Add new method

Author: drighetto

pom.xml

@@ -113,7 +113,7 @@
                     <charset>${project.build.sourceEncoding}</charset>
                     <linksource>true</linksource>
                     <windowtitle>Javadoc</windowtitle>
-                    <bottom>${project.artifactId} - ${project.version}</bottom>
+                    <bottom>Generated on ${maven.build.timestamp}.</bottom>
                     <javadocDirectory>${basedir}/src/main/javadoc</javadocDirectory>
                     <docfilessubdirs>true</docfilessubdirs>
                 </configuration>
@@ -125,6 +125,7 @@
         <jdk.target>21</jdk.target>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <maven.build.timestamp.format>yyyy-MM-dd</maven.build.timestamp.format>
     </properties>
     <repositories>
         <repository>

src/main/java/eu/righettod/SecurityUtils.java

@@ -38,9 +38,13 @@
 import javax.imageio.ImageIO;
 import javax.json.Json;
 import javax.json.JsonReader;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.stream.events.XMLEvent;
 import java.awt.*;
 import java.awt.image.BufferedImage;
 import java.io.*;
@@ -1187,4 +1191,45 @@ public static boolean isPathSafe(String path) {
         }
         return isSafe;
     }
+
+    /**
+     * Identify if an XML contains any XML comments or have any XSL processing instructions.<br>
+     * Stream reader based parsing is used to support large XML tree.
+     *
+     * @param xmlFilePath Filename of the XML file to check.
+     * @return True only if XML comments or XSL processing instructions are identified.
+     * @see "https://www.tutorialspoint.com/xml/xml_processing.htm"
+     * @see "https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/javax/xml/stream/XMLInputFactory.html"
+     * @see "https://portswigger.net/kb/issues/00400700_xml-entity-expansion"
+     * @see "https://www.w3.org/Style/styling-XML.en.html"
+     */
+    public static boolean isXMLHaveCommentsOrXSLProcessingInstructions(String xmlFilePath) {
+        boolean itemsDetected = false;
+        try {
+            //Ensure that the parser will not be prone XML external entity (XXE) injection or XML entity expansion (XEE) attacks
+            XMLInputFactory xmlInputFactory = XMLInputFactory.newFactory();
+            xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+            xmlInputFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
+            xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+
+            //Parse file
+            try (FileInputStream fis = new FileInputStream(xmlFilePath)) {
+                XMLStreamReader reader = xmlInputFactory.createXMLStreamReader(fis);
+                int eventType;
+                while (reader.hasNext() && !itemsDetected) {
+                    eventType = reader.next();
+                    if (eventType == XMLEvent.COMMENT) {
+                        itemsDetected = true;
+                    } else if (eventType == XMLEvent.PROCESSING_INSTRUCTION && "xml-stylesheet".equalsIgnoreCase(reader.getPITarget())) {
+                        itemsDetected = true;
+                    }
+                }
+            }
+        } catch (Exception e) {
+            //In case of error then assume that the check failed
+            itemsDetected = true;
+        }
+        return itemsDetected;
+    }
 }

src/test/java/eu/righettod/TestSecurityUtils.java

@@ -558,5 +558,21 @@ public void isPathSafe() {
             assertTrue(SecurityUtils.isPathSafe(p), String.format(templateMsgFalsePositive, p));
         });
     }
+
+    @Test
+    public void isXMLHaveCommentsOrXSLProcessingInstructions() {
+        //Test detection case for comments
+        String testFile = getTestFilePath("test-xml-with-comments.xml");
+        boolean result = SecurityUtils.isXMLHaveCommentsOrXSLProcessingInstructions(testFile);
+        assertTrue(result, "Comments were expected to be detected!");
+        //Test detection case for XSL PI
+        testFile = getTestFilePath("test-xml-with-xsl-pi.xml");
+        result = SecurityUtils.isXMLHaveCommentsOrXSLProcessingInstructions(testFile);
+        assertTrue(result, "XSL PI were expected to be detected!");
+        //Test for the clean case
+        testFile = getTestFilePath("test-xml-without-comment-or-xsl-pi.xml");
+        result = SecurityUtils.isXMLHaveCommentsOrXSLProcessingInstructions(testFile);
+        assertFalse(result, "No Comments or XSL PI were expected to be detected!");
+    }
 }
 

