The GitHub Actions job "Java CI" on commons-configuration.git/use-copernik-xml-factory has failed. Run started by GitHub user ppkarwasz (triggered by ppkarwasz).
Head commit for run: ace8aaf9f928556afe2793a1330cd178ec34c0ab / Piotr P. Karwasz <[email protected]> Harden XML parsing via copernik-xml-factory Replace all direct JAXP factory instantiations (DocumentBuilderFactory, SAXParserFactory, TransformerFactory) with the hardened factories from eu.copernik:copernik-xml-factory 0.1.1. These factories block external DTD and entity fetching and bound internal entity expansion, regardless of the JAXP implementation on the classpath. Hardening the parsing of a configuration file is admittedly not necessary: configuration files are normally trusted. This limits the side-effects if a user (against advice) decides to parse untrusted configuration files. Changes: - Add the copernik-xml-factory dependency. - Route factory creation through XmlFactories in XMLConfiguration, XMLDocumentHelper, XMLPropertiesConfiguration and XMLPropertyListConfiguration, plus the affected tests. - Harden the source passed to XMLDocumentHelper.transform. - XMLConfiguration's entity resolver now throws a SAXException for unregistered entities instead of returning null. Returning null would let the parser fall back to fetching the external resource and would override the deny-all resolver the hardening factories install on some implementations. This is done in an anonymous DefaultEntityResolver subclass local to XMLConfiguration, leaving the public DefaultEntityResolver contract (return null for unknown entities) unchanged. Assisted-By: Claude Opus 4.8 (1M context) <[email protected]> Report URL: https://github.com/apache/commons-configuration/actions/runs/27746811646 With regards, GitHub Actions via GitBox
