This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new 77b514e5e6f CAMEL-18825: Make XmlHelper more secure
77b514e5e6f is described below

commit 77b514e5e6f2fa088cd3918b1cd1e3099046aaaf
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Dec 19 11:09:14 2022 +0100

    CAMEL-18825: Make XmlHelper more secure
---
 .../org/apache/camel/maven/bom/generator/BomGeneratorMojo.java | 10 ++++++++++
 .../apache/camel/generator/openapi/RestDslYamlGenerator.java   | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git 
a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
 
b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
index 21ce949cac1..d1e20d886fe 100644
--- 
a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
+++ 
b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
@@ -224,6 +224,16 @@ public class BomGeneratorMojo extends AbstractMojo {
 
         TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
         transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        try {
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
"");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
+        try {
+            
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
         Transformer transformer = transformerFactory.newTransformer();
         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
         transformer.setOutputProperty(OutputKeys.METHOD, "xml");
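Review bot: Both added catch blocks swallow IllegalArgumentException with only `// ignore`, so if the TransformerFactory found on the classpath does not recognise ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET, the build continues with that implementation's default external-access policy and nothing records it. Because this class extends AbstractMojo, the catch can report the gap, e.g. `getLog().warn("TransformerFactory does not support " + XMLConstants.ACCESS_EXTERNAL_DTD + "; external DTD access is not restricted");`. At minimum the comment should say why ignoring is acceptable here. The same silent catch pair appears in the RestDslYamlGenerator hunk. The enclosing method starts and ends outside this hunk.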
diff --git 
a/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslYamlGenerator.java
 
b/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslYamlGenerator.java
index 7ad447ad6a7..ba3d2c0479f 100644
--- 
a/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslYamlGenerator.java
+++ 
b/tooling/openapi-rest-dsl-generator/src/main/java/org/apache/camel/generator/openapi/RestDslYamlGenerator.java
@@ -119,6 +119,16 @@ public class RestDslYamlGenerator extends 
RestDslGenerator<RestDslYamlGenerator>
         // convert from xml to yaml via jackson
         final TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
         transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        try {
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
"");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
+        try {
+            
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException e) {
+            // ignore
+        }
         final Transformer transformer = transformerFactory.newTransformer();
 
         final StringWriter writer = new StringWriter();
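Review bot: These ten lines are a verbatim copy of the block added to BomGeneratorMojo, so the two call sites can drift apart the next time the hardening is tightened. A small shared helper that returns an already-restricted TransformerFactory would keep the policy in one place. The commit title mentions XmlHelper, which may be a suitable home if this module can depend on it; that is not visible from this diff. The enclosing method starts and ends outside this hunk.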