src/test/resources/test-xml-with-comments.xml

@@ -0,0 +1,133 @@
+<?xml version="1.0"?>
+<catalog>
+    <book id="bk101">
+        <author>Gambardella, Matthew</author>
+        <title>XML Developer's Guide</title>
+        <genre>Computer</genre>
+        <price>44.95</price>
+        <publish_date>2000-10-01</publish_date>
+        <description>An in-depth look at creating applications
+            with XML.
+        </description>
+    </book>
+    <!-- TEST -->
+    <book id="bk102">
+        <author>Ralls, Kim</author>
+        <title>Midnight Rain</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2000-12-16</publish_date>
+        <description>A former architect battles corporate zombies,
+            an evil sorceress, and her own childhood to become queen
+            of the world.
+        </description>
+    </book>
+    <book id="bk103">
+        <author>Corets, Eva</author>
+        <title>Maeve Ascendant</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2000-11-17</publish_date>
+        <description>After the collapse of a nanotechnology
+            society in England, the young survivors lay the
+            foundation for a new society.
+        </description>
+    </book>
+    <book id="bk104">
+        <author>Corets, Eva</author>
+        <title>Oberon's Legacy</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2001-03-10</publish_date>
+        <description>In post-apocalypse England, the mysterious
+            agent known only as Oberon helps to create a new life
+            for the inhabitants of London. Sequel to Maeve
+            Ascendant.
+        </description>
+    </book>
+    <book id="bk105">
+        <author>Corets, Eva</author>
+        <title>The Sundered Grail</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2001-09-10</publish_date>
+        <description>The two daughters of Maeve, half-sisters,
+            battle one another for control of England. Sequel to
+            Oberon's Legacy.
+        </description>
+    </book>
+    <book id="bk106">
+        <author>Randall, Cynthia</author>
+        <title>Lover Birds</title>
+        <genre>Romance</genre>
+        <price>4.95</price>
+        <publish_date>2000-09-02</publish_date>
+        <description>When Carla meets Paul at an ornithology
+            conference, tempers fly as feathers get ruffled.
+        </description>
+    </book>
+    <book id="bk107">
+        <author>Thurman, Paula</author>
+        <title>Splish Splash</title>
+        <genre>Romance</genre>
+        <price>4.95</price>
+        <publish_date>2000-11-02</publish_date>
+        <description>A deep sea diver finds true love twenty
+            thousand leagues beneath the sea.
+        </description>
+    </book>
+    <book id="bk108">
+        <author>Knorr, Stefan</author>
+        <title>Creepy Crawlies</title>
+        <genre>Horror</genre>
+        <price>4.95</price>
+        <publish_date>2000-12-06</publish_date>
+        <description>An anthology of horror stories about roaches,
+            centipedes, scorpions and other insects.
+        </description>
+    </book>
+    <book id="bk109">
+        <author>Kress, Peter</author>
+        <title>Paradox Lost</title>
+        <genre>Science Fiction</genre>
+        <price>6.95</price>
+        <publish_date>2000-11-02</publish_date>
+        <description>After an inadvertant trip through a Heisenberg
+            Uncertainty Device, James Salway discovers the problems
+            of being quantum.
+        </description>
+    </book>
+    <book id="bk110">
+        <author>O'Brien, Tim</author>
+        <title>Microsoft .NET: The Programming Bible</title>
+        <genre>Computer</genre>
+        <price>36.95</price>
+        <publish_date>2000-12-09</publish_date>
+        <description>Microsoft's .NET initiative is explored in
+            detail in this deep programmer's reference.
+        </description>
+    </book>
+    <book id="bk111">
+        <author>O'Brien, Tim</author>
+        <title>MSXML3: A Comprehensive Guide</title>
+        <genre>Computer</genre>
+        <price>36.95</price>
+        <publish_date>2000-12-01</publish_date>
+        <description>The Microsoft MSXML3 parser is covered in
+            detail, with attention to XML DOM interfaces, XSLT processing,
+            SAX and more.
+        </description>
+    </book>
+    <book id="bk112">
+        <author>Galos, Mike</author>
+        <title>Visual Studio 7: A Comprehensive Guide</title>
+        <genre>Computer</genre>
+        <price>49.95</price>
+        <publish_date>2001-04-16</publish_date>
+        <description>Microsoft Visual Studio 7 is explored in depth,
+            looking at how Visual Basic, Visual C++, C#, and ASP+ are
+            integrated into a comprehensive development
+            environment.
+        </description>
+    </book>
+</catalog>

