Merge pull request #56 from FHIR/do-20241211-xmlutil-checkstyle

Only instantiate DocumentBuilderFactory in a single location
FHIR · Dec 11, 2024 · 0929ce9 · 0929ce9
2 parents afbbe2a + 866a208
commit 0929ce9
Show file tree

Hide file tree

Showing 7 changed files with 110 additions and 2 deletions.
diff --git a/checkstyle.xml b/checkstyle.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0"?>
+<!DOCTYPE module PUBLIC
+    "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
+    "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
+
+<module name="Checker">
+
+    <property name="severity" value="error"/>
+    <property name="charset" value="UTF-8"/>
+    <property name="fileExtensions" value="java, properties, xml, js, json"/>
+    <module name="TreeWalker">
+        <!--
+        <module name="TodoComment">-->
+        <!-- The (?i) below means Case Insensitive -->
+        <!--<property name="format" value="(?i)FIXME"/>
+-->
+        <module name="RegexpSinglelineJava">
+            <property name="format" value="org\.jetbrains\.annotations\.NotNull"/>
+        </module>
+        <module name="RegexpSinglelineJava">
+            <property name="format" value="org\.jetbrains\.annotations\.Nullable"/>
+        </module>
+        <module name="RegexpSinglelineJava">
+            <property name="format" value="org\.jetbrains\.annotations\.\*"/>
+        </module>
+    </module>
+    <module name="RegexpMultiline">
+        <property name="id" value="transformerFactoryNewInstance"/>
+        <property name="matchAcrossLines" value="true"/>
+        <property name="format" value="TransformerFactory\.newInstance\("/>
+        <property name="message"
+                  value="Usage of TransformerFactory.newInstance() is not permitted. If you require this constructor, please add an XXE protected usage to XMLUtils and add the line number to checkstyle_suppressions.xml"
+        />
+    </module>
+    <module name="RegexpMultiline">
+        <property name="id" value="documentBuilderFactoryNewInstance"/>
+        <property name="matchAcrossLines" value="true"/>
+        <property name="format" value="DocumentBuilderFactory\.newInstance\("/>
+        <property name="message"
+                  value="Usage of DocumentBuilderFactory.newInstance() is only allowed in XMLUtils.parseDOM(InputStream stream). If the location of this call in XMLUtils has changed, please modify the expected line number in checkstyle_suppressions.xml"
+        />
+    </module>
+    <module name="RegexpMultiline">
+        <property name="id" value="saxParserFactoryNewInstance"/>
+        <property name="matchAcrossLines" value="true"/>
+        <property name="format" value="SAXParserFactory\.newInstance\("/>
+        <property name="message"
+                  value="Usage of SAXParserFactory.newInstance() is not permitted. If you require this constructor, please add an XXE protected usage to XMLUtils and add the line number to checkstyle_suppressions.xml"
+        />
+    </module>
+    <module name="RegexpMultiline">
+        <property name="id" value="getXMLReader"/>
+        <property name="matchAcrossLines" value="true"/>
+        <property name="format" value="\.getXMLReader\("/>
+        <property name="message"
+                  value="Usage of SAXParserFactory.getXMLReader() is not permitted. If you require this constructor, please add an XXE protected usage to XMLUtils and add the line number to checkstyle_suppressions.xml"
+        />
+    </module>
+</module>
diff --git a/checkstyle_suppressions.xml b/checkstyle_suppressions.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<!DOCTYPE suppressions PUBLIC
+    "-//Checkstyle//DTD SuppressionFilter Configuration 1.2//EN"
+    "https://checkstyle.org/dtds/suppressions_1_2.dtd">
+
+<suppressions>
+    <suppress id="documentBuilderFactoryNewInstance" files="/src/main/java/org/fhir/ucum/utils/XmlUtils.java" lines="20"/>
+</suppressions>
diff --git a/master-branch-pipeline.yml b/master-branch-pipeline.yml
@@ -58,7 +58,7 @@ steps:
     inputs:
       mavenPomFile: 'pom.xml'
       mavenOptions: '-Xmx3072m'
-      options: '--settings $(System.DefaultWorkingDirectory)/settings.xml'
+      options: '--settings $(System.DefaultWorkingDirectory)/settings.xml -P CHECKSTYLE'
       javaHomeOption: 'JDKVersion'
       jdkVersionOption: '1.11'
       jdkArchitectureOption: 'x64'

diff --git a/pom.xml b/pom.xml
@@ -187,6 +187,14 @@
                     </execution>
                 </executions>
             </plugin>
+
+            <plugin>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>3.2.0</version>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 
@@ -293,6 +301,36 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>CHECKSTYLE</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-checkstyle-plugin</artifactId>
+                        <configuration>
+                            <skip>false</skip>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <phase>process-sources</phase>
+                                <goals>
+                                    <goal>checkstyle</goal>
+                                </goals>
+                                <configuration>
+                                    <failsOnError>true</failsOnError>
+                                    <suppressionsLocation>${project.basedir}/checkstyle_suppressions.xml</suppressionsLocation>
+                                    <enableRulesSummary>true</enableRulesSummary>
+                                    <enableSeveritySummary>true</enableSeveritySummary>
+                                    <consoleOutput>true</consoleOutput>
+                                    <configLocation>${project.basedir}/checkstyle.xml</configLocation>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
         <profile>
             <id>OWASP_CHECK</id>
             <build>

diff --git a/pull-request-pipeline.yml b/pull-request-pipeline.yml
@@ -17,3 +17,4 @@ steps:
     publishJUnitResults: true
     testResultsFiles: '**/surefire-reports/TEST-*.xml'
     goals: 'package'
+    options: "-P CHECKSTYLE"
diff --git a/release-branch-pipeline.yml b/release-branch-pipeline.yml
@@ -79,7 +79,7 @@ steps:
     inputs:
       mavenPomFile: 'pom.xml'
       mavenOptions: '-Xmx3072m'
-      options: '--settings $(System.DefaultWorkingDirectory)/settings.xml'
+      options: '--settings $(System.DefaultWorkingDirectory)/settings.xml -P CHECKSTYLE'
       javaHomeOption: 'JDKVersion'
       jdkVersionOption: '1.11'
       jdkArchitectureOption: 'x64'

diff --git a/src/main/java/org/fhir/ucum/utils/XmlUtils.java b/src/main/java/org/fhir/ucum/utils/XmlUtils.java
@@ -18,6 +18,8 @@ public class XmlUtils {
 
   public static Document parseDOM(InputStream stream) throws ParserConfigurationException, SAXException, IOException {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    factory.setXIncludeAware(false);
     factory.setNamespaceAware(false);
     DocumentBuilder builder = factory.newDocumentBuilder();
     Document doc = builder.parse(stream);