[jira] [Updated] (GROOVY-11979) Consolidate XML factory hardening and document secure-by-default parsing

Sat, 02 May 2026 13:43:10 -0700 


     [ 
https://issues.apache.org/jira/browse/GROOVY-11979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Paul King updated GROOVY-11979:
-------------------------------
    Description: 
h3. Part 1 — FactorySupport hardened factory methods (foundation, additive)

*What's included:*
* {{FactorySupport.java}}: added 7 new public methods
** {{createDocumentBuilderFactory(boolean allowDocTypeDeclaration)}}
** {{createSaxParserFactory(boolean allowDocTypeDeclaration)}}
** {{createXMLInputFactory()}}
** {{createXMLInputFactory(boolean allowDocTypeDeclaration)}}
** {{createTransformerFactory(boolean allowDocTypeDeclaration, boolean 
allowExternalResources)}}
** {{createSchemaFactory(String schemaLanguage)}}
** {{createXPathFactory()}}
* {{FactorySupport.java}}: marked the two existing zero-arg methods 
{{@Deprecated}} with javadoc steering callers to the hardened overloads. 
Behaviour of the bare methods is unchanged.
* {{FactorySupport.java}}: added private quiet helpers for the new factory 
types (SchemaFactory, XPathFactory, TransformerFactory {{setAttribute}}, 
XMLInputFactory {{setProperty}}).
* {{FactorySupportTest.java}}: 12 new tests covering hardening defaults, 
relax-flag round-trips, and a regression guard that the deprecated bare methods 
still return un-hardened factories.

*Hardening recipes applied:*
|| Factory || Settings ||
| DocumentBuilderFactory | {{FEATURE_SECURE_PROCESSING=true}}, 
{{disallow-doctype-decl=!allow}}, {{XIncludeAware=false}}, 
{{ExpandEntityReferences=false}} |
| SAXParserFactory | {{FEATURE_SECURE_PROCESSING=true}}, 
{{disallow-doctype-decl=!allow}} |
| XMLInputFactory | {{SUPPORT_DTD=allow}}, 
{{IS_SUPPORTING_EXTERNAL_ENTITIES=false}} |
| TransformerFactory | {{FEATURE_SECURE_PROCESSING=true}}, 
{{disallow-doctype-decl=!allow}}, {{ACCESS_EXTERNAL_DTD}} and 
{{ACCESS_EXTERNAL_STYLESHEET}} = {{"all"}} or {{""}} per 
{{allowExternalResources}} |
| SchemaFactory | {{FEATURE_SECURE_PROCESSING=true}} (no {{ACCESS_EXTERNAL_*}} 
— preserves legitimate {{<xs:import>}}) |
| XPathFactory | {{FEATURE_SECURE_PROCESSING=true}} |

*Risks / compat:*
* Pure-additive PR. No call-site changes. No existing public method signatures 
changed. Bare factory methods retain bare semantics; deprecation is javadoc 
steering only.

> Consolidate XML factory hardening and document secure-by-default parsing
> ------------------------------------------------------------------------
>
>                 Key: GROOVY-11979
>                 URL: https://issues.apache.org/jira/browse/GROOVY-11979
>             Project: Groovy
>          Issue Type: Improvement
>            Reporter: Paul King
>            Priority: Major
>
> h3. Part 1 — FactorySupport hardened factory methods (foundation, additive)
> *What's included:*
> * {{FactorySupport.java}}: added 7 new public methods
> ** {{createDocumentBuilderFactory(boolean allowDocTypeDeclaration)}}
> ** {{createSaxParserFactory(boolean allowDocTypeDeclaration)}}
> ** {{createXMLInputFactory()}}
> ** {{createXMLInputFactory(boolean allowDocTypeDeclaration)}}
> ** {{createTransformerFactory(boolean allowDocTypeDeclaration, boolean 
> allowExternalResources)}}
> ** {{createSchemaFactory(String schemaLanguage)}}
> ** {{createXPathFactory()}}
> * {{FactorySupport.java}}: marked the two existing zero-arg methods 
> {{@Deprecated}} with javadoc steering callers to the hardened overloads. 
> Behaviour of the bare methods is unchanged.
> * {{FactorySupport.java}}: added private quiet helpers for the new factory 
> types (SchemaFactory, XPathFactory, TransformerFactory {{setAttribute}}, 
> XMLInputFactory {{setProperty}}).
> * {{FactorySupportTest.java}}: 12 new tests covering hardening defaults, 
> relax-flag round-trips, and a regression guard that the deprecated bare 
> methods still return un-hardened factories.
> *Hardening recipes applied:*
> || Factory || Settings ||
> | DocumentBuilderFactory | {{FEATURE_SECURE_PROCESSING=true}}, 
> {{disallow-doctype-decl=!allow}}, {{XIncludeAware=false}}, 
> {{ExpandEntityReferences=false}} |
> | SAXParserFactory | {{FEATURE_SECURE_PROCESSING=true}}, 
> {{disallow-doctype-decl=!allow}} |
> | XMLInputFactory | {{SUPPORT_DTD=allow}}, 
> {{IS_SUPPORTING_EXTERNAL_ENTITIES=false}} |
> | TransformerFactory | {{FEATURE_SECURE_PROCESSING=true}}, 
> {{disallow-doctype-decl=!allow}}, {{ACCESS_EXTERNAL_DTD}} and 
> {{ACCESS_EXTERNAL_STYLESHEET}} = {{"all"}} or {{""}} per 
> {{allowExternalResources}} |
> | SchemaFactory | {{FEATURE_SECURE_PROCESSING=true}} (no 
> {{ACCESS_EXTERNAL_*}} — preserves legitimate {{<xs:import>}}) |
> | XPathFactory | {{FEATURE_SECURE_PROCESSING=true}} |
> *Risks / compat:*
> * Pure-additive PR. No call-site changes. No existing public method 
> signatures changed. Bare factory methods retain bare semantics; deprecation 
> is javadoc steering only.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to