Update xml writer

apache-rat-core/pom.xml

@@ -26,6 +26,9 @@
   <packaging>jar</packaging>
   <name>Apache Creadur RAT::Core</name>
   <description>The core functionality of RAT that is used by all clients.</description>
+  <properties>
+    <sonar.exclusions>src/main/java/org/apache/rat/report/xml/writer/XMLChar.java</sonar.exclusions>
+  </properties>
   <build>
     <resources>
       <resource>

apache-rat-core/src/main/java/org/apache/rat/Reporter.java

@@ -94,10 +94,9 @@ public ClaimStatistic execute() throws RatException  {
                         report.startReport();
                         configuration.getSources().build().run(report);
                         report.endReport();
-
-                        InputStream inputStream = new ByteArrayInputStream(outputStream.toByteArray());
-                        document = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(inputStream);
                     }
+                    InputStream inputStream = new ByteArrayInputStream(outputStream.toByteArray());
+                    document = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(inputStream);
                 } else {
                     document = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
                     statistic = new ClaimStatistic();

apache-rat-core/src/main/java/org/apache/rat/report/xml/writer/IXmlWriter.java

@@ -21,6 +21,7 @@
 import java.io.IOException;
 
 import org.apache.rat.report.xml.XmlElements;
+import org.w3c.dom.Document;
 
 /**
  * Simple interface for creating basic XML documents.
@@ -147,4 +148,12 @@ default IXmlWriter openElement(XmlElements.Elements element) throws IOException
      * if called before any call to {@link #openElement(CharSequence)}
      */
     IXmlWriter closeDocument() throws IOException;
+
+    /**
+     * Append an XML document into this one.
+     * @param document the document to append
+     * @return this object
+     * @throws IOException on error.
+     */
+    IXmlWriter append(Document document) throws IOException;
 }

apache-rat-core/src/main/java/org/apache/rat/utils/StandardXmlFactory.java

@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rat.utils;
+
+import java.io.InputStream;
+
+import javax.xml.XMLConstants;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamSource;
+
+/**
+ * Factory to create standard XML objects.  The intention of this class is to resolve in a consistent manner the
+ * XXE errors and similar XML IO errors.
+ */
+public final class StandardXmlFactory {
+
+    private StandardXmlFactory() {
+        // do not instantiate.
+    }
+    /**
+     * Create a transformer with no stylesheet.
+     * @return the transformer.
+     * @throws TransformerConfigurationException on error.
+     */
+    public static Transformer create() throws TransformerConfigurationException {
+        return create(null);
+    }
+
+    /**
+     * Create a transformer with the specified stylesheet.
+     * @param styleIn the stylesheet to use.
+     * @return the transformer.
+     * @throws TransformerConfigurationException on error.
+     */
+    public static Transformer create(final InputStream styleIn) throws TransformerConfigurationException {
+        TransformerFactory factory = TransformerFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        Transformer transformer = styleIn == null ? factory.newTransformer() : factory.newTransformer(new StreamSource(styleIn));
+        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
+        transformer.setOutputProperty(OutputKeys.METHOD, "xml");
+        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+        transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
+        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+        return transformer;
+    }
+}

apache-rat-core/src/test/java/org/apache/rat/report/xml/writer/impl/base/XmlWriterTest.java

@@ -18,24 +18,28 @@
  */ 
 package org.apache.rat.report.xml.writer.impl.base;
 
+import jdk.dynalink.Operation;
 import org.apache.rat.report.xml.writer.InvalidXmlException;
 import org.apache.rat.report.xml.writer.OperationNotAllowedException;
 import org.apache.rat.report.xml.writer.XmlWriter;
+import org.apache.rat.testhelpers.XmlUtils;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.w3c.dom.Document;
 
+import java.io.ByteArrayInputStream;
 import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.util.NoSuchElementException;
 
 import static org.assertj.core.api.Assertions.fail;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-
 public class XmlWriterTest {
 
-    private static final char[] ZERO_CHAR = {(char)0};
-
     private XmlWriter writer;
     private StringWriter out;
 
@@ -337,10 +341,25 @@
         assertEquals(
                 writer, writer.openElement("alpha"), "XmlWriters should always return themselves");
          assertEquals("<alpha", out.toString(), "Alpha element started");
-        assertEquals(
-                writer, writer.content(new String(ZERO_CHAR)), "XmlWriters should always return themselves");
-        String out = this.out.toString();
-        assertEquals("<alpha>?", out, "Replace illegal characters with question marks");
+         CharSequence cs = new CharSequence() {
+             @Override
+             public int length() {
+                 return 1;
+             }
+
+             @Override
+             public char charAt(int index) {
+                 return Character.highSurrogate(0x110000);
+             }
+
+             @Override
+             public CharSequence subSequence(int start, int end) {
+                 return null;
+             }
+         };
+
+        assertEquals(writer, writer.content(cs), "XmlWriters should always return themselves");
+        assertEquals("<alpha>\\uDC00", this.out.toString(), "Replace illegal characters with \\u encoding");
     }
 
