eolivelli commented on a change in pull request #286: [MNG-6656] Introduce base
for build/consumer process
URL: https://github.com/apache/maven/pull/286#discussion_r330295497
##########
File path:
maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java
##########
@@ -238,9 +263,83 @@ else if ( request.isUpdateSnapshots() )
mavenRepositorySystem.injectProxy( session,
request.getPluginArtifactRepositories() );
mavenRepositorySystem.injectAuthentication( session,
request.getPluginArtifactRepositories() );
+ if ( Boolean.getBoolean( "maven.experimental.buildconsumer" ) )
+ {
+ session.setFileTransformerManager( newFileTransformerManager() );
+ }
return session;
}
+ private FileTransformerManager newFileTransformerManager()
+ {
+ return new FileTransformerManager()
+ {
+ @Override
+ public Collection<FileTransformer> getTransformersForArtifact(
final Artifact artifact )
+ {
+ Collection<FileTransformer> transformers = new ArrayList<>();
+ if ( "pom".equals( artifact.getExtension() ) )
+ {
+ final TransformerFactory transformerFactory =
TransformerFactory.newInstance();
Review comment:
This shuld deserve a separate discussion, but aren't we following OWASP
security guidelines for parsing XML potentially downloaded from remote sources?
Stuff like
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
