This is an automated email from the ASF dual-hosted git repository.

matrei pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/grails-core.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new 8dc40cd5df fix: issue reported by CodeQL (#14936)
8dc40cd5df is described below

commit 8dc40cd5dfd1a05f172c3860cc724b0d0bb89272
Author: Mattias Reichel <mat...@apache.org>
AuthorDate: Tue Jul 29 16:34:49 2025 +0200

    fix: issue reported by CodeQL (#14936)
    
    Error from CodeQL:
    Resolving XML external entity in user-controlled data
    XML parsing depends on a without guarding against external
    entity expansion.
---
 .../src/main/java/grails/init/GrailsUpdater.java      | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/grails-wrapper/src/main/java/grails/init/GrailsUpdater.java 
b/grails-wrapper/src/main/java/grails/init/GrailsUpdater.java
index 17be08c739..792d31dce0 100644
--- a/grails-wrapper/src/main/java/grails/init/GrailsUpdater.java
+++ b/grails-wrapper/src/main/java/grails/init/GrailsUpdater.java
@@ -285,12 +285,10 @@ public class GrailsUpdater {
     }
 
     private GrailsVersion getRootVersion(GrailsWrapperRepo repo) throws 
IOException, SAXException, ParserConfigurationException {
-        SAXParserFactory factory = SAXParserFactory.newInstance();
-        SAXParser saxParser = factory.newSAXParser();
         RootMetadataHandler findLastReleaseHandler = new 
RootMetadataHandler(grailsWrapperHome.allowedReleaseTypes);
 
         try (InputStream stream = retrieveMavenMetadata(repo, 
repo.getRootMetadataUrl())) {
-            saxParser.parse(stream, findLastReleaseHandler);
+            createSAXParser().parse(stream, findLastReleaseHandler);
             List<GrailsVersion> foundVersions = 
findLastReleaseHandler.getVersions();
             if (foundVersions.isEmpty()) {
                 throw new IllegalStateException("No Grails Releases were found 
for the allowed types: " + 
grailsWrapperHome.allowedReleaseTypes.stream().map(Enum::name).collect(Collectors.joining(",
 ")));
@@ -306,12 +304,10 @@ public class GrailsUpdater {
     private String fetchSnapshotForVersion(GrailsWrapperRepo repo, 
GrailsVersion baseVersion) throws IOException, SAXException, 
ParserConfigurationException {
         System.out.println("...A Grails snapshot version has been detected. 
Downloading latest snapshot.");
 
-        SAXParserFactory factory = SAXParserFactory.newInstance();
-        SAXParser saxParser = factory.newSAXParser();
         FindLastSnapshotHandler findVersionHandler = new 
FindLastSnapshotHandler();
 
         try (InputStream stream = retrieveMavenMetadata(repo, 
repo.getMetadataUrl(baseVersion))) {
-            saxParser.parse(stream, findVersionHandler);
+            createSAXParser().parse(stream, findVersionHandler);
             return findVersionHandler.getVersion();
         }
     }
@@ -323,4 +319,15 @@ public class GrailsUpdater {
         conn.setInstanceFollowRedirects(true);
         return conn;
     }
+
+    private static SAXParser createSAXParser() throws 
ParserConfigurationException, SAXException {
+        SAXParserFactory factory = SAXParserFactory.newInstance();
+        
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing";, 
true);
+        
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+        
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        factory.setXIncludeAware(false);
+        factory.setNamespaceAware(true);
+        return factory.newSAXParser();
+    }
 }
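Review bot: The secure-processing feature passed as a string literal in the first setFeature call of createSAXParser exists as the compile-checked constant `XMLConstants.FEATURE_SECURE_PROCESSING` in javax.xml, so `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` would be preferable; the file's import block is outside the hunk and would need `javax.xml.XMLConstants` added. The other three feature URIs are Xerces-specific, and a SAX implementation that does not recognise them throws SAXNotRecognizedException/SAXNotSupportedException, which this method propagates as SAXException, so an unhardened parser fails closed rather than parsing unguarded — worth stating in a Javadoc such as `/** Builds a SAX parser that rejects DOCTYPE and external entities (XXE hardening); throws if the implementation cannot honour these features. */`. `setNamespaceAware(true)` goes beyond the CodeQL fix, since a fresh SAXParserFactory is namespace-unaware by default, and should be confirmed against RootMetadataHandler and FindLastSnapshotHandler, which are outside this diff; it is presumably harmless if they match on qName, but it is not required for the hardening and could be dropped to keep the change minimal.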
