eolivelli commented on a change in pull request #286: [MNG-6656] Introduce base for build/consumer process URL: https://github.com/apache/maven/pull/286#discussion_r330295497
########## File path: maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java ##########

@@ -238,9 +263,83 @@ else if ( request.isUpdateSnapshots() ) mavenRepositorySystem.injectProxy( session, request.getPluginArtifactRepositories() ); mavenRepositorySystem.injectAuthentication( session, request.getPluginArtifactRepositories() ); + if ( Boolean.getBoolean( "maven.experimental.buildconsumer" ) ) + { + session.setFileTransformerManager( newFileTransformerManager() ); + } return session; } + private FileTransformerManager newFileTransformerManager() + { + return new FileTransformerManager() + { + @Override + public Collection<FileTransformer> getTransformersForArtifact( final Artifact artifact ) + { + Collection<FileTransformer> transformers = new ArrayList<>(); + if ( "pom".equals( artifact.getExtension() ) ) + { + final TransformerFactory transformerFactory = TransformerFactory.newInstance();

Review comment:
This should deserve a separate discussion, but aren't we following OWASP security guidelines for parsing XML potentially downloaded from remote sources