restrict velocity engine features (SORMAS-Foundation#4231)

Author: syntakker

sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/TemplateEngine.java

@@ -35,13 +35,16 @@
 import org.apache.velocity.Template;
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.exception.VelocityException;
 import org.apache.velocity.runtime.RuntimeConstants;
 import org.apache.velocity.runtime.RuntimeSingleton;
 import org.apache.velocity.runtime.parser.ParseException;
 import org.apache.velocity.runtime.parser.node.SimpleNode;
 import org.apache.velocity.util.introspection.SecureUberspector;
 import org.docx4j.openpackaging.exceptions.Docx4JException;
 import org.docx4j.openpackaging.packages.WordprocessingMLPackage;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import de.symeda.sormas.api.docgeneneration.DocumentTemplateException;
 import de.symeda.sormas.api.docgeneneration.DocumentVariables;
@@ -53,12 +56,29 @@
 import fr.opensagres.xdocreport.template.FieldExtractor;
 import fr.opensagres.xdocreport.template.FieldsExtractor;
 import fr.opensagres.xdocreport.template.IContext;
-import fr.opensagres.xdocreport.template.TemplateEngineKind;
+import fr.opensagres.xdocreport.template.ITemplateEngine;
 import fr.opensagres.xdocreport.template.velocity.internal.ExtractVariablesVelocityVisitor;
+import fr.opensagres.xdocreport.template.velocity.internal.VelocityTemplateEngine;
 
 public class TemplateEngine {
 
 	private static final Pattern VARIABLE_PATTERN = Pattern.compile("([{] *(!)? *([A-Za-z0-9._]+) *[}]| *(!)? *([A-Za-z0-9._]+) *)");
+	private static final Logger logger = LoggerFactory.getLogger(TemplateEngine.class);
+
+	private Properties xdocVelocityProperties;
+
+	public TemplateEngine() {
+		xdocVelocityProperties = new Properties();
+		try {
+			xdocVelocityProperties.load(VelocityTemplateEngine.class.getClassLoader().getResourceAsStream("xdocreport-velocity.properties"));
+		} catch (IOException e) {
+			logger.error("Could not read velocity properties.", e);
+		}
+		// Disable Reflection and Classloader related methods
+		xdocVelocityProperties.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SecureUberspector.class.getCanonicalName());
+		// Disable Includes
+		xdocVelocityProperties.setProperty(RuntimeConstants.EVENTHANDLER_INCLUDE, NoIncludesEventHandler.class.getCanonicalName());
+	}
 
 	public DocumentVariables extractTemplateVariablesDocx(File templateFile) throws DocumentTemplateException {
 		try {
@@ -105,7 +125,7 @@ public byte[] generateDocumentDocx(Properties properties, File templateFile) thr
 			ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
 			report.process(context, outputStream);
 			return outputStream.toByteArray();
-		} catch (IOException | XDocReportException e) {
+		} catch (IOException | XDocReportException | VelocityException e) {
 			throw new DocumentTemplateException(String.format(I18nProperties.getString(Strings.errorDocumentGeneration), templateFile.getName()));
 		}
 	}
@@ -161,7 +181,8 @@ protected IXDocReport readXDocReport(InputStream templateInputStream) throws Doc
 
 		try {
 			ByteArrayInputStream inStream = new ByteArrayInputStream(outStream.toByteArray());
-			return XDocReportRegistry.getRegistry().loadReport(inStream, TemplateEngineKind.Velocity);
+			ITemplateEngine templateEngine = new XDocTemplateEngine(xdocVelocityProperties);
+			return XDocReportRegistry.getRegistry().loadReport(inStream, templateEngine);
 		} catch (IOException | XDocReportException | NullPointerException e) {
 			throw new DocumentTemplateException(I18nProperties.getString(Strings.errorProcessingTemplate));
 		}

sormas-backend/src/main/java/de/symeda/sormas/backend/docgeneration/XDocTemplateEngine.java

@@ -0,0 +1,39 @@
+/*
+ * SORMAS® - Surveillance Outbreak Response Management & Analysis System
+ * Copyright © 2016-2021 Helmholtz-Zentrum für Infektionsforschung GmbH (HZI)
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package de.symeda.sormas.backend.docgeneration;
+
+import java.util.Properties;
+
+import fr.opensagres.xdocreport.core.XDocReportException;
+import fr.opensagres.xdocreport.template.velocity.internal.VelocityTemplateEngine;
+
+public class XDocTemplateEngine extends VelocityTemplateEngine {
+
+	public XDocTemplateEngine(Properties velocityEngineProperties) {
+		super(velocityEngineProperties);
+	}
+
+	@Override
+	public void initializeVelocityEngine(Properties velocityEngineProperties) throws XDocReportException {
+
+		try {
+			getVelocityEngine().setProperty("velocityTemplateEngine", this);
+			getVelocityEngine().init(velocityEngineProperties);
+		} catch (Exception var4) {
+			throw new XDocReportException(var4);
+		}
+	}
+}