ppkarwasz opened a new pull request, #18:
URL: https://github.com/apache/commons-xml/pull/18

   Fixes [COMMONSXML-9](https://issues.apache.org/jira/browse/COMMONSXML-9).
   
   ## Problem
   
   A hardened factory from `XmlFactories` blocks external DTDs, entities, 
schemas and stylesheets. On Apache Xerces, Woodstox, Xalan and the JDK's 
built-in StAX (Zephyr), installing a custom resolver silently removed that 
protection. Unlike the stock JDK (JEP 185 `ACCESS_EXTERNAL_*`), Saxon 
(`allowedProtocols`) and Android (ignore-all), these implementations fall back 
to fetching whatever a resolver leaves unresolved, so a caller's `set*Resolver` 
overwrote the deny floor the hardening relied on and re-opened the XXE/SSRF 
surface.
   
   ## Change
   
   Install a non-removable resolver floor on every resolver channel: 
`EntityResolver` (DOM/SAX), `LSResourceResolver` (schema), `URIResolver` (XSLT) 
and `XMLResolver` (StAX). The hardened wrappers keep their own floor installed 
and route a caller's resolver through it as a delegate:
   
   - the caller's resolver is consulted first, so it can still opt a specific 
resource in by returning a non-`null` value;
   - anything left unresolved (a `null` return, or no caller resolver) takes 
the floor's default action, deny (or ignore for the Woodstox DTD-subset and 
undeclared-entity hooks), instead of the implementation's resolve-all fallback.
   
   Installing a resolver is now in scope: a custom resolver can add permitted 
resources but can no longer remove the block.
   
   ## Threat model
   
   The threat model is amended to explicitly allow users to install their own 
resolvers,
   except implementation-specific types like Xerces 
`http://apache.org/xml/properties/internal/entity-resolver`.
   
   ## Tests
   
   - New `EntityResolverFloorTest` is the core coverage: on every channel 
(`EntityResolver`, `LSResourceResolver`, `URIResolver`, `XMLResolver`), an 
allow-list resolver still opts a specific resource in, while a resolver that 
resolves nothing cannot re-open a blocked fetch.
   - It also adds DOM and SAX tests that resolve a relative XInclude sibling 
through a caller resolver, skipped where JAXP does not support 
`setXIncludeAware` (Android).
   - The full JVM suite and the Android connected suite pass.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to