[ 
https://issues.apache.org/jira/browse/GROOVY-11981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Paul King updated GROOVY-11981:
-------------------------------
    Description: 
Groovy's front-line XML parsing APIs ({{XmlParser}}, {{XmlSlurper}}, the static 
{{DOMBuilder.parse(...)}} variants, {{XmlUtil.newSAXParser}}) have been 
secure-by-default for some time — DOCTYPE declarations, external entities and 
billion-laughs payloads are blocked unless the caller opts in via 
{{allowDocTypeDeclaration}}. Recently GROOVY-11979 extended that same hardening 
to several behind-the-scenes pieces that had been left at JDK defaults: 
factory-creation helpers, the XSLT transform path used by 
{{XmlUtil.serialize}}, and the {{DOMBuilder.newInstance()}} factory. This 
ticket documents the resulting default-behaviour changes for users upgrading to 
Groovy 6.0.0.

h4. Tier 1 — real default flips

* *{{XmlUtil.serialize(...)}}* now blocks external {{<xsl:import>}} / 
{{<xsl:include>}} and external DTD references in the underlying 
{{TransformerFactory}}.
** *Affects:* callers passing XSLT documents with external resource references 
through {{serialize}}. The overwhelmingly common case (pretty-printing 
already-parsed Groovy nodes or DOM trees) is unaffected.
** *Relax knob:* {{new SerializeOptions().setAllowExternalResources(true)}}.
* *{{FactorySupport.createDocumentBuilderFactory()}}* and 
*{{FactorySupport.createSaxParserFactory()}}* (zero-arg) now return hardened 
factories instead of bare JDK factories.
** *Affects:* direct callers of these helpers who were parsing DOCTYPE-bearing 
input through the returned factory.
** *Relax knob:* switch to the {{(true)}} overload — 
{{createDocumentBuilderFactory(true)}} / {{createSaxParserFactory(true)}}.

h4. Tier 2 — mostly theoretical default flip

* *{{DOMBuilder.newInstance()}}* and *{{DOMBuilder.newInstance(validating, 
namespaceAware)}}* now return a builder backed by a hardened factory.
** *Mostly theoretical because:* the DSL-build path doesn't parse external 
input, and {{parseText}} routes through the (already-hardened) static 
{{DOMBuilder.parse(...)}}. The change only bites if user code reaches into 
{{domBuilder.documentBuilder}} and parses DOCTYPE-bearing XML directly — an 
unusual pattern.
** *Relax knob:* new {{newInstance(validating, namespaceAware, 
allowDocTypeDeclaration)}} overload.

h4. What did *not* change

* No public method signatures removed.
* No methods deprecated.
* {{XmlParser}}, {{XmlSlurper}}, the static {{DOMBuilder.parse(...)}} overloads 
and {{XmlUtil.newSAXParser}} keep the same defaults and the same 
{{allowDocTypeDeclaration}} relax knob they have always had.
* {{<xs:import>}} / {{<xs:include>}} schema imports continue to resolve; the 
SchemaFactory hardening adds {{FEATURE_SECURE_PROCESSING}} only.

  was:
Groovy's front-line XML parsing APIs ({{XmlParser}}, {{XmlSlurper}}, the static 
{{DOMBuilder.parse(...)}} variants, {{XmlUtil.newSAXParser}}) have been 
secure-by-default for some time — DOCTYPE declarations, external entities and 
billion-laughs payloads are blocked unless the caller opts in via 
{{allowDocTypeDeclaration}}. Recent work (PR1/PR2/PR3) extended that same 
hardening to several behind-the-scenes pieces that had been left at JDK 
defaults: factory-creation helpers, the XSLT transform path used by 
{{XmlUtil.serialize}}, and the {{DOMBuilder.newInstance()}} factory. This 
ticket documents the resulting default-behaviour changes for users upgrading to 
Groovy 6.0.0.

h4. Tier 1 — real default flips

* *{{XmlUtil.serialize(...)}}* now blocks external {{<xsl:import>}} / 
{{<xsl:include>}} and external DTD references in the underlying 
{{TransformerFactory}}.
** *Affects:* callers passing XSLT documents with external resource references 
through {{serialize}}. The overwhelmingly common case (pretty-printing 
already-parsed Groovy nodes or DOM trees) is unaffected.
** *Relax knob:* {{new SerializeOptions().setAllowExternalResources(true)}}.
* *{{FactorySupport.createDocumentBuilderFactory()}}* and 
*{{FactorySupport.createSaxParserFactory()}}* (zero-arg) now return hardened 
factories instead of bare JDK factories.
** *Affects:* direct callers of these helpers who were parsing DOCTYPE-bearing 
input through the returned factory.
** *Relax knob:* switch to the {{(true)}} overload — 
{{createDocumentBuilderFactory(true)}} / {{createSaxParserFactory(true)}}.

h4. Tier 2 — mostly theoretical default flip

* *{{DOMBuilder.newInstance()}}* and *{{DOMBuilder.newInstance(validating, 
namespaceAware)}}* now return a builder backed by a hardened factory.
** *Mostly theoretical because:* the DSL-build path doesn't parse external 
input, and {{parseText}} routes through the (already-hardened) static 
{{DOMBuilder.parse(...)}}. The change only bites if user code reaches into 
{{domBuilder.documentBuilder}} and parses DOCTYPE-bearing XML directly — an 
unusual pattern.
** *Relax knob:* new {{newInstance(validating, namespaceAware, 
allowDocTypeDeclaration)}} overload.

h4. What did *not* change

* No public method signatures removed.
* No methods deprecated.
* {{XmlParser}}, {{XmlSlurper}}, the static {{DOMBuilder.parse(...)}} overloads 
and {{XmlUtil.newSAXParser}} keep the same defaults and the same 
{{allowDocTypeDeclaration}} relax knob they have always had.
* {{<xs:import>}} / {{<xs:include>}} schema imports continue to resolve; the 
SchemaFactory hardening adds {{FEATURE_SECURE_PROCESSING}} only.


> Document XML secure-by-default breaking changes for 6.0.0
> ---------------------------------------------------------
>
>                 Key: GROOVY-11981
>                 URL: https://issues.apache.org/jira/browse/GROOVY-11981
>             Project: Groovy
>          Issue Type: Task
>            Reporter: Paul King
>            Assignee: Paul King
>            Priority: Major
>              Labels: breaking
>             Fix For: 6.0.0-alpha-1
>
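A compatibility probe for the Tier 1 flips and the unchanged front-line behaviour described in the ticket, as an added Groovy example that is not part of the ticket or of Groovy's own sources. It assumes the 6.0.0 signatures the ticket names (the zero-arg and `(true)` overloads of the FactorySupport helpers) and that a hardened factory rejects a DOCTYPE-bearing document with a SAXException; the probe document is constructed.

```groovy
import groovy.xml.FactorySupport
import groovy.xml.XmlParser
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.InputSource
import org.xml.sax.SAXException
import org.xml.sax.helpers.DefaultHandler

// Constructed probe document: an internal-subset DOCTYPE with no external
// references, so it is harmless to a relaxed parser yet still trips the
// DOCTYPE block of a hardened one.
String doctypeXml = '''<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting;</note>'''

// True if a DOM factory's builder accepts a DOCTYPE-bearing document.
boolean domAcceptsDoctype(DocumentBuilderFactory dbf, String xml) {
    try {
        dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
        return true
    } catch (SAXException ignored) {
        return false   // assumption: hardened factory rejects the DOCTYPE up front
    }
}

// Same probe for a SAX factory.
boolean saxAcceptsDoctype(SAXParserFactory spf, String xml) {
    try {
        spf.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler())
        return true
    } catch (SAXException ignored) {
        return false
    }
}

// Tier 1: the zero-arg helpers are now hardened; the (true) overload opts back out.
assert !domAcceptsDoctype(FactorySupport.createDocumentBuilderFactory(), doctypeXml)
assert  domAcceptsDoctype(FactorySupport.createDocumentBuilderFactory(true), doctypeXml)
assert !saxAcceptsDoctype(FactorySupport.createSaxParserFactory(), doctypeXml)
assert  saxAcceptsDoctype(FactorySupport.createSaxParserFactory(true), doctypeXml)

// Unchanged: XmlParser keeps its hardened default and its existing
// allowDocTypeDeclaration knob (third constructor argument).
boolean rejected = false
try { new XmlParser().parseText(doctypeXml) } catch (SAXException e) { rejected = true }
assert rejected
assert new XmlParser(false, true, true).parseText(doctypeXml).text() == 'hello'
```

Run it against a 6.0.0 build before upgrading callers of the zero-arg helpers; any assertion failure pinpoints which factory or knob an application still relies on.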
