YARN-11330. use secure XML parsers (#4981)

Move construction of XML parsers in YARN
modules to use the locked-down parser factory
of HADOOP-18469.

One exception: GpuDeviceInformationParser still supports DTD resolution;
all other features are disabled.

Contributed by P J Fanning
Steve Loughran 2022-10-21 14:16:22 +01:00 committed by GitHub
parent 237814a9b3
commit 19f8e4f34d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 83 additions and 63 deletions


@ -41,17 +41,18 @@
@InterfaceStability.Unstable @InterfaceStability.Unstable
public class XMLUtils { public class XMLUtils {
private static final String DISALLOW_DOCTYPE_DECL = public static final String DISALLOW_DOCTYPE_DECL =
"http://apache.org/xml/features/disallow-doctype-decl"; "http://apache.org/xml/features/disallow-doctype-decl";
private static final String LOAD_EXTERNAL_DECL = public static final String LOAD_EXTERNAL_DECL =
"http://apache.org/xml/features/nonvalidating/load-external-dtd"; "http://apache.org/xml/features/nonvalidating/load-external-dtd";
private static final String EXTERNAL_GENERAL_ENTITIES = public static final String EXTERNAL_GENERAL_ENTITIES =
"http://xml.org/sax/features/external-general-entities"; "http://xml.org/sax/features/external-general-entities";
private static final String EXTERNAL_PARAMETER_ENTITIES = public static final String EXTERNAL_PARAMETER_ENTITIES =
"http://xml.org/sax/features/external-parameter-entities"; "http://xml.org/sax/features/external-parameter-entities";
private static final String CREATE_ENTITY_REF_NODES = public static final String CREATE_ENTITY_REF_NODES =
"http://apache.org/xml/features/dom/create-entity-ref-nodes"; "http://apache.org/xml/features/dom/create-entity-ref-nodes";
public static final String VALIDATION =
"http://xml.org/sax/features/validation";
/** /**
* Transform input xml given a stylesheet. * Transform input xml given a stylesheet.
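Review bot: The five feature-URI constants widened to `public` at the top of `XMLUtils`, and the new `VALIDATION`, carry no Javadoc, and their safe values point in opposite directions: a hardened parser sets `DISALLOW_DOCTYPE_DECL` to true but sets the load-external-DTD and external-entity features to false. Now that other modules set them one by one, a one-line comment on each would guard against an inverted flag, for example `/** Xerces feature; set to true to reject any DOCTYPE declaration. */` on `DISALLOW_DOCTYPE_DECL` and `/** SAX feature; set to false so external general entities are never resolved. */` on `EXTERNAL_GENERAL_ENTITIES`. The class is marked `@InterfaceStability.Unstable`, so the wider visibility matters less than the missing guidance.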


@ -37,6 +37,7 @@
import org.apache.hadoop.security.ssl.SSLFactory; import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.Tool; import org.apache.hadoop.util.Tool;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.webapp.dao.ConfInfo; import org.apache.hadoop.yarn.webapp.dao.ConfInfo;
import org.apache.hadoop.yarn.webapp.dao.QueueConfigInfo; import org.apache.hadoop.yarn.webapp.dao.QueueConfigInfo;
@ -190,7 +191,7 @@ private static void prettyFormatWithIndent(String input, int indent)
Source xmlInput = new StreamSource(new StringReader(input)); Source xmlInput = new StreamSource(new StringReader(input));
StringWriter sw = new StringWriter(); StringWriter sw = new StringWriter();
StreamResult xmlOutput = new StreamResult(sw); StreamResult xmlOutput = new StreamResult(sw);
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = XMLUtils.newSecureTransformerFactory();
transformerFactory.setAttribute("indent-number", indent); transformerFactory.setAttribute("indent-number", indent);
Transformer transformer = transformerFactory.newTransformer(); Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty(OutputKeys.INDENT, "yes");


@ -18,20 +18,27 @@
package org.apache.hadoop.yarn.server.nodemanager.webapp.dao.gpu; package org.apache.hadoop.yarn.server.nodemanager.webapp.dao.gpu;
import org.apache.hadoop.classification.InterfaceAudience; import java.io.StringReader;
import org.apache.hadoop.classification.InterfaceStability; import javax.xml.XMLConstants;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException; import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller; import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.SAXParserFactory; import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource; import javax.xml.transform.sax.SAXSource;
import java.io.StringReader;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import static org.apache.hadoop.util.XMLUtils.EXTERNAL_GENERAL_ENTITIES;
import static org.apache.hadoop.util.XMLUtils.EXTERNAL_PARAMETER_ENTITIES;
import static org.apache.hadoop.util.XMLUtils.LOAD_EXTERNAL_DECL;
import static org.apache.hadoop.util.XMLUtils.VALIDATION;
/** /**
* Parse XML and get GPU device information * Parse XML and get GPU device information
@ -68,10 +75,11 @@ public GpuDeviceInformationParser() throws YarnException {
*/ */
private SAXParserFactory initSaxParserFactory() throws Exception { private SAXParserFactory initSaxParserFactory() throws Exception {
SAXParserFactory spf = SAXParserFactory.newInstance(); SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature( spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
"http://apache.org/xml/features/nonvalidating/load-external-dtd", spf.setFeature(LOAD_EXTERNAL_DECL, false);
false); spf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
spf.setFeature("http://xml.org/sax/features/validation", false); spf.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
spf.setFeature(VALIDATION, false);
return spf; return spf;
} }
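Review bot: `initSaxParserFactory` leaves `DISALLOW_DOCTYPE_DECL` unset on purpose, but nothing in the method says so. A later reader may either add the flag and break parsing, or copy this method as if it were the fully locked-down configuration. The commit message records the exception, so the same statement belongs above the `setFeature` calls, e.g. `// DOCTYPE declarations are still accepted here; external DTD loading and external entities are disabled.` Because a DOCTYPE is still parsed, internal entity declarations remain in play and the only bound on them is whatever `FEATURE_SECURE_PROCESSING` enforces in the running parser. A regression test that feeds a document whose DOCTYPE references an external entity and asserts that nothing is resolved would pin the intended behaviour.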


@ -35,6 +35,7 @@
import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.Path;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.util.VersionInfo; import org.apache.hadoop.util.VersionInfo;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.ApplicationId; import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ContainerId; import org.apache.hadoop.yarn.api.records.ContainerId;
@ -432,10 +433,9 @@ public void testSingleNodesXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML+ "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML+ "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource(new StringReader(xml));
is.setCharacterStream(new StringReader(xml));
Document dom = db.parse(is); Document dom = db.parse(is);
NodeList nodes = dom.getElementsByTagName("nodeInfo"); NodeList nodes = dom.getElementsByTagName("nodeInfo");
assertEquals("incorrect number of elements", 1, nodes.getLength()); assertEquals("incorrect number of elements", 1, nodes.getLength());
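Review bot: Only `testSingleNodesXML` gets the shorter `new InputSource(new StringReader(xml))` form. The other test hunks in this commit that make the same factory swap keep the two-step `new InputSource()` plus `is.setCharacterStream(...)`, so the tests now parse responses in two different styles. Either apply the one-line form everywhere or, since the same four lines recur in every one of these tests, move them into a shared test helper that builds the secure factory and returns the `Document`. A single helper would also leave one place to change if the factory settings change again.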


@ -40,6 +40,7 @@
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileUtil; import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
@ -486,7 +487,7 @@ public void testNodeAppsStateInvalidXML() throws JSONException, Exception {
response.getType().toString()); response.getType().toString());
String msg = response.getEntity(String.class); String msg = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(msg)); is.setCharacterStream(new StringReader(msg));
@ -651,7 +652,7 @@ public void testNodeAppsXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -676,7 +677,7 @@ public void testNodeSingleAppsXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -40,6 +40,7 @@
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileUtil; import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.nodemanager.Context; import org.apache.hadoop.yarn.server.nodemanager.Context;
@ -257,7 +258,7 @@ public void testNodeAuxServicesXML() throws Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -39,6 +39,7 @@
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileUtil; import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId; import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.ContainerId; import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.api.records.NodeId;
@ -447,7 +448,7 @@ public void testNodeSingleContainerXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -476,7 +477,7 @@ public void testNodeContainerXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -28,6 +28,7 @@
import org.apache.hadoop.fs.UnsupportedFileSystemException; import org.apache.hadoop.fs.UnsupportedFileSystemException;
import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.service.AbstractService; import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.QueueACL; import org.apache.hadoop.yarn.api.records.QueueACL;
import org.apache.hadoop.yarn.security.AccessType; import org.apache.hadoop.yarn.security.AccessType;
import org.apache.hadoop.yarn.security.Permission; import org.apache.hadoop.yarn.security.Permission;
@ -236,8 +237,7 @@ public synchronized void reloadAllocations()
LOG.info("Loading allocation file " + allocFile); LOG.info("Loading allocation file " + allocFile);
// Read and parse the allocations file. // Read and parse the allocations file.
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory docBuilderFactory = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilderFactory.newInstance();
docBuilderFactory.setIgnoringComments(true); docBuilderFactory.setIgnoringComments(true);
DocumentBuilder builder = docBuilderFactory.newDocumentBuilder(); DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
Document doc = builder.parse(fs.open(allocFile)); Document doc = builder.parse(fs.open(allocFile));
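Review bot: Switching `reloadAllocations` to `XMLUtils.newSecureDocumentBuilderFactory()` may change which allocation files are accepted. If that factory rejects DOCTYPE declarations (the `DISALLOW_DOCTYPE_DECL` constant in `XMLUtils` suggests it does, but the factory body is not shown here), an existing allocation file that carries a DOCTYPE will fail at `builder.parse(...)` on the next reload. A comment at the call site would record that this is intended, e.g. `// Secure factory: allocation files containing a DOCTYPE or external entities are rejected.`, and the change deserves a line in the fair-scheduler documentation or release notes. The method body continues outside the hunk, so how a parse failure is reported to the operator cannot be checked from here.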


@ -24,6 +24,7 @@
import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier; import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.nodelabels.NodeAttributeStore; import org.apache.hadoop.yarn.nodelabels.NodeAttributeStore;
import org.apache.hadoop.yarn.nodelabels.NodeLabelUtil; import org.apache.hadoop.yarn.nodelabels.NodeLabelUtil;
import org.apache.hadoop.yarn.server.api.ResourceTracker; import org.apache.hadoop.yarn.server.api.ResourceTracker;
@ -2601,7 +2602,7 @@ private void writeToHostsFile(File file, String... hosts)
private void writeToHostsXmlFile( private void writeToHostsXmlFile(
File file, Pair<String, Integer>... hostsAndTimeouts) throws Exception { File file, Pair<String, Integer>... hostsAndTimeouts) throws Exception {
ensureFileExists(file); ensureFileExists(file);
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbFactory = XMLUtils.newSecureDocumentBuilderFactory();
Document doc = dbFactory.newDocumentBuilder().newDocument(); Document doc = dbFactory.newDocumentBuilder().newDocument();
Element hosts = doc.createElement("hosts"); Element hosts = doc.createElement("hosts");
doc.appendChild(hosts); doc.appendChild(hosts);
@ -2619,7 +2620,7 @@ private void writeToHostsXmlFile(
); );
} }
} }
TransformerFactory transformerFactory = TransformerFactory.newInstance(); TransformerFactory transformerFactory = XMLUtils.newSecureTransformerFactory();
Transformer transformer = transformerFactory.newTransformer(); Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.transform(new DOMSource(doc), new StreamResult(file)); transformer.transform(new DOMSource(doc), new StreamResult(file));


@ -19,6 +19,7 @@
package org.apache.hadoop.yarn.server.resourcemanager.placement; package org.apache.hadoop.yarn.server.resourcemanager.placement;
import org.apache.commons.io.IOUtils; import org.apache.commons.io.IOUtils;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairSchedulerConfiguration; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairSchedulerConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.QueueManager; import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.QueueManager;
@ -188,11 +189,10 @@ private void ruleInit(Class <? extends PlacementRule> ruleClass) {
private Element createConf(String str) { private Element createConf(String str) {
// Create a simple rule element to use in the rule create // Create a simple rule element to use in the rule create
DocumentBuilderFactory docBuilderFactory =
DocumentBuilderFactory.newInstance();
docBuilderFactory.setIgnoringComments(true);
Document doc = null; Document doc = null;
try { try {
DocumentBuilderFactory docBuilderFactory = XMLUtils.newSecureDocumentBuilderFactory();
docBuilderFactory.setIgnoringComments(true);
DocumentBuilder builder = docBuilderFactory.newDocumentBuilder(); DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
doc = builder.parse(IOUtils.toInputStream(str, StandardCharsets.UTF_8)); doc = builder.parse(IOUtils.toInputStream(str, StandardCharsets.UTF_8));
} catch (Exception ex) { } catch (Exception ex) {


@ -57,6 +57,7 @@
import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.service.Service.STATE; import org.apache.hadoop.service.Service.STATE;
import org.apache.hadoop.util.VersionInfo; import org.apache.hadoop.util.VersionInfo;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest; import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsResponse; import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsResponse;
import org.apache.hadoop.yarn.api.records.ApplicationId; import org.apache.hadoop.yarn.api.records.ApplicationId;
@ -309,7 +310,7 @@ public void testInfoDefault() throws JSONException, Exception {
} }
public void verifyClusterInfoXML(String xml) throws JSONException, Exception { public void verifyClusterInfoXML(String xml) throws JSONException, Exception {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -435,7 +436,7 @@ public void testClusterMetricsXML() throws JSONException, Exception {
public void verifyClusterMetricsXML(String xml) throws JSONException, public void verifyClusterMetricsXML(String xml) throws JSONException,
Exception { Exception {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -606,7 +607,7 @@ public void testClusterSchedulerFifoXML() throws JSONException, Exception {
public void verifySchedulerFifoXML(String xml) throws JSONException, public void verifySchedulerFifoXML(String xml) throws JSONException,
Exception { Exception {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -25,6 +25,7 @@
import com.sun.jersey.test.framework.WebAppDescriptor; import com.sun.jersey.test.framework.WebAppDescriptor;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.ContainerState; import org.apache.hadoop.yarn.api.records.ContainerState;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.MockAM; import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
@ -355,7 +356,7 @@ public void testAppAttemptsXML() throws Exception {
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -31,6 +31,7 @@
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.ContainerState; import org.apache.hadoop.yarn.api.records.ContainerState;
import org.apache.hadoop.yarn.api.records.FinalApplicationStatus; import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
import org.apache.hadoop.yarn.api.records.ResourceRequest; import org.apache.hadoop.yarn.api.records.ResourceRequest;
@ -177,7 +178,7 @@ public void testAppsXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -211,7 +212,7 @@ public void testRunningApp() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -252,7 +253,7 @@ public void testAppsXMLMulti() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -1712,7 +1713,7 @@ public void testSingleAppsXML() throws JSONException, Exception {
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -56,6 +56,7 @@
import org.apache.hadoop.security.Credentials; import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType; import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.ApplicationId; import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext; import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
@ -532,7 +533,7 @@ protected static void verifyAppStateXML(ClientResponse response,
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -733,7 +734,7 @@ protected String validateGetNewApplicationJsonResponse(JSONObject json)
protected String validateGetNewApplicationXMLResponse(String response) protected String validateGetNewApplicationXMLResponse(String response)
throws ParserConfigurationException, IOException, SAXException { throws ParserConfigurationException, IOException, SAXException {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(response)); is.setCharacterStream(new StringReader(response));
@ -1299,7 +1300,7 @@ protected static void verifyAppPriorityXML(ClientResponse response,
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -1329,7 +1330,7 @@ protected static void verifyAppPriorityXML(ClientResponse response,
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -1466,7 +1467,7 @@ protected static void verifyAppTimeoutXML(ClientResponse response,
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -48,6 +48,7 @@
import org.apache.hadoop.security.token.SecretManager.InvalidToken; import org.apache.hadoop.security.token.SecretManager.InvalidToken;
import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.util.Time; import org.apache.hadoop.util.Time;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier; import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
import org.apache.hadoop.yarn.server.resourcemanager.MockRM; import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
@ -697,7 +698,7 @@ private void verifySimpleAuthCancel() {
public static DelegationToken getDelegationTokenFromXML(String tokenXML) public static DelegationToken getDelegationTokenFromXML(String tokenXML)
throws IOException, ParserConfigurationException, SAXException { throws IOException, ParserConfigurationException, SAXException {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(tokenXML)); is.setCharacterStream(new StringReader(tokenXML));
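Review bot: getDelegationTokenFromXML still carries its own copy of the factory, builder and InputSource setup, and the same lines recur in every XML verifier this commit touches (verifyAppPriorityXML, verifyAppTimeoutXML, testSchedulerPartitionsXML, the node tests, parseXml, verifyClusterInfoXML). With one copy per test, nothing stops the next test from going back to `DocumentBuilderFactory.newInstance()`. A single shared test helper, for example `static Document parseXml(String xml)` built on `XMLUtils.newSecureDocumentBuilderFactory()`, would keep the choice of factory in one place, and a build-time ban on the direct `newInstance()` call would catch regressions. The method body continues outside the hunk.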


@ -42,6 +42,7 @@
import org.apache.hadoop.thirdparty.com.google.common.collect.ImmutableMap; import org.apache.hadoop.thirdparty.com.google.common.collect.ImmutableMap;
import org.apache.hadoop.thirdparty.com.google.common.collect.Sets; import org.apache.hadoop.thirdparty.com.google.common.collect.Sets;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.NodeId; import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.api.records.NodeLabel; import org.apache.hadoop.yarn.api.records.NodeLabel;
import org.apache.hadoop.yarn.api.records.Priority; import org.apache.hadoop.yarn.api.records.Priority;
@ -258,7 +259,7 @@ public void testSchedulerPartitionsXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));


@ -49,6 +49,7 @@
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter; import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.api.records.ContainerStatus; import org.apache.hadoop.yarn.api.records.ContainerStatus;
import org.apache.hadoop.yarn.api.records.NodeAttribute; import org.apache.hadoop.yarn.api.records.NodeAttribute;
import org.apache.hadoop.yarn.api.records.NodeAttributeType; import org.apache.hadoop.yarn.api.records.NodeAttributeType;
@ -578,10 +579,9 @@ public void testNonexistNodeXML() throws JSONException, Exception {
response.getType().toString()); response.getType().toString());
String msg = response.getEntity(String.class); String msg = response.getEntity(String.class);
System.out.println(msg); System.out.println(msg);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource(new StringReader(msg));
is.setCharacterStream(new StringReader(msg));
Document dom = db.parse(is); Document dom = db.parse(is);
NodeList nodes = dom.getElementsByTagName("RemoteException"); NodeList nodes = dom.getElementsByTagName("RemoteException");
Element element = (Element) nodes.item(0); Element element = (Element) nodes.item(0);
@ -646,10 +646,9 @@ public void testNodesXML() throws JSONException, Exception {
assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8, assertEquals(MediaType.APPLICATION_XML_TYPE + "; " + JettyUtils.UTF_8,
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource(new StringReader(xml));
is.setCharacterStream(new StringReader(xml));
Document dom = db.parse(is); Document dom = db.parse(is);
NodeList nodesApps = dom.getElementsByTagName("nodes"); NodeList nodesApps = dom.getElementsByTagName("nodes");
assertEquals("incorrect number of elements", 1, nodesApps.getLength()); assertEquals("incorrect number of elements", 1, nodesApps.getLength());
@ -672,7 +671,7 @@ public void testSingleNodesXML() throws JSONException, Exception {
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -694,7 +693,7 @@ public void testNodes2XML() throws JSONException, Exception {
response.getType().toString()); response.getType().toString());
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
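Review bot: The InputSource construction is now written two ways in this file: testNonexistNodeXML and testNodesXML use the one-statement form, while testSingleNodesXML and testNodes2XML keep `new InputSource()` followed by `setCharacterStream(...)`. The two forms are equivalent, so the remaining two tests can use `InputSource is = new InputSource(new StringReader(xml));` and drop the `setCharacterStream` line. All four test bodies continue outside their hunks.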


@ -20,6 +20,7 @@
import com.sun.jersey.api.client.WebResource; import com.sun.jersey.api.client.WebResource;
import org.apache.hadoop.http.JettyUtils; import org.apache.hadoop.http.JettyUtils;
import org.apache.hadoop.util.XMLUtils;
import org.codehaus.jettison.json.JSONObject; import org.codehaus.jettison.json.JSONObject;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -29,7 +30,6 @@
import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MediaType;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*; import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource; import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
@ -84,7 +84,7 @@ private Document parseXml(BufferedClientResponse response) {
try { try {
String xml = response.getEntity(String.class); String xml = response.getEntity(String.class);
DocumentBuilder db = DocumentBuilder db =
DocumentBuilderFactory.newInstance().newDocumentBuilder(); XMLUtils.newSecureDocumentBuilderFactory().newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));
@ -105,7 +105,7 @@ private void logResponse(Document doc) {
public static String toXml(Node node) { public static String toXml(Node node) {
StringWriter writer; StringWriter writer;
try { try {
TransformerFactory tf = TransformerFactory.newInstance(); TransformerFactory tf = XMLUtils.newSecureTransformerFactory();
Transformer transformer = tf.newTransformer(); Transformer transformer = tf.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty( transformer.setOutputProperty(
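Review bot: In toXml the new `XMLUtils.newSecureTransformerFactory()` call sits inside the existing try, whose catch clauses are outside the hunk, so it is not visible what happens when the factory cannot be configured. XMLUtils is not shown on this page; if it applies its restrictions through `setAttribute`, a TransformerFactory implementation that does not recognise them would throw IllegalArgumentException (unchecked), which a catch for TransformerException would not cover. It is worth confirming the catch handles that, or adding a comment such as `// secure factory: fails fast if the JAXP implementation rejects the hardening attributes`. toXml only serialises an already-parsed Node, so no untrusted parsing is at stake in this method.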


@ -30,6 +30,7 @@
import org.apache.hadoop.security.http.RestCsrfPreventionFilter; import org.apache.hadoop.security.http.RestCsrfPreventionFilter;
import org.apache.hadoop.service.Service.STATE; import org.apache.hadoop.service.Service.STATE;
import org.apache.hadoop.util.VersionInfo; import org.apache.hadoop.util.VersionInfo;
import org.apache.hadoop.util.XMLUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.MockRM; import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager; import org.apache.hadoop.yarn.server.resourcemanager.ResourceManager;
@ -153,7 +154,7 @@ public void testAllowNonBrowserInteractionWithoutHeader() throws Exception {
} }
public void verifyClusterInfoXML(String xml) throws Exception { public void verifyClusterInfoXML(String xml) throws Exception {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder(); DocumentBuilder db = dbf.newDocumentBuilder();
InputSource is = new InputSource(); InputSource is = new InputSource();
is.setCharacterStream(new StringReader(xml)); is.setCharacterStream(new StringReader(xml));