026 027import javax.xml.parsers.ParserConfigurationException; 028import javax.xml.parsers.SAXParserFactory; 029 030import org.xml.sax.InputSource; 031import org.xml.sax.SAXException; 032import org.xml.sax.SAXParseException; 033import org.xml.sax.XMLReader; 034import org.xml.sax.helpers.DefaultHandler; 035 036/** 037 * Contains the common implementation of a loader, for loading a configuration 038 * from an XML file. 039 * <p> 040 * The error handling policy can be described as being austere, dead set, 041 * disciplinary, dour, draconian, exacting, firm, forbidding, grim, hard, hard- 042 * boiled, harsh, harsh, in line, iron-fisted, no-nonsense, oppressive, 043 * persnickety, picky, prudish, punctilious, puritanical, rigid, rigorous, 044 * scrupulous, set, severe, square, stern, stickler, straight, strait-laced, 045 * stringent, stuffy, stuffy, tough, unpermissive, unsparing and uptight. 046 * </p> 047 * 048 * @noinspection ThisEscapedInObjectConstruction 049 */ 050public class XmlLoader 051 extends DefaultHandler { 052 053 /** Maps public id to resolve to resource name for the DTD. */ 054 private final Map<String, String> publicIdToResourceNameMap; 055 /** Parser to read XML files. **/ 056 private final XMLReader parser; 057 058 /** 059 * Creates a new instance. 060 * @param publicIdToResourceNameMap maps public IDs to DTD resource names 061 * @throws SAXException if an error occurs 062 * @throws ParserConfigurationException if an error occurs 063 */ 064 protected XmlLoader(Map<String, String> publicIdToResourceNameMap) 065 throws SAXException, ParserConfigurationException { 066 this.publicIdToResourceNameMap = new HashMap<>(publicIdToResourceNameMap); 067 final SAXParserFactory factory = SAXParserFactory.newInstance(); 068 LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory); 069 factory.setValidating(true); 070 parser = factory.newSAXParser().getXMLReader(); 071 parser.setContentHandler(this); 072 parser.setEntityResolver(this); 073 parser.setErrorHandler(this); 074 } 075 076 /** 077 * Parses the specified input source. 078 * @param inputSource the input source to parse. 079 * @throws IOException if an error occurs 080 * @throws SAXException in an error occurs 081 */ 082 public void parseInputSource(InputSource inputSource) 083 throws IOException, SAXException { 084 parser.parse(inputSource); 085 } 086 087 @Override 088 public InputSource resolveEntity(String publicId, String systemId) 089 throws SAXException, IOException { 090 final InputSource inputSource; 091 if (publicIdToResourceNameMap.keySet().contains(publicId)) { 092 final String dtdResourceName = 093 publicIdToResourceNameMap.get(publicId); 094 final ClassLoader loader = 095 getClass().getClassLoader(); 096 final InputStream dtdIs = 097 loader.getResourceAsStream(dtdResourceName); 098 099 inputSource = new InputSource(dtdIs); 100 } 101 else { 102 inputSource = super.resolveEntity(publicId, systemId); 103 } 104 return inputSource; 105 } 106 107 @Override 108 public void error(SAXParseException exception) throws SAXException { 109 throw exception; 110 } 111 112 /** 113 * Used for setting specific for secure java installations features to SAXParserFactory. 114 * Pulled out as a separate class in order to suppress Pitest mutations. 115 */ 116 public static final class LoadExternalDtdFeatureProvider { 117 118 /** System property name to enable external DTD load. */ 119 public static final String ENABLE_EXTERNAL_DTD_LOAD = "checkstyle.enableExternalDtdLoad"; 120 121 /** Feature that enables loading external DTD when loading XML files. */ 122 public static final String LOAD_EXTERNAL_DTD = 123 "http://apache.org/xml/features/nonvalidating/load-external-dtd"; 124 /** Feature that enables including external general entities in XML files. */ 125 public static final String EXTERNAL_GENERAL_ENTITIES = 126 "http://xml.org/sax/features/external-general-entities"; 127 128 /** Stop instances being created. **/ 129 private LoadExternalDtdFeatureProvider() { 130 } 131 132 /** 133 * Configures SAXParserFactory with features required 134 * to use external DTD file loading, this is not activated by default to no allow 135 * usage of schema files that checkstyle do not know 136 * it is even security problem to allow files from outside. 137 * @param factory factory to be configured with special features 138 * @throws SAXException if an error occurs 139 * @throws ParserConfigurationException if an error occurs 140 */ 141 public static void setFeaturesBySystemProperty(SAXParserFactory factory) 142 throws SAXException, ParserConfigurationException { 143 144 final boolean enableExternalDtdLoad = Boolean.parseBoolean( 145 System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false")); 146 147 factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad); 148 factory.setFeature(EXTERNAL_GENERAL_ENTITIES, enableExternalDtdLoad); 149 } 150 151 } 152 153}