Read docx files using docx4j (SORMAS-Foundation#4095)

syntakker · syntakker · commit 64e125351ac2 · 2021-01-25T12:11:54.000+01:00
diff --git a/sormas-backend/pom.xml b/sormas-backend/pom.xml
@@ -85,12 +85,20 @@
 			<artifactId>fr.opensagres.xdocreport.template.velocity</artifactId>
 		</dependency>
 
+		<dependency>
+			<groupId>org.docx4j</groupId>
+			<artifactId>docx4j-docx-anon</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.docx4j</groupId>
+			<artifactId>docx4j-JAXB-ReferenceImpl</artifactId>
+		</dependency>
+
 		<dependency>
 			<groupId>org.freemarker</groupId>
 			<artifactId>freemarker</artifactId>
 		</dependency>
 
-
 		<!-- Testing -->
 
 		<dependency>
diff --git a/sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/TemplateEngineService.java b/sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/TemplateEngineService.java
@@ -14,6 +14,8 @@
 import javax.ejb.LocalBean;
 import javax.ejb.Stateless;
 
+import org.docx4j.openpackaging.exceptions.Docx4JException;
+import org.docx4j.openpackaging.packages.WordprocessingMLPackage;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -37,7 +39,7 @@ public class TemplateEngineService {
 	private ConfigFacadeEjb.ConfigFacadeEjbLocal configFacade;
 
 	public Set<String> extractTemplateVariables(InputStream templateFile) throws IOException, XDocReportException {
-		IXDocReport report = XDocReportRegistry.getRegistry().loadReport(templateFile, TemplateEngineKind.Velocity);
+		IXDocReport report = readXDocReport(templateFile);
 
 		FieldsExtractor<FieldExtractor> extractor = FieldsExtractor.create();
 		report.extractFields(extractor);
@@ -60,7 +62,7 @@ public Set<String> extractTemplateVariables(InputStream templateFile) throws IOE
 	}
 
 	public InputStream generateDocument(Properties properties, InputStream templateFile) throws IOException, XDocReportException {
-		IXDocReport report = XDocReportRegistry.getRegistry().loadReport(templateFile, TemplateEngineKind.Velocity);
+		IXDocReport report = readXDocReport(templateFile);
 
 		IContext context = report.createContext();
 		for (Object key : properties.keySet()) {
@@ -78,8 +80,9 @@ public InputStream generateDocument(Properties properties, InputStream templateF
 	}
 
