The GitHub Actions job "Java CI" on 
commons-xml.git/feature/sax-feature-based-hardening has failed.
Run started by GitHub user ppkarwasz (triggered by ppkarwasz).

Head commit for run:
87c7172992180fa600fe2254e0df492cef8cc41e / Piotr P. Karwasz 
<[email protected]>
Base SAXParserFactory hardening on feature support

Replace the per-implementation class-name dispatch for SAX with a single
capability-driven recipe, mirroring the DocumentBuilderFactory rework. A new
SAXParserHardener probes feature and property support and adapts:

- harden(SAXParserFactory) sets FSP (skipped on Android's Expat, which rejects
  it) and wraps the factory in the now-universal HardeningSAXParserFactory,
  since SAXParserFactory exposes no property API.
- hardenReader(XMLReader) sets FSP, skips the external DTD subset where
  supported, applies limits and probes ACCESS_EXTERNAL_*: the bare reader is
  returned when the JAXP 1.5 properties are honoured (stock JDK), otherwise a
  deny-all EntityResolver is installed (external Xerces).
- Limits.tryApply(XMLReader) picks the Xerces SecurityManager vs JDK
  limit-property path by class name (the JDK reader is itself a Xerces fork
  exposing the same property, so a probe cannot tell them apart).
- JaxpSetters gains setOptionalFeature(XMLReader) and trySetProperty(XMLReader).
  StockJdkProvider and XercesProvider lose their SAX recipes; XercesProvider now
  handles only Schema factories.

HardeningSAXParserFactory becomes a single-argument wrapper that returns a
HardeningSAXParser, which exposes the hardened reader and a matching SAX 1
Parser (cast or XMLReaderAdapter, lazily) so consumers reaching the parser
through either path, including Xalan's identity transformer, get the same
hardening.

Android keeps its fixups rather than becoming a pass-through. Expat ignores
external fetches silently when no resolver is set, so a subset-aware deny-all
resolver is installed to fail on external entities while still letting an unused
external subset load, and an ExpatReaderWrapper rejects the unsupported
namespace-prefixes feature eagerly instead of failing mid-parse. DOM
(KXmlParser) remains a pass-through.

Behaviour change: the returned SAXParserFactory no longer forces namespace
awareness. The previous StockJdkProvider and XercesProvider SAX recipes called
setNamespaceAware(true); whether to parse namespace-aware is the caller's
decision, not a hardening concern, so it is now left at the implementation
default (DOM never set it). The internal Source-parsing path keeps it on:
XmlFactories.harden(Source) sets namespace awareness itself, since schema, XSLT
and validator sources are parsed in a namespace-aware context.

Adds SchemaLocationSaxTest (the SAX counterpart of SchemaLocationDomTest,
reusing AttackTestSupport's shared strict reporter) and a SAX case in
UnsupportedXmlImplementationTest. AndroidProvider is removed.

Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>

Report URL: https://github.com/apache/commons-xml/actions/runs/28329584482

With regards,
GitHub Actions via GitBox

Reply via email to