Use UTF-8 explicitly when reading SBML/SED-ML XML

vcell-core/src/main/java/org/jlibsedml/Libsedml.java

@@ -11,7 +11,7 @@
 import java.io.InputStream;
 import java.io.OutputStreamWriter;
 import java.io.StringReader;
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.zip.ZipEntry;
@@ -100,8 +100,8 @@ public static SedMLDocument readDocument(File file) throws XMLException {
      */
     public static SedMLDocument readDocument(InputStream is, String encoding) throws XMLException, IOException {
         if(encoding == null) {
-            encoding = Charset.defaultCharset().name();
-        }     
+            encoding = StandardCharsets.UTF_8.name();
+        }
         List<String> lines = IOUtils.readLines(is, encoding);
         String content =  StringUtils.join(lines, "\n");
         return readDocumentFromString(content);

vcell-core/src/main/java/org/jlibsedml/XpathGeneratorHelper.java

@@ -3,6 +3,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -51,7 +52,7 @@ public boolean addIdentifiersAsDataGenerators(final AbstractTask task, final Str
             String modelStrRep = modelResolver.getModelXMLFor(modelFound.getSourceURI());
             if (modelStrRep == null) return false;
 
-            Document doc = utils.readDoc(new ByteArrayInputStream(modelStrRep.getBytes()));
+            Document doc = utils.readDoc(new ByteArrayInputStream(modelStrRep.getBytes(StandardCharsets.UTF_8)));
 
             List<AllOrNothingConfig> configs = new ArrayList<>();
             for (IdName idn : idNameList) {

vcell-core/src/main/java/org/jlibsedml/modelsupport/KisaoTermParser.java

@@ -7,6 +7,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -34,7 +35,7 @@ class KisaoTermParser {
     KisaoOntology parse() {
         InputStream is2 = KisaoTermParser.class.getClassLoader()
                 .getResourceAsStream(Kisao_OBO);
-        BufferedReader isr = new BufferedReader(new InputStreamReader(is2));
+        BufferedReader isr = new BufferedReader(new InputStreamReader(is2, StandardCharsets.UTF_8));
         String line = null;
         boolean inPreamble = true;
         boolean inState = false;

vcell-core/src/main/java/org/vcell/sbml/vcell/SBMLImporter.java

@@ -83,7 +83,6 @@
 import javax.xml.stream.XMLStreamException;
 import java.beans.PropertyVetoException;
 import java.io.*;
-import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.util.*;
 import java.util.Map.Entry;
@@ -1931,7 +1930,7 @@ private SBMLDocument readSbmlDocument(File sbmlFile){
         final String defaultErrorPrefix = "Unable to read SBML file";
         try {
             // Read SBML model into libSBML SBMLDocument and create an SBML model
-            List<String> readLines = FileUtils.readLines(sbmlFile, Charset.defaultCharset());
+            List<String> readLines = FileUtils.readLines(sbmlFile, StandardCharsets.UTF_8);
             StringBuilder sb = new StringBuilder();
             //Temporary fix for org.sbml.jsbml.xml.parsers.RenderParser.processEndDocument(SBMLDocument sbmlDocument)
             //throws NPE when "<sbml ... xmlns:render... " is defined in input document

vcell-core/src/main/java/org/vcell/sedml/SedMLImporter.java

@@ -69,7 +69,7 @@
 
 import java.beans.PropertyVetoException;
 import java.io.*;
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 
 import java.nio.file.Files;
 import java.util.*;
@@ -1110,7 +1110,7 @@ private BioModel importModel(Model mm) {
 					logger.error("failed to make BioPax objects", e);
 				}
 			} else {				// we assume it's sbml, if it's neither import will fail
-				InputStream sbmlSource = IOUtils.toInputStream(modelXML, Charset.defaultCharset());
+				InputStream sbmlSource = IOUtils.toInputStream(modelXML, StandardCharsets.UTF_8);
 				boolean bValidateSBML = false;
 				SBMLImporter sbmlImporter = new SBMLImporter(sbmlSource, this.transLogger, bValidateSBML);
 				bioModel = sbmlImporter.getBioModel();

vcell-core/src/main/java/org/vcell/sybil/util/xml/DOMUtil.java

@@ -18,6 +18,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.Vector;
 
@@ -42,6 +43,13 @@ public class DOMUtil {
 	protected static void initBuilder() throws ParserConfigurationException {
 		if(builder == null) {
 			DocumentBuilderFactory factory = new DocumentBuilderFactoryImpl();
+			// CWE-611: disable DTD and external entity processing
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			factory.setXIncludeAware(false);
+			factory.setExpandEntityReferences(false);
 			builder = factory.newDocumentBuilder();
 		}
 	}
@@ -55,7 +63,7 @@ public static Document parse(InputStream is)
 	public static Document parse(String text) 
 	throws SAXException, IOException, ParserConfigurationException {
 		initBuilder();
-		return builder.parse(new ByteArrayInputStream(text.getBytes()));
+		return builder.parse(new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
 	}
 
