[
https://issues.apache.org/jira/browse/JENA-2331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544230#comment-17544230
]
Andy Seaborne commented on JENA-2331:
-------------------------------------
Jena as supplied is secure by recommended practice and has been security
reviewed.
The last thing I want is to unsecure Jena and receive another security report
that it is possible to bypass the securing of XML parsing. Proper handling of
such security reports and issuing a CVE is time consuming.
I don't see anything in the issue to say that Woodstox is secure by default,
without configuration. What are the correct settings for Woodstox?
bq. We have another third party library that pulled it in. And the intent is
clearly to use the parser directly
I assume you've tested this 3rd party setup to check that the settings do not
interfere - i.e. it never processes DTDs.
Does it set up Woodstox to be secure?
PS https://github.com/FasterXML/woodstox/issues/61
> JenaXMLInput does not play well with Woodstox
> ---------------------------------------------
>
> Key: JENA-2331
> URL: https://issues.apache.org/jira/browse/JENA-2331
> Project: Apache Jena
> Issue Type: Bug
> Components: Core
> Affects Versions: Jena 4.5.0
> Reporter: Brian Vosburgh
> Priority: Major
>
> New in 4.5.0, {{JenaXMLInput}} initializes the loaded {{XMLInputFactory}}
> with at least one property that is not supported by the Woodstox StAX parser
> (see [https://github.com/FasterXML/woodstox/issues/51]). This results in a
> logged stack trace that looks like this:
> {code}
> ERROR [main] o.a.j.u.JenaXMLInput - Problem setting StAX property
> java.lang.IllegalArgumentException: Unrecognized property 'http://javax.xml.XMLConstants/property/accessExternalDTD'
> at com.ctc.wstx.api.CommonConfig.reportUnknownProperty(CommonConfig.java:167) ~[woodstox-core-6.2.7.jar:6.2.7]
> at com.ctc.wstx.api.CommonConfig.setProperty(CommonConfig.java:158) ~[woodstox-core-6.2.7.jar:6.2.7]
> at com.ctc.wstx.api.ReaderConfig.setProperty(ReaderConfig.java:35) ~[woodstox-core-6.2.7.jar:6.2.7]
> at com.ctc.wstx.stax.WstxInputFactory.setProperty(WstxInputFactory.java:400) ~[woodstox-core-6.2.7.jar:6.2.7]
> at org.apache.jena.util.JenaXMLInput.initXMLInputFactory(JenaXMLInput.java:81) ~[jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.util.JenaXMLInput.<clinit>(JenaXMLInput.java:90) ~[jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.rdfxml.xmlinput.impl.RDFXMLParser.create(RDFXMLParser.java:75) ~[jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.rdfxml.xmlinput.ARP.<init>(ARP.java:76) ~[jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.lang.ReaderRIOTRDFXML.<init>(ReaderRIOTRDFXML.java:62) ~[jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.lang.ReaderRIOTRDFXML.lambda$static$0(ReaderRIOTRDFXML.java:59) ~[jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFParser.createReader(RDFParser.java:486) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFParser.createReader(RDFParser.java:480) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFParser.parseNotUri(RDFParser.java:399) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFParser.parse(RDFParser.java:356) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFParserBuilder.parse(RDFParserBuilder.java:568) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFDataMgr.parseFromInputStream(RDFDataMgr.java:718) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFDataMgr.read(RDFDataMgr.java:253) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.RDFDataMgr.read(RDFDataMgr.java:235) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.riot.adapters.RDFReaderRIOT.read(RDFReaderRIOT.java:69) [jena-arq-4.5.0.jar:4.5.0]
> at org.apache.jena.rdf.model.impl.ModelCom.read(ModelCom.java:253) [jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.ontology.OntDocumentManager.findMetadata(OntDocumentManager.java:890) [jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.ontology.OntDocumentManager.initialiseMetadata(OntDocumentManager.java:848) [jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.ontology.OntDocumentManager.<init>(OntDocumentManager.java:196) [jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.ontology.OntDocumentManager.<init>(OntDocumentManager.java:178) [jena-core-4.5.0.jar:4.5.0]
> at org.apache.jena.ontology.OntDocumentManager.<init>(OntDocumentManager.java:162) [jena-core-4.5.0.jar:4.5.0]
> {code}
> Jena should probably do one of the following:
> * Instead of relying on whatever parser is discovered by
> {{XMLInputFactory.newInstance()}}, Jena can directly load the
> JDK-supplied parser, which supports these properties, by calling
> {{XMLInputFactory.newDefaultFactory()}} instead.
> * Jena can be a bit more robust when dealing with non-JDK parsers by
> wrapping each call to {{XMLInputFactory.setProperty(...)}} with a separate
> {{try-catch}} block and log any exception appropriately.
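The two suggestions in the issue (use the JDK factory via {{newDefaultFactory()}}, or set each property in its own try/catch) and Andy's question about which settings actually make Woodstox safe are illustrated by the following added example. It is not Jena's {{JenaXMLInput}} and not Woodstox project code; the class and method names ({{HardenedStaxFactory}}, {{harden}}, {{trySet}}, {{elementNames}}) are hypothetical, {{XMLInputFactory.newDefaultFactory()}} requires Java 9 or later, and the test document is constructed for the example. The standard StAX properties {{SUPPORT_DTD}} and {{IS_SUPPORTING_EXTERNAL_ENTITIES}} are the ones every StAX implementation, Woodstox included, must understand; the JAXP {{accessExternalDTD}} / {{accessExternalSchema}} properties are the ones Woodstox rejects with the {{IllegalArgumentException}} shown in the stack trace, so they are treated as best-effort.

```java
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

// Added example, not Jena's JenaXMLInput: harden whatever StAX factory the
// classpath provides, setting each property in its own try/catch so that a
// parser lacking one property (Woodstox and accessExternalDTD) neither aborts
// the configuration nor silently leaves the remaining properties unset.
public class HardenedStaxFactory {

    // Standard StAX properties: every implementation must support these, so a
    // failure here means the parser cannot be made safe and must not be used.
    private static final Object[][] STANDARD = {
        { XMLInputFactory.SUPPORT_DTD, Boolean.FALSE },
        { XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE },
        { XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE },
    };

    // JAXP properties: honoured by the JDK parser, unknown to Woodstox (issue #51).
    private static final Object[][] JAXP_OPTIONAL = {
        { XMLConstants.ACCESS_EXTERNAL_DTD, "" },
        { XMLConstants.ACCESS_EXTERNAL_SCHEMA, "" },
    };

    // Sets one property and reports the outcome instead of letting the
    // IllegalArgumentException escape and skip the properties after it.
    static boolean trySet(XMLInputFactory f, String name, Object value, List<String> log) {
        try {
            f.setProperty(name, value);
            return true;
        } catch (IllegalArgumentException e) {
            log.add("unsupported property " + name + " on " + f.getClass().getName());
            return false;
        }
    }

    // Standard properties are mandatory; JAXP ones are logged if unsupported.
    static XMLInputFactory harden(XMLInputFactory f, List<String> log) {
        for (Object[] p : STANDARD) {
            if (!trySet(f, (String) p[0], p[1], log)) {
                throw new IllegalStateException(
                    "StAX parser cannot disable DTD/entity processing: " + p[0]);
            }
        }
        for (Object[] p : JAXP_OPTIONAL) {
            trySet(f, (String) p[0], p[1], log);
        }
        return f;
    }

    // Returns the element names parsed, or null if the parser rejected the input.
    static List<String> elementNames(XMLInputFactory f, String xml) {
        List<String> names = new ArrayList<>();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) {
                    names.add(r.getLocalName());
                }
            }
            r.close();
            return names;
        } catch (XMLStreamException e) {
            // With DTD support off, a DOCTYPE or an undeclared entity reference
            // is an error; the exact message is implementation-specific.
            return null;
        }
    }

    public static void main(String[] args) {
        List<String> log = new ArrayList<>();
        // Whatever parser service discovery finds (JDK, or Woodstox if on the classpath).
        XMLInputFactory discovered = harden(XMLInputFactory.newInstance(), log);
        // The JDK's own parser, regardless of what else is on the classpath (Java 9+).
        XMLInputFactory jdk = harden(XMLInputFactory.newDefaultFactory(), log);

        // Constructed inputs: a plain document and one carrying a DOCTYPE with an
        // external entity, which a hardened factory must refuse to resolve.
        String plain = "<rdf><a/><b/></rdf>";
        String withDtd = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///nonexistent\">]><d>&ext;</d>";

        System.out.println("discovered parser: " + discovered.getClass().getName());
        System.out.println("plain document    -> " + elementNames(discovered, plain));
        System.out.println("document with DTD -> " + elementNames(discovered, withDtd));
        System.out.println("JDK parser, DTD   -> " + elementNames(jdk, withDtd));
        for (String msg : log) System.out.println("note: " + msg);
    }
}
```

Run with only the JDK on the classpath and the log stays empty; run with woodstox-core present and {{newInstance()}} returns a {{WstxInputFactory}}, the two JAXP properties are reported as unsupported, and the DOCTYPE document is still rejected because the standard properties did apply. That second run is the check Andy is asking for: it shows whether the parser actually found on the classpath refuses DTD processing, rather than assuming it does.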
--
This message was sent by Atlassian Jira
(v8.20.7#820007)