[ 
https://issues.apache.org/jira/browse/GROOVY-11979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Paul King reassigned GROOVY-11979:
----------------------------------

    Assignee: Paul King

> Consolidate XML factory hardening and document secure-by-default parsing
> ------------------------------------------------------------------------
>
>                 Key: GROOVY-11979
>                 URL: https://issues.apache.org/jira/browse/GROOVY-11979
>             Project: Groovy
>          Issue Type: Improvement
>            Reporter: Paul King
>            Assignee: Paul King
>            Priority: Major
>
> h3. PR1 — FactorySupport hardened factories (secure by default)
> *What's included:*
> * {{FactorySupport.java}}: every factory method now returns a hardened 
> factory by default
> ** {{createDocumentBuilderFactory()}} — delegates to 
> {{createDocumentBuilderFactory(false)}}; previously returned a bare JDK 
> factory
> ** {{createSaxParserFactory()}} — delegates to 
> {{createSaxParserFactory(false)}}; previously returned a bare JDK factory
> ** {{createDocumentBuilderFactory(boolean allowDocTypeDeclaration)}} *(new)*
> ** {{createSaxParserFactory(boolean allowDocTypeDeclaration)}} *(new)*
> ** {{createXMLInputFactory()}} *(new)*
> ** {{createXMLInputFactory(boolean allowDocTypeDeclaration)}} *(new)*
> ** {{createTransformerFactory(boolean allowDocTypeDeclaration, boolean 
> allowExternalResources)}} *(new)*
> ** {{createSchemaFactory(String schemaLanguage)}} *(new)*
> ** {{createXPathFactory()}} *(new)*
> * {{FactorySupport.java}}: added private quiet helpers for the new factory 
> types (SchemaFactory, XPathFactory, TransformerFactory {{setAttribute}}, 
> XMLInputFactory {{setProperty}}).
> * {{FactorySupportTest.java}}: 14 new tests covering hardening defaults on 
> both the zero-arg and boolean overloads, relax-flag round-trips for each 
> factory type.
> *Hardening recipes applied:*
> || Factory || Settings ||
> | DocumentBuilderFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}}, {{XIncludeAware=false}}, {{ExpandEntityReferences=false}} |
> | SAXParserFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}} |
> | XMLInputFactory | {{SUPPORT_DTD=allow}}, {{IS_SUPPORTING_EXTERNAL_ENTITIES=false}} |
> | TransformerFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}}, {{ACCESS_EXTERNAL_DTD}} and {{ACCESS_EXTERNAL_STYLESHEET}} = {{"all"}} or {{""}} per {{allowExternalResources}} |
> | SchemaFactory | {{FEATURE_SECURE_PROCESSING=true}} (no {{ACCESS_EXTERNAL_*}} — preserves legitimate {{<xs:import>}}) |
> | XPathFactory | {{FEATURE_SECURE_PROCESSING=true}} |
> *Compat notes:*
> * Direct callers of the zero-arg {{createDocumentBuilderFactory()}} / 
> {{createSaxParserFactory()}} now receive hardened factories. Callers that 
> previously parsed DOCTYPE-bearing input through those factories must switch 
> to the {{(true)}} overload. Internal Groovy callers ({{XmlParser}}, 
> {{XmlSlurper}}, {{XmlUtil}}, {{DOMBuilder}}) overlay their own settings on 
> top of the default and are unaffected.
> * No public method signatures changed. No methods deprecated.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
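
The DocumentBuilderFactory row of the hardening table above, written out with plain JAXP calls as an added example. It is not Groovy's FactorySupport code; the class name `HardenedDomDemo`, the helper names and the sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedDomDemo {
    // Full feature URI for the "disallow-doctype-decl" setting named in the table.
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    // Hypothetical helper: applies the four DocumentBuilderFactory settings from the table.
    static DocumentBuilderFactory hardened(boolean allowDocTypeDeclaration)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, !allowDocTypeDeclaration);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses one document and reports whether the hardened parser accepted it.
    static String tryParse(boolean allowDocTypeDeclaration, String xml) throws Exception {
        try {
            hardened(allowDocTypeDeclaration).newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (SAXException e) {
            // With disallow-doctype-decl=true the parser fails on the DOCTYPE itself,
            // before any entity declared in it could be resolved.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one without a DOCTYPE, one with an internal DTD subset.
        String plain = "<note>hi</note>";
        String withDoctype = "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hi</note>";

        System.out.println("default, plain:      " + tryParse(false, plain));
        System.out.println("default, DOCTYPE:    " + tryParse(false, withDoctype));
        System.out.println("allow=true, DOCTYPE: " + tryParse(true, withDoctype));
    }
}
```

The middle case is the compatibility change described in the issue: input carrying a DOCTYPE is refused under the default and accepted only when the caller opts in with `true`.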