github-advanced-security[bot] commented on code in PR #14696:
URL: https://github.com/apache/grails-core/pull/14696#discussion_r2072044566
##########
grails-wrapper/src/main/java/grails/init/Start.java:
##########
@@ -56,6 +55,26 @@
return GRAILS_RELEASE_MAVEN_REPO_BASE_URL;
}
+ private static String getSnapshotVersion(String baseVersion) {
+ System.out.println("A Grails snapshot version has been detected.
Downloading latest snapshot.");
+ try {
+ SAXParserFactory factory = SAXParserFactory.newInstance();
+ SAXParser saxParser = factory.newSAXParser();
+ FindSnapshotHandler findVersionHandler = new FindSnapshotHandler();
+ final String mavenMetadataFileUrl = getMavenBaseUrl() +
WRAPPER_PATH + "/" + baseVersion + "/maven-metadata.xml";
+ HttpURLConnection conn =
createHttpURLConnection(mavenMetadataFileUrl);
+ saxParser.parse(conn.getInputStream(), findVersionHandler);
Review Comment:
## Resolving XML external entity in user-controlled data
XML parsing depends on a [user-provided value](1) without guarding against
external entity expansion.
[Show more
details](https://github.com/apache/grails-core/security/code-scanning/21)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