     @Test
@@ -482,4 +501,49 @@
             // Each attribute may only be written once
         }
     }
+
+    @Test
+    public void writeCDataBeforeElement() throws Exception {
+        assertThrows(OperationNotAllowedException.class, () -> writer.startDocument().cdata("Just cdata").closeDocument());
+    }
+
+    @Test
+    public void writeCData() throws Exception {
+        writer.startDocument().openElement("test").cdata("Just cdata").closeDocument();
+        assertEquals("<?xml version='1.0'?><test><![CDATA[ Just cdata ]]></test>", out.toString());
+    }
+
+    @Test
+    public void writeCDataEmbeddedCData() throws Exception {
+        writer.startDocument().openElement("test").cdata("Some <![CDATA[ cdata ]]> text").closeDocument();
+        assertEquals("<?xml version='1.0'?><test><![CDATA[ Some \\u3C![CDATA[ cdata {rat:CDATA close} text ]]></test>", out.toString());
+    }
+
+    @Test
+    public void closeElementBeforeOpened() throws Exception {
+        assertThrows(NoSuchElementException.class, () -> writer.startDocument().openElement("test").closeElement("missing"));
+    }
+
+    @Test
+    public void closeElement() throws Exception {
+        writer.startDocument().openElement("root").openElement("hello").openElement("world").content("hello world").closeElement("hello").openElement("test").closeDocument();
+        assertEquals("<?xml version='1.0'?><root><hello><world>hello world</world></hello><test/></root>", out.toString());
+    }
+
+    @Test
+    public void append() throws Exception {
+        // ensure proper line endings
+        String expected = String.format("<?xml version='1.0'?><base>%n" +
+                "<root>%n" +
+                "    <hello>%n" +
+                "        <world>hello world</world>%n" +
+                "    </hello>%n" +
+                "    <test/>%n" +
+                "</root>%n" +
+                "</base>");
+        byte[] rawDocument = "<?xml version='1.0'?><root><hello><world>hello world</world></hello><test/></root>".getBytes(StandardCharsets.UTF_8);
+        Document document = XmlUtils.toDom(new ByteArrayInputStream(rawDocument));
+        writer.startDocument().openElement("base").append(document).closeDocument();
+        assertEquals(expected, out.toString());
+    }
 }

apache-rat-tools/src/main/java/org/apache/rat/tools/xsd/XsdGenerator.java

@@ -30,10 +30,8 @@
 import java.util.List;
 import java.util.Map;
 
-import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 
@@ -45,6 +43,7 @@
 import org.apache.rat.configuration.XMLConfig;
 import org.apache.rat.license.SimpleLicense;
 import org.apache.rat.tools.xsd.XsdWriter.Type;
+import org.apache.rat.utils.StandardXmlFactory;
 
 /**
  * Generates the XSD for a configuration.
@@ -71,16 +70,9 @@
     public static void main(final String[] args) throws IOException, TransformerException {
         XsdGenerator generator = new XsdGenerator();
 
-        TransformerFactory tf = TransformerFactory.newInstance();
-        Transformer transformer;
         try (InputStream in = generator.getInputStream();
              InputStream styleIn = StyleSheets.XML.getStyleSheet().get()) {
-            transformer = tf.newTransformer(new StreamSource(styleIn));
-            transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
-            transformer.setOutputProperty(OutputKeys.METHOD, "xml");
-            transformer.setOutputProperty(OutputKeys.INDENT, "yes");
-            transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
-            transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+            Transformer transformer = StandardXmlFactory.create(styleIn);
             transformer.transform(new StreamSource(in),
                     new StreamResult(new OutputStreamWriter(System.out, StandardCharsets.UTF_8)));
         }
@@ -92,11 +84,11 @@
      * @throws IOException on output errors.
      */
     public InputStream getInputStream() throws IOException {
-        try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
-             Writer writer = new OutputStreamWriter(baos, StandardCharsets.UTF_8)) {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        try (Writer writer = new OutputStreamWriter(baos, StandardCharsets.UTF_8)) {
             write(writer);
-            return new ByteArrayInputStream(baos.toByteArray());
         }
+        return new ByteArrayInputStream(baos.toByteArray());
     }
 
     /**

src/conf/checkstyle-suppressions.xml

@@ -61,4 +61,8 @@
   <suppress checks="[a-zA-Z0-9]*"
             files="src[/\\]main[/\\]java[/\\]org[/\\]apache[/\\]rat[/\\]anttasks[/\\]BaseAntTask.java" />
 
+  <!-- Suppress checks for imported code -->
+  <suppress checks="[a-zA-Z0-9]*"
+            files="org[/\\]apache[/\\]rat[/\\]report[/\\]xml[/\\]writer[/\\]XMLChar.java" />
+
 </suppressions>