 	public static void serialize(Document document, OutputStream out) throws IOException {

vcell-core/src/test/java/org/vcell/sbml/SBMLImportCharsetTest.java

@@ -0,0 +1,110 @@
+package org.vcell.sbml;
+
+import cbit.util.xml.VCLogger;
+import cbit.util.xml.VCLoggerException;
+import cbit.vcell.biomodel.BioModel;
+import cbit.vcell.model.ReactionStep;
+import cbit.vcell.model.SpeciesContext;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+import org.vcell.sbml.vcell.SBMLImporter;
+
+import java.io.File;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+/**
+ * Verifies SBML import reads non-ASCII attribute values byte-for-byte from a
+ * UTF-8 source. The two reaction-name patterns chosen here (en-dash U+2013 and
+ * Greek mu U+03BC) are common in scientific notation and would mojibake under
+ * the previous {@code Charset.defaultCharset()} read on a non-UTF-8 JVM.
+ */
+@Tag("Fast")
+public class SBMLImportCharsetTest {
+
+    private static class CapturingVCLogger extends VCLogger {
+        @Override public boolean hasMessages() { return false; }
+        @Override public void sendAllMessages() { }
+        @Override public void sendMessage(Priority p, ErrorType et, String message) throws VCLoggerException {
+            if (p == Priority.HighPriority) {
+                throw new VCLoggerException(p + " " + et + ": " + message);
+            }
+        }
+    }
+
+    private static final String SBML_WITH_NON_ASCII =
+            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+            "<sbml xmlns=\"http://www.sbml.org/sbml/level2/version4\" level=\"2\" version=\"4\">\n" +
+            "  <model id=\"charsetTestModel\">\n" +
+            "    <listOfCompartments>\n" +
+            "      <compartment id=\"c1\" size=\"1.0\"/>\n" +
+            "    </listOfCompartments>\n" +
+            "    <listOfSpecies>\n" +
+            "      <species id=\"s1\" name=\"μ-prot\" compartment=\"c1\" initialConcentration=\"1.0\"/>\n" +
+            "    </listOfSpecies>\n" +
+            "    <listOfReactions>\n" +
+            "      <reaction id=\"r1\" name=\"k_14–3–3\">\n" +
+            "        <listOfProducts>\n" +
+            "          <speciesReference species=\"s1\"/>\n" +
+            "        </listOfProducts>\n" +
+            "        <kineticLaw>\n" +
+            "          <math xmlns=\"http://www.w3.org/1998/Math/MathML\">\n" +
+            "            <cn>1.0</cn>\n" +
+            "          </math>\n" +
+            "        </kineticLaw>\n" +
+            "      </reaction>\n" +
+            "    </listOfReactions>\n" +
+            "  </model>\n" +
+            "</sbml>\n";
+
+    @Test
+    public void importsUtf8ReactionAndSpeciesNames() throws Exception {
+        Path tmp = Files.createTempFile("vcell-charset-test-", ".xml");
+        try {
+            Files.write(tmp, SBML_WITH_NON_ASCII.getBytes(StandardCharsets.UTF_8));
+
+            SBMLImporter importer = new SBMLImporter(tmp.toAbsolutePath().toString(), new CapturingVCLogger(), false);
+            BioModel bioModel = importer.getBioModel();
+            assertNotNull(bioModel);
+
+            ReactionStep r1 = null;
+            for (ReactionStep rs : bioModel.getModel().getReactionSteps()) {
+                if ("r1".equals(rs.getName())) { r1 = rs; break; }
+            }
+            assertNotNull(r1, "expected reaction with id 'r1' in imported model");
+            assertEquals("k_14–3–3", r1.getSbmlName(),
+                    "reaction sbmlName must preserve U+2013 EN DASH characters");
+
+            SpeciesContext s1 = null;
+            for (SpeciesContext sc : bioModel.getModel().getSpeciesContexts()) {
+                if ("s1".equals(sc.getName())) { s1 = sc; break; }
+            }
+            assertNotNull(s1, "expected species with id 's1' in imported model");
+            assertEquals("μ-prot", s1.getSbmlName(),
+                    "species sbmlName must preserve U+03BC GREEK SMALL LETTER MU");
+        } finally {
+            Files.deleteIfExists(tmp);
+        }
+    }
+
+    @Test
+    public void inputStreamPathPreservesUtf8() throws Exception {
+        try (java.io.ByteArrayInputStream in =
+                     new java.io.ByteArrayInputStream(SBML_WITH_NON_ASCII.getBytes(StandardCharsets.UTF_8))) {
+            SBMLImporter importer = new SBMLImporter(in, new CapturingVCLogger(), false);
+            BioModel bioModel = importer.getBioModel();
+            assertNotNull(bioModel);
+
+            ReactionStep r1 = null;
+            for (ReactionStep rs : bioModel.getModel().getReactionSteps()) {
+                if ("r1".equals(rs.getName())) { r1 = rs; break; }
+            }
+            assertNotNull(r1);
+            assertEquals("k_14–3–3", r1.getSbmlName());
+        }
+    }
+}