Project icon

com.io7m.jxe

Build status Maven Central Codacy Codecov

The jxe package implements a set of classes intended to both provide more secure defaults and to eliminate much of the boilerplate required to set up the standard JDK SAX parsers.

It provides a sane API for setting up secure-by-default validating SAX parsers that dynamically locate schemas for incoming documents from a whitelisted set of locations without those documents knowing or caring where those schemas are actually located.

The package is capable of setting up extremely strict validating parsers. For example, many applications that receive XML have the following requirements on incoming data:

  • XML documents must be validated against one of a small set of schemas. Data that has not been validated must be rejected.
  • Documents must declare the namespace to which their data belongs, but must not be required to actually state the physical location of the schema. This is security sensitive: A document should not be able to tell a parser where to find a schema, because hostile documents could cause the parser to read a schema that trivially accepts all data. This would allow the document to essentially pass through without having to conform to the structure that an application expects. Documents that do not declare a namespace must be rejected.
  • The XML parser must not access the network except to explicitly permitted locations. This is security sensitive: A hostile document could declare a dependency on a schema that could cause the parser to contact attacker-controlled servers.
  • The XML parser must be robust in the face of attacks such as entity expansion attacks.
  • The XML parser must prevent path traversal attacks: Documents must not be able to cause files outside of a particular directory to be accessed.

The jxe package allows applications to enforce all of the above requirements via a very simple API:

Contents

Features

  • Hardened SAX parsers: Prevent path traversal attacks, prevent entity expansion attacks, prevent network access!
  • Dispatching XSD schema resolvers; XML documents specify namespaces and the resolvers find their respective XSD schemas from a provided whitelist of locations. Reject non-validated XML!
  • OSGi-ready.
  • JPMS-ready
  • High coverage automated test suite
  • ISC license

Releases

The current release is 0.0.1.

Source code and binaries are available from the repository.

Documentation

Documentation for the 0.0.1 release is available for reading online.

Documentation for current and older releases is archived in the repository.

User documentation

Maven

The following is a complete list of the project's modules expressed as Maven dependencies:

<dependency>
  <groupId>com.io7m.jxe</groupId>
  <artifactId>com.io7m.jxe</artifactId>
  <version>0.0.1</version>
</dependency>

<dependency>
  <groupId>com.io7m.jxe</groupId>
  <artifactId>com.io7m.jxe.core</artifactId>
  <version>0.0.1</version>
</dependency>

<dependency>
  <groupId>com.io7m.jxe</groupId>
  <artifactId>com.io7m.jxe.tests</artifactId>
  <version>0.0.1</version>
</dependency>

<dependency>
  <groupId>com.io7m.jxe</groupId>
  <artifactId>com.io7m.jxe.documentation</artifactId>
  <version>0.0.1</version>
</dependency>

Each release of the project is made available on Maven Central within ten minutes of the release announcement.

Changes

Subscribe to the releases atom feed.

No formal releases have been made.

Sources

This project uses Git to manage source code.

Repository: https://github.com/io7m/jxe

$ git clone https://github.com/io7m/jxe

License

Copyright ⓒ 2018 Mark Raynsford <code@io7m.com> http://io7m.com

Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR
BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.

Bug Tracker

The project uses GitHub Issues to track issues.