added DCL pattern implementation for TransformerUtil

Closes #40030 Signed-off-by: Anchels <mishtitov@gmail.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Anchels <42744001+Anchels@users.noreply.github.com>
2025-12-16 20:15:46 -06:00 · 2025-06-06 15:06:29 +02:00
parent 8cff835c30
commit 20dcb4f4f7
1 changed files with 32 additions and 27 deletions
--- a/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
@@ -37,7 +37,6 @@ import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.events.Attribute;
 import javax.xml.stream.events.Characters;
 import javax.xml.stream.events.Comment;
-import javax.xml.stream.events.EndElement;
 import javax.xml.stream.events.Namespace;
 import javax.xml.stream.events.StartElement;
 import javax.xml.stream.events.XMLEvent;
@@ -67,7 +66,7 @@ public class TransformerUtil {

    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

-    private static TransformerFactory transformerFactory;
+    private static volatile TransformerFactory transformerFactory;

    /**
     * Get the Default Transformer
@@ -102,32 +101,38 @@ public class TransformerUtil {
     */
    public static TransformerFactory getTransformerFactory() throws TransformerFactoryConfigurationError {
        if (transformerFactory == null) {
-            boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
-                    .equalsIgnoreCase("true");
-            ClassLoader prevTCCL = SecurityActions.getTCCL();
-            try {
-                if (tccl_jaxp) {
-                    SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
-                }
-                transformerFactory = TransformerFactory.newInstance();
-                try {
-                    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-                } catch (TransformerConfigurationException ignored) {
-                    // some platforms don't support this.   For example our testsuite pulls Selenium which requires Xalan 2.7.1
-                    logger.warn("XML External Entity switches are not supported.  You may get XML injection vulnerabilities.");
-                }
-                try {
-                    transformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_DTD, "");
+            synchronized (TransformerUtil.class) {
+                if (transformerFactory == null) {
+                    boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
+                            .equalsIgnoreCase("true");
+                    ClassLoader prevTCCL = SecurityActions.getTCCL();
+                    TransformerFactory localTransformerFactory;
+                    try {
+                        if (tccl_jaxp) {
+                            SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
+                        }
+                        localTransformerFactory = TransformerFactory.newInstance();
+                        try {
+                            localTransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                        } catch (TransformerConfigurationException ignored) {
+                            // some platforms don't support this.   For example our testsuite pulls Selenium which requires Xalan 2.7.1
+                            logger.warn("XML External Entity switches are not supported.  You may get XML injection vulnerabilities.");
+                        }
+                        try {
+                            localTransformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_DTD, "");

-                    transformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
-                } catch (Exception ignored) {
-                    // some platforms don't support this.   For example our testsuite pulls Selenium which requires Xalan 2.7.1
-                    logger.warn("XML External Entity switches are not supported.  You may get XML injection vulnerabilities.");
-                }
+                            localTransformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                        } catch (Exception ignored) {
+                            // some platforms don't support this.   For example our testsuite pulls Selenium which requires Xalan 2.7.1
+                            logger.warn("XML External Entity switches are not supported.  You may get XML injection vulnerabilities.");
+                        }

-            } finally {
-                if (tccl_jaxp) {
-                    SecurityActions.setTCCL(prevTCCL);
+                    } finally {
+                        if (tccl_jaxp) {
+                            SecurityActions.setTCCL(prevTCCL);
+                        }
+                    }
+                    transformerFactory = localTransformerFactory;
                }
            }
        }
@@ -447,4 +452,4 @@ public class TransformerUtil {
            }
        }
    }
-}
+}