ppkarwasz opened a new pull request, #13:
URL: https://github.com/apache/commons-xml/pull/13

   Applies the COMMONSXML-1 capability-driven approach to the Schema path, 
replacing the per-implementation class-name dispatch for `SchemaFactory` with a 
single wrapper-based recipe shared by every implementation.
   
   - `HardeningSchemaFactory` installs a deny-all `LSResourceResolver` on the 
factory (compile-time `xs:import`/`include`/`redefine`) and rewrites every 
`newSchema(Source[])` through an `XmlFactories`-hardened reader.
   - `HardeningSchema` re-installs the resolver on each 
`Validator`/`ValidatorHandler` (validate-time `xsi:schemaLocation`), and 
`HardeningValidator` rewrites the Source on every `validate(Source)`.
   - No FSP and no limit configuration on the factory: the hardened reader from 
`XmlFactories.harden(Source)` already carries them, so DOCTYPE / 
external-entity / Billion Laughs payloads in the schema or instance document 
are bounded there.
   - `StockJdkProvider.configure(SchemaFactory)`, 
`XercesProvider.configure(SchemaFactory)` with its per-product hardeners, 
`XmlFactories.dispatch(SchemaFactory)` and `Limits.applyToJdkSchema` are 
removed; `XmlFactories.newSchemaFactory()` wraps in `HardeningSchemaFactory` 
directly. No new class is introduced (net -84 lines).
   
   **Behaviour:** the JAXP 1.5 `ACCESS_EXTERNAL_*` properties are deliberately 
not set (the deny-all resolver covers the same fetches, and dropping them 
avoids the JDK 8 property-override bug, letting a caller re-enable specific 
lookups via their own resolver). The JDK block now surfaces as 
`SecurityException` rather than `SAXException`; the attack-test assertions 
already accept both. An unrecognized implementation is hardened rather than 
rejected. The schema-engine-internal `maxOccurs` node limit is no longer pinned 
on the factory (not exercised by any test); document-parsing limits remain 
covered via the hardened reader. `mvn verify` green across the stock JDK and 
external Xerces profiles.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to