This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new 97477331359 CAMEL-18825: Make XmlHelper more secure
97477331359 is described below

commit 9747733135980b8eacc4003fe7dd13c4a0daf5f4
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Dec 19 11:07:38 2022 +0100

    CAMEL-18825: Make XmlHelper more secure
---
 .../apache/camel/generator/openapi/RestDslXmlGenerator.java    | 10 ++++++++++
 .../apache/camel/generator/swagger/RestDslXmlGenerator.java    | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git 
a/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslXmlGenerator.java
 
b/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslXmlGenerator.java
index 3a94f83b6f6..a44038e2be3 100644
--- 
a/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslXmlGenerator.java
+++ 
b/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslXmlGenerator.java
@@ -103,6 +103,16 @@ public class RestDslXmlGenerator extends 
RestDslGenerator<RestDslXmlGenerator> {
 
         final TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
         transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        try {
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
"");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
+        try {
+            
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
         final Transformer transformer = transformerFactory.newTransformer();
 
         final StringWriter writer = new StringWriter();
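Review bot: Both added `catch (IllegalArgumentException e)` blocks swallow the failure with only `// ignore`, so on a `TransformerFactory` implementation that rejects `ACCESS_EXTERNAL_DTD` or `ACCESS_EXTERNAL_STYLESHEET` the hardening is silently skipped and only `FEATURE_SECURE_PROCESSING` remains in effect. Say why ignoring is acceptable, for example `// attribute not supported by this TransformerFactory implementation; continue with FEATURE_SECURE_PROCESSING only`, and, if the class has a logger (none is visible in the hunk), log the attribute name at debug level so the gap is visible. The identical ten lines are added to the swagger `RestDslXmlGenerator` in the second hunk, so the same applies there; a small shared helper that builds the restricted factory would keep the two copies from drifting. The enclosing method starts and ends outside the hunk.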
diff --git 
a/tooling/swagger-rest-dsl-generator/src/main/java/org/apache/camel/generator/swagger/RestDslXmlGenerator.java
 
b/tooling/swagger-rest-dsl-generator/src/main/java/org/apache/camel/generator/swagger/RestDslXmlGenerator.java
index ac58b13a99d..f18fa8e4c36 100644
--- 
a/tooling/swagger-rest-dsl-generator/src/main/java/org/apache/camel/generator/swagger/RestDslXmlGenerator.java
+++ 
b/tooling/swagger-rest-dsl-generator/src/main/java/org/apache/camel/generator/swagger/RestDslXmlGenerator.java
@@ -103,6 +103,16 @@ public class RestDslXmlGenerator extends 
RestDslGenerator<RestDslXmlGenerator> {
 
         final TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
         transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        try {
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
"");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
+        try {
+            
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
         final Transformer transformer = transformerFactory.newTransformer();
 
         final StringWriter writer = new StringWriter();
