[ 
https://issues.apache.org/jira/browse/BATIK-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18086093#comment-18086093
 ] 

Piotr Karwasz edited comment on BATIK-1395 at 6/4/26 2:03 PM:
--------------------------------------------------------------

Hi Simon,

The library does not use {{XMLInputHandler}}, but it could improve your 
hardening commit if you replace {{TransformerFactory.newInstance()}} with 
{{XmlFactories.newTransformerFactory()}} without any additional configuration 
needed.

The edge case I mentioned above is internally handled by returning a *wrapper* 
of {{TransformerFactory.newInstance()}}, which replaces a {{StreamSource}} 
argument (or {{SAXSource}} without an {{XMLReader}}) with a {{SAXSource}} 
referencing a hardened {{XMLReader}}.

If you are wondering why you should replace 3 lines of code with a 40 KiB 
third-party library (regardless whether it is maintained by me as a personal 
project, Apache Commons or Xerces), I posed myself the same question when I 
wrote the library. My pros list included:
 * If you use the library all XXE/SSRF reports can be rejected as out-of-scope. 
Hopefully reporters will stop sending reports altogether, since Batik will not 
contain any {{TransformerFactory.newInstance()}} call (wishful thinking, I 
know).
 * It seems like a useful dependency for libraries, since these don't know how 
they will be deployed and with which parser implementation. For example Android 
does not even support {{FEATURE_SECURE_PROCESSING}}. This is not a problem 
for {{XMLInputHandler}} and {{batik-svgbrowser}}, but Android support might 
be useful in other Batik modules.

As I mentioned above, I made my case for the existence of such a library:
 * To the Apache Commons PMC, which I am part of: 
[https://lists.apache.org/thread/5lrt4qgrfqv0dbzmwzmmqz18lf69lkfl]
 * To the Xerces PMC, where such a library might be a better fit: 
[https://lists.apache.org/thread/lxwny26689r1cbmmj27s6gdrqp64lgsy]

Before investing too much time into this, I would appreciate your opinion on 
whether this could be useful. Call it a market study among OSS projects…
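The wrapper approach described in the comment above, written out as an added illustration (this is not Piotr's library, nor Batik code): a {{TransformerFactory}} that delegates to the platform factory but swaps any {{StreamSource}} (or {{SAXSource}} without a reader) for a {{SAXSource}} bound to an {{XMLReader}} with external entity resolution disabled. The class and method names ({{HardenedTransformerFactory}}, {{harden}}, {{newHardenedXmlReader}}) are invented for this example. It also shows the Android caveat from the comment: the standard SAX2 entity features are treated as mandatory, while {{FEATURE_SECURE_PROCESSING}} and the Xerces-specific features are applied best-effort, because not every parser recognises them.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.Source;
import javax.xml.transform.Templates;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/**
 * Hypothetical wrapper (example code, not a real library): every Source that the
 * delegate would otherwise parse with a default, entity-expanding parser is first
 * rebound to a hardened XMLReader.
 */
public final class HardenedTransformerFactory extends TransformerFactory {

    private final TransformerFactory delegate;

    public HardenedTransformerFactory(TransformerFactory delegate) {
        this.delegate = delegate;
        // JAXP 1.5 limits for the factory itself (DTDs and xsl:import/xsl:include fetched
        // by the processor). Older implementations reject unknown attributes, so best-effort.
        trySetAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        trySetAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        try {
            delegate.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            // Not recognised on some platforms (e.g. Android); SAX-level hardening still applies.
        }
    }

    private void trySetAttribute(String name, Object value) {
        try { delegate.setAttribute(name, value); } catch (IllegalArgumentException ignored) { }
    }

    /** Builds an XMLReader that never resolves external general or parameter entities. */
    public static XMLReader newHardenedXmlReader() throws TransformerConfigurationException {
        try {
            SAXParserFactory spf = SAXParserFactory.newInstance();
            spf.setNamespaceAware(true);
            // Standard SAX2 features: every conforming parser must support them, so a failure
            // here is fatal rather than silently tolerated.
            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            // Implementation-specific extras (Xerces / JDK parser); tolerated when absent.
            trySetFeature(spf, XMLConstants.FEATURE_SECURE_PROCESSING, true);
            trySetFeature(spf, "http://apache.org/xml/features/disallow-doctype-decl", true);
            trySetFeature(spf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            return spf.newSAXParser().getXMLReader();
        } catch (ParserConfigurationException | SAXException e) {
            throw new TransformerConfigurationException("cannot build hardened XMLReader", e);
        }
    }

    private static void trySetFeature(SAXParserFactory spf, String name, boolean value) {
        try { spf.setFeature(name, value); }
        catch (ParserConfigurationException | SAXException e) { /* unsupported by this parser */ }
    }

    /**
     * Replaces a StreamSource (or a SAXSource with no reader) by a SAXSource bound to the
     * hardened reader. DOMSource, StAXSource and a SAXSource that already carries a
     * caller-supplied reader are returned unchanged.
     */
    public static Source harden(Source source) throws TransformerConfigurationException {
        if (source instanceof StreamSource) {
            return new SAXSource(newHardenedXmlReader(), SAXSource.sourceToInputSource(source));
        }
        if (source instanceof SAXSource && ((SAXSource) source).getXMLReader() == null) {
            return new SAXSource(newHardenedXmlReader(), ((SAXSource) source).getInputSource());
        }
        return source;
    }

    @Override public Transformer newTransformer(Source source) throws TransformerConfigurationException {
        return delegate.newTransformer(harden(source));
    }
    @Override public Transformer newTransformer() throws TransformerConfigurationException {
        return delegate.newTransformer();
    }
    @Override public Templates newTemplates(Source source) throws TransformerConfigurationException {
        return delegate.newTemplates(harden(source));
    }
    @Override public Source getAssociatedStylesheet(Source source, String media, String title,
            String charset) throws TransformerConfigurationException {
        return delegate.getAssociatedStylesheet(harden(source), media, title, charset);
    }
    @Override public void setURIResolver(URIResolver resolver) { delegate.setURIResolver(resolver); }
    @Override public URIResolver getURIResolver() { return delegate.getURIResolver(); }
    @Override public void setFeature(String name, boolean value) throws TransformerConfigurationException {
        delegate.setFeature(name, value);
    }
    @Override public boolean getFeature(String name) { return delegate.getFeature(name); }
    @Override public void setAttribute(String name, Object value) { delegate.setAttribute(name, value); }
    @Override public Object getAttribute(String name) { return delegate.getAttribute(name); }
    @Override public void setErrorListener(ErrorListener l) { delegate.setErrorListener(l); }
    @Override public ErrorListener getErrorListener() { return delegate.getErrorListener(); }
}
```

Usage is a one-line swap at the call site, {{new HardenedTransformerFactory(TransformerFactory.newInstance())}} in place of {{TransformerFactory.newInstance()}}. Note that this only covers the Source handed to the factory (the stylesheet); the document passed to {{Transformer.transform(Source, Result)}} is parsed by the processor too, so callers should run it through {{harden(...)}} as well, or wrap the returned {{Transformer}} in the same way.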


> Add secure processing to XMLInputHandler
> ----------------------------------------
>
>                 Key: BATIK-1395
>                 URL: https://issues.apache.org/jira/browse/BATIK-1395
>             Project: Batik
>          Issue Type: Bug
>            Reporter: Simon Steiner
>            Assignee: Simon Steiner
>            Priority: Major
>             Fix For: main
>
>
> XMLInputHandler is currently not used unless you uncomment a setting in a 
> services file



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