 	public void validateTemplate(InputStream templateFile) {
+
 		try {
-			IXDocReport report = XDocReportRegistry.getRegistry().loadReport(templateFile, TemplateEngineKind.Velocity);
+			IXDocReport report = readXDocReport(templateFile);
 			FieldsExtractor<FieldExtractor> extractor = FieldsExtractor.create();
 			report.extractFields(extractor);
 		} catch (Exception e) {
@@ -90,4 +93,20 @@ public void validateTemplate(InputStream templateFile) {
 	public String getTempDir() {
 		return configFacade.getCustomFilesPath();
 	}
+
+	private IXDocReport readXDocReport(InputStream templateFile) throws IOException, XDocReportException {
+
+		try {
+			// Sanitize docx template for XXEs
+			WordprocessingMLPackage wordMLPackage = WordprocessingMLPackage.load(templateFile);
+			wordMLPackage.getDocumentModel();
+
+			ByteArrayOutputStream outStream = new ByteArrayOutputStream();
+			wordMLPackage.save(outStream);
+			ByteArrayInputStream inStream1 = new ByteArrayInputStream(outStream.toByteArray());
+			return XDocReportRegistry.getRegistry().loadReport(inStream1, TemplateEngineKind.Velocity);
+		} catch (Docx4JException e) {
+			throw new IllegalArgumentException(e.getMessage(), e);
+		}
+	}
 }
diff --git a/sormas-backend/src/test/java/de/symeda/sormas/backend/docgeneration/QuarantineOrderFacadeEjbTest.java b/sormas-backend/src/test/java/de/symeda/sormas/backend/docgeneration/QuarantineOrderFacadeEjbTest.java
@@ -191,15 +191,15 @@ public void validateTemplateTest() throws IOException {
 			quarantineOrderFacadeEjb.writeQuarantineTemplate("TemplateFileToBeValidated.docx", new byte[0]);
 			fail("Invalid docx file not recognized.");
 		} catch (IllegalArgumentException e) {
-			assertEquals("InputStream is not a zip.", e.getMessage());
+			assertEquals("Error reading from the stream (no bytes available)", e.getMessage());
 		}
 		try {
 			byte[] document = IOUtils.toByteArray(getClass().getResourceAsStream("/docgeneration/quarantine/FaultyTemplate.docx"));
 			quarantineOrderFacadeEjb.writeQuarantineTemplate("TemplateFileToBeValidated.docx", document);
 			fail("Syntax error not recognized.");
 		} catch (IllegalArgumentException e) {
 			String message =
-				"org.apache.velocity.runtime.parser.TemplateParseException: Encountered \"].</w:t></w:r></w:p><w:p><w:pPr><w:pStyle w:val=\\\"Normal\\\"/><w:bidi w:val=\\\"0\\\"/><w:ind w:right=\\\"3117\\\" w:hanging=\\\"0\\\"/><w:jc w:val=\\\"both\\\"/><w:rPr><w:rFonts w:ascii=\\\"DejaVu Sans\\\" w:hAnsi=\\\"DejaVu Sans\\\"/><w:sz w:val=\\\"21\\\"/><w:szCs w:val=\\\"21\\\"/></w:rPr></w:pPr><w:r><w:rPr><w:b w:val=\\\"false\\\"/><w:bCs w:val=\\\"false\\\"/></w:rPr></w:r></w:p><w:p><w:pPr><w:pStyle w:val=\\\"Normal\\\"/><w:bidi w:val=\\\"0\\\"/><w:ind w:right=\\\"3117\\\" w:hanging=\\\"0\\\"/><w:jc w:val=\\\"both\\\"/><w:rPr><w:b w:val=\\\"false\\\"/><w:b w:val=\\\"false\\\"/><w:bCs w:val=\\\"false\\\"/></w:rPr></w:pPr><w:r><w:rPr><w:rFonts w:ascii=\\\"DejaVu Sans\\\" w:hAnsi=\\\"DejaVu Sans\\\"/><w:b w:val=\\\"false\\\"/><w:bCs w:val=\\\"false\\\"/><w:sz w:val=\\\"21\\\"/><w:szCs w:val=\\\"21\\\"/></w:rPr><w:t>Processing of this template should fail.</w:t></w:r></w:p><w:sectPr><w:type w:val=\\\"nextPage\\\"/><w:pgSz w:w=\\\"11906\\\" w:h=\\\"16838\\\"/><w:pgMar w:left=\\\"1134\\\" w:right=\\\"1134\\\" w:header=\\\"0\\\" w:top=\\\"1134\\\" w:footer=\\\"0\\\" w:bottom=\\\"1134\\\" w:gutter=\\\"0\\\"/><w:pgNumType w:fmt=\\\"decimal\\\"/><w:formProt w:val=\\\"false\\\"/><w:textDirection w:val=\\\"lrTb\\\"/><w:docGrid w:type=\\\"default\\\" w:linePitch=\\\"100\\\" w:charSpace=\\\"0\\\"/></w:sectPr></w:body></w:document>\" at word/document.xml[line 1, column 1240]\n"
