Thanks Francesco! Colm.
On Mon, Oct 24, 2022 at 4:08 PM Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>
> Hi Colm,
> that class is used exclusively for the db content bootstrap process, which
> is run only on an empty database.
> The input is given through the Domain Content XML file (typically,
> MasterContent.xml), which can be configured to be loaded either from
> classpath or conf.dir.
>
> Nevertheless, the library was upgraded on both active git branches 2_1_X
> and master, and also included in the last release.
> Library version can also be set for override on projects based on old
> releases, via maven property.
>
> Regards.
>
> On Mon, 24 Oct 2022 at 13:41 Colm O hEigeartaigh <cohei...@apache.org>
> wrote:
>
> > Hi,
> >
> > Regarding the recent Apache Commons Text advisory
> > (https://blogs.apache.org/security/entry/cve-2022-42889), Syncope uses
> > the StringSubstitutor API here:
> >
> > https://github.com/apache/syncope/blob/7309dd303f2fe9238df4b69776f6284a87549599/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/ContentLoaderHandler.java
> >
> > Can you confirm please that all of the input used with
> > StringSubstitutor in this class can be classified as "trusted input"?
> >
> > Thanks,
> >
> > Colm.
> >
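The thread above turns on whether every string fed to StringSubstitutor is trusted, because CVE-2022-42889 is about the default interpolator resolving "script", "dns" and "url" lookups (so a placeholder such as ${script:javascript:...} runs code under Commons Text 1.5 through 1.9). The example below is added here and is not Syncope's ContentLoaderHandler code; it shows the check a reviewer would want for any StringSubstitutor call site: build the substitutor from an explicit allow-list of lookups rather than from createInterpolator(), so that even a hostile placeholder is left unresolved. The sample placeholder strings, the parameter map and the lookup prefixes "env" and "sys" are constructed for illustration; the StringSubstitutor and StringLookupFactory calls are the real Commons Text API.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class RestrictedSubstitutionExample {

    // Constructed sample: the kind of placeholder a bootstrap content file
    // (e.g. MasterContent.xml) might legitimately carry.
    static final String TRUSTED_LINE = "<User username=\"${adminUser}\"/>";

    // Constructed sample: the input shape behind CVE-2022-42889. With the
    // default interpolator of Commons Text 1.5 - 1.9 this would execute
    // JavaScript; here it must come out unevaluated.
    static final String HOSTILE_LINE =
            "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    /**
     * Substitute placeholders using only an explicit allow-list of lookups.
     * "env" and "sys" are assumed to be the only prefixed lookups the file
     * needs; the caller-supplied map is the default (unprefixed) lookup and
     * addDefaultLookups=false keeps script/dns/url and friends out entirely.
     */
    static String substituteRestricted(final String input, final Map<String, String> params) {
        StringLookup paramLookup = StringLookupFactory.INSTANCE.mapStringLookup(params);

        StringLookup allowList = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                Map.of(
                        "env", StringLookupFactory.INSTANCE.environmentVariableStringLookup(),
                        "sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup()),
                paramLookup,
                false);

        return new StringSubstitutor(allowList).replace(input);
    }

    public static void main(final String[] args) {
        Map<String, String> params = Map.of("adminUser", "admin");

        // Resolves to <User username="admin"/>
        System.out.println(substituteRestricted(TRUSTED_LINE, params));

        // "script" is not a registered prefix and the default map has no such
        // key, so the placeholder is returned verbatim instead of being run.
        System.out.println(substituteRestricted(HOSTILE_LINE, params));
    }
}
```

Upgrading to Commons Text 1.10.0 (the fix Francesco refers to) changes createInterpolator() so that the script, dns and url lookups are no longer enabled by default, which is why the library bump alone closes the advisory. The allow-list form above is the belt-and-braces version for a call site whose input might one day stop being trusted: it does not depend on the library's default set at all, and it also makes explicit which lookups (here env and sys, which can still disclose environment variables and system properties into the substituted text) the content file is allowed to reach.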