src/test/resources/test-xml-with-xsl-pi.xml

@@ -0,0 +1,133 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="test.xslt" ?>
+<catalog>
+    <book id="bk101">
+        <author>Gambardella, Matthew</author>
+        <title>XML Developer's Guide</title>
+        <genre>Computer</genre>
+        <price>44.95</price>
+        <publish_date>2000-10-01</publish_date>
+        <description>An in-depth look at creating applications
+            with XML.
+        </description>
+    </book>
+    <book id="bk102">
+        <author>Ralls, Kim</author>
+        <title>Midnight Rain</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2000-12-16</publish_date>
+        <description>A former architect battles corporate zombies,
+            an evil sorceress, and her own childhood to become queen
+            of the world.
+        </description>
+    </book>
+    <book id="bk103">
+        <author>Corets, Eva</author>
+        <title>Maeve Ascendant</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2000-11-17</publish_date>
+        <description>After the collapse of a nanotechnology
+            society in England, the young survivors lay the
+            foundation for a new society.
+        </description>
+    </book>
+    <book id="bk104">
+        <author>Corets, Eva</author>
+        <title>Oberon's Legacy</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2001-03-10</publish_date>
+        <description>In post-apocalypse England, the mysterious
+            agent known only as Oberon helps to create a new life
+            for the inhabitants of London. Sequel to Maeve
+            Ascendant.
+        </description>
+    </book>
+    <book id="bk105">
+        <author>Corets, Eva</author>
+        <title>The Sundered Grail</title>
+        <genre>Fantasy</genre>
+        <price>5.95</price>
+        <publish_date>2001-09-10</publish_date>
+        <description>The two daughters of Maeve, half-sisters,
+            battle one another for control of England. Sequel to
+            Oberon's Legacy.
+        </description>
+    </book>
+    <book id="bk106">
+        <author>Randall, Cynthia</author>
+        <title>Lover Birds</title>
+        <genre>Romance</genre>
+        <price>4.95</price>
+        <publish_date>2000-09-02</publish_date>
+        <description>When Carla meets Paul at an ornithology
+            conference, tempers fly as feathers get ruffled.
+        </description>
+    </book>
+    <book id="bk107">
+        <author>Thurman, Paula</author>
+        <title>Splish Splash</title>
+        <genre>Romance</genre>
+        <price>4.95</price>
+        <publish_date>2000-11-02</publish_date>
+        <description>A deep sea diver finds true love twenty
+            thousand leagues beneath the sea.
+        </description>
+    </book>
+    <book id="bk108">
+        <author>Knorr, Stefan</author>
+        <title>Creepy Crawlies</title>
+        <genre>Horror</genre>
+        <price>4.95</price>
+        <publish_date>2000-12-06</publish_date>
+        <description>An anthology of horror stories about roaches,
+            centipedes, scorpions and other insects.
+        </description>
+    </book>
+    <book id="bk109">
+        <author>Kress, Peter</author>
+        <title>Paradox Lost</title>
+        <genre>Science Fiction</genre>
+        <price>6.95</price>
+        <publish_date>2000-11-02</publish_date>
+        <description>After an inadvertant trip through a Heisenberg
+            Uncertainty Device, James Salway discovers the problems
+            of being quantum.
+        </description>
+    </book>
+    <book id="bk110">
+        <author>O'Brien, Tim</author>
+        <title>Microsoft .NET: The Programming Bible</title>
+        <genre>Computer</genre>
+        <price>36.95</price>
+        <publish_date>2000-12-09</publish_date>
+        <description>Microsoft's .NET initiative is explored in
+            detail in this deep programmer's reference.
+        </description>
+    </book>
+    <book id="bk111">
+        <author>O'Brien, Tim</author>
+        <title>MSXML3: A Comprehensive Guide</title>
+        <genre>Computer</genre>
+        <price>36.95</price>
+        <publish_date>2000-12-01</publish_date>
+        <description>The Microsoft MSXML3 parser is covered in
+            detail, with attention to XML DOM interfaces, XSLT processing,
+            SAX and more.
+        </description>
+    </book>
+    <book id="bk112">
+        <author>Galos, Mike</author>
+        <title>Visual Studio 7: A Comprehensive Guide</title>
+        <genre>Computer</genre>
+        <price>49.95</price>
+        <publish_date>2001-04-16</publish_date>
+        <description>Microsoft Visual Studio 7 is explored in depth,
+            looking at how Visual Basic, Visual C++, C#, and ASP+ are
+            integrated into a comprehensive development
+            environment.
+        </description>
+    </book>
+</catalog>