+				"org.apache.velocity.runtime.parser.TemplateParseException: Encountered \"].</w:t>\\n            </w:r>\\n        </w:p>\\n        <w:p>\\n            <w:pPr>\\n                <w:pStyle w:val=\\\"Normal\\\"/>\\n                <w:bidi w:val=\\\"false\\\"/>\\n                <w:ind w:right=\\\"3117\\\" w:hanging=\\\"0\\\"/>\\n                <w:jc w:val=\\\"both\\\"/>\\n                <w:rPr>\\n                    <w:rFonts w:ascii=\\\"DejaVu Sans\\\" w:hAnsi=\\\"DejaVu Sans\\\"/>\\n                    <w:sz w:val=\\\"21\\\"/>\\n                    <w:szCs w:val=\\\"21\\\"/>\\n                </w:rPr>\\n            </w:pPr>\\n            <w:r>\\n                <w:rPr>\\n                    <w:b w:val=\\\"false\\\"/>\\n                    <w:bCs w:val=\\\"false\\\"/>\\n                </w:rPr>\\n            </w:r>\\n        </w:p>\\n        <w:p>\\n            <w:pPr>\\n                <w:pStyle w:val=\\\"Normal\\\"/>\\n                <w:bidi w:val=\\\"false\\\"/>\\n                <w:ind w:right=\\\"3117\\\" w:hanging=\\\"0\\\"/>\\n                <w:jc w:val=\\\"both\\\"/>\\n                <w:rPr>\\n                    <w:b w:val=\\\"false\\\"/>\\n                    <w:bCs w:val=\\\"false\\\"/>\\n                </w:rPr>\\n            </w:pPr>\\n            <w:r>\\n                <w:rPr>\\n                    <w:rFonts w:ascii=\\\"DejaVu Sans\\\" w:hAnsi=\\\"DejaVu Sans\\\"/>\\n                    <w:b w:val=\\\"false\\\"/>\\n                    <w:bCs w:val=\\\"false\\\"/>\\n                    <w:sz w:val=\\\"21\\\"/>\\n                    <w:szCs w:val=\\\"21\\\"/>\\n                </w:rPr>\\n                <w:t>Processing of this template should fail.</w:t>\\n            </w:r>\\n        </w:p>\\n        <w:sectPr>\\n            <w:type w:val=\\\"nextPage\\\"/>\\n            <w:pgSz w:w=\\\"11906\\\" w:h=\\\"16838\\\"/>\\n            <w:pgMar w:top=\\\"1134\\\" w:right=\\\"1134\\\" w:bottom=\\\"1134\\\" w:left=\\\"1134\\\" w:header=\\\"0\\\" w:footer=\\\"0\\\" w:gutter=\\\"0\\\"/>\\n            <w:pgNumType w:fmt=\\\"decimal\\\"/>\\n            <w:formProt w:val=\\\"false\\\"/>\\n            <w:textDirection w:val=\\\"lrTb\\\"/>\\n            <w:docGrid w:type=\\\"default\\\" w:linePitch=\\\"100\\\" w:charSpace=\\\"0\\\"/>\\n        </w:sectPr>\\n    </w:body>\\n</w:document>\" at word/document.xml[line 22, column 59]\n"
 					+ "Was expecting one of:\n" //
 					+ "    \"[\" ...\n" //
 					+ "    \"}\" ...\n    ";
diff --git a/sormas-base/pom.xml b/sormas-base/pom.xml
@@ -33,6 +33,7 @@
 		<bouncycastle.version>1.67</bouncycastle.version>
 		<keycloak.version>11.0.3</keycloak.version>
 		<xdocreport.version>2.0.2</xdocreport.version>
+		<docx4j.version>8.2.8</docx4j.version>
 
 		<!-- Attention: Compile dependencies with versions are maintained redundantly in sormas-app/app/build.gradle -->
 
@@ -616,6 +617,17 @@
 				<version>${swagger.version}</version>
 			</dependency>
 
+			<dependency>
+				<groupId>org.docx4j</groupId>
+				<artifactId>docx4j-docx-anon</artifactId>
+				<version>${docx4j.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.docx4j</groupId>
+				<artifactId>docx4j-JAXB-ReferenceImpl</artifactId>
+				<version>${docx4j.version}</version>
+			</dependency>
+
 			<dependency>
 				<groupId>org.freemarker</groupId>
 				<artifactId>freemarker</artifactId>
