[
https://issues.apache.org/jira/browse/GROOVY-11979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Paul King updated GROOVY-11979:
-------------------------------
Description:
h3. PR1 — FactorySupport hardened factories (secure by default)
*What's included:*
* {{FactorySupport.java}}: every factory method now returns a hardened factory
by default
** {{createDocumentBuilderFactory()}} — delegates to
{{createDocumentBuilderFactory(false)}}; previously returned a bare JDK factory
** {{createSaxParserFactory()}} — delegates to
{{createSaxParserFactory(false)}}; previously returned a bare JDK factory
** {{createDocumentBuilderFactory(boolean allowDocTypeDeclaration)}} *(new)*
** {{createSaxParserFactory(boolean allowDocTypeDeclaration)}} *(new)*
** {{createXMLInputFactory()}} *(new)*
** {{createXMLInputFactory(boolean allowDocTypeDeclaration)}} *(new)*
** {{createTransformerFactory(boolean allowDocTypeDeclaration, boolean allowExternalResources)}} *(new)*
** {{createSchemaFactory(String schemaLanguage)}} *(new)*
** {{createXPathFactory()}} *(new)*
* {{FactorySupport.java}}: added private quiet helpers for the new factory
types (SchemaFactory, XPathFactory, TransformerFactory {{setAttribute}},
XMLInputFactory {{setProperty}}).
* {{FactorySupportTest.java}}: 14 new tests covering hardening defaults on both
the zero-arg and boolean overloads, relax-flag round-trips for each factory
type.
*Hardening recipes applied:*
|| Factory || Settings ||
| DocumentBuilderFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}}, {{XIncludeAware=false}}, {{ExpandEntityReferences=false}} |
| SAXParserFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}} |
| XMLInputFactory | {{SUPPORT_DTD=allow}}, {{IS_SUPPORTING_EXTERNAL_ENTITIES=false}} |
| TransformerFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}}, {{ACCESS_EXTERNAL_DTD}} and {{ACCESS_EXTERNAL_STYLESHEET}} = {{"all"}} or {{""}} per {{allowExternalResources}} |
| SchemaFactory | {{FEATURE_SECURE_PROCESSING=true}} (no {{ACCESS_EXTERNAL_*}} — preserves legitimate {{<xs:import>}}) |
| XPathFactory | {{FEATURE_SECURE_PROCESSING=true}} |
*Compat notes:*
* Direct callers of the zero-arg {{createDocumentBuilderFactory()}} /
{{createSaxParserFactory()}} now receive hardened factories. Callers that
previously parsed DOCTYPE-bearing input through those factories must switch to
the {{(true)}} overload. Internal Groovy callers ({{XmlParser}},
{{XmlSlurper}}, {{XmlUtil}}, {{DOMBuilder}}) overlay their own settings on top
of the default and are unaffected.
* No public method signatures changed. No methods deprecated.
was:
h3. Part 1 — FactorySupport hardened factory methods (foundation, additive)
*What's included:*
* {{FactorySupport.java}}: added 7 new public methods
** {{createDocumentBuilderFactory(boolean allowDocTypeDeclaration)}}
** {{createSaxParserFactory(boolean allowDocTypeDeclaration)}}
** {{createXMLInputFactory()}}
** {{createXMLInputFactory(boolean allowDocTypeDeclaration)}}
** {{createTransformerFactory(boolean allowDocTypeDeclaration, boolean allowExternalResources)}}
** {{createSchemaFactory(String schemaLanguage)}}
** {{createXPathFactory()}}
* {{FactorySupport.java}}: marked the two existing zero-arg methods
{{@Deprecated}} with javadoc steering callers to the hardened overloads.
Behaviour of the bare methods is unchanged.
* {{FactorySupport.java}}: added private quiet helpers for the new factory
types (SchemaFactory, XPathFactory, TransformerFactory {{setAttribute}},
XMLInputFactory {{setProperty}}).
* {{FactorySupportTest.java}}: 12 new tests covering hardening defaults,
relax-flag round-trips, and a regression guard that the deprecated bare methods
still return un-hardened factories.
*Hardening recipes applied:*
|| Factory || Settings ||
| DocumentBuilderFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}}, {{XIncludeAware=false}}, {{ExpandEntityReferences=false}} |
| SAXParserFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}} |
| XMLInputFactory | {{SUPPORT_DTD=allow}}, {{IS_SUPPORTING_EXTERNAL_ENTITIES=false}} |
| TransformerFactory | {{FEATURE_SECURE_PROCESSING=true}}, {{disallow-doctype-decl=!allow}}, {{ACCESS_EXTERNAL_DTD}} and {{ACCESS_EXTERNAL_STYLESHEET}} = {{"all"}} or {{""}} per {{allowExternalResources}} |
| SchemaFactory | {{FEATURE_SECURE_PROCESSING=true}} (no {{ACCESS_EXTERNAL_*}} — preserves legitimate {{<xs:import>}}) |
| XPathFactory | {{FEATURE_SECURE_PROCESSING=true}} |
*Risks / compat:*
* Pure-additive PR. No call-site changes. No existing public method signatures
changed. Bare factory methods retain bare semantics; deprecation is javadoc
steering only.
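The DocumentBuilderFactory row of the hardening recipes table, written out against the plain JAXP API as an added example (not Groovy's {{FactorySupport}} code and not part of the issue text). The class name, the {{hardened}} and {{outcome}} helpers and the sample documents are constructed for illustration; it shows why callers with DOCTYPE-bearing input need the relaxed overload.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedDomFactoryDemo {
    // Full URI of the parser feature the table abbreviates as disallow-doctype-decl.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Hypothetical stand-in applying the DocumentBuilderFactory recipe from the table.
    static DocumentBuilderFactory hardened(boolean allowDocTypeDeclaration)
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, !allowDocTypeDeclaration);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses xml and reports the outcome instead of propagating the parser's fatal error.
    static String outcome(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            Document doc = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed <" + doc.getDocumentElement().getTagName() + ">";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one carrying an inline DTD.
        String plain = "<note>hi</note>";
        String withDoctype = "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hi</note>";

        DocumentBuilderFactory strict = hardened(false);  // same flag the zero-arg method delegates with
        DocumentBuilderFactory relaxed = hardened(true);  // same flag as the (true) overload

        System.out.println("strict  / plain   : " + outcome(strict, plain));
        System.out.println("strict  / doctype : " + outcome(strict, withDoctype));
        System.out.println("relaxed / doctype : " + outcome(relaxed, withDoctype));
    }
}
```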
> Consolidate XML factory hardening and document secure-by-default parsing
> ------------------------------------------------------------------------
>
> Key: GROOVY-11979
> URL: https://issues.apache.org/jira/browse/GROOVY-11979
> Project: Groovy
> Issue Type: Improvement
> Reporter: Paul King
> Priority: Major
>