ppkarwasz opened a new pull request, #18: URL: https://github.com/apache/commons-xml/pull/18
Fixes [COMMONSXML-9](https://issues.apache.org/jira/browse/COMMONSXML-9). ## Problem A hardened factory from `XmlFactories` blocks external DTDs, entities, schemas and stylesheets. On Apache Xerces, Woodstox, Xalan and the JDK's built-in StAX (Zephyr), installing a custom resolver silently removed that protection. Unlike the stock JDK (JEP 185 `ACCESS_EXTERNAL_*`), Saxon (`allowedProtocols`) and Android (ignore-all), these implementations fall back to fetching whatever a resolver leaves unresolved, so a caller's `set*Resolver` overwrote the deny floor the hardening relied on and re-opened the XXE/SSRF surface. ## Change Install a non-removable resolver floor on every resolver channel: `EntityResolver` (DOM/SAX), `LSResourceResolver` (schema), `URIResolver` (XSLT) and `XMLResolver` (StAX). The hardened wrappers keep their own floor installed and route a caller's resolver through it as a delegate: - the caller's resolver is consulted first, so it can still opt a specific resource in by returning a non-`null` value; - anything left unresolved (a `null` return, or no caller resolver) takes the floor's default action, deny (or ignore for the Woodstox DTD-subset and undeclared-entity hooks), instead of the implementation's resolve-all fallback. Installing a resolver is now in scope: a custom resolver can add permitted resources but can no longer remove the block. ## Threat model The threat model is amended to explicitly allow users to install their own resolvers, except implementation-specific types like Xerces `http://apache.org/xml/properties/internal/entity-resolver`. ## Tests - New `EntityResolverFloorTest` is the core coverage: on every channel (`EntityResolver`, `LSResourceResolver`, `URIResolver`, `XMLResolver`), an allow-list resolver still opts a specific resource in, while a resolver that resolves nothing cannot re-open a blocked fetch. - It also adds DOM and SAX tests that resolve a relative XInclude sibling through a caller resolver, skipped where JAXP does not support `setXIncludeAware` (Android). - The full JVM suite and the Android connected suite pass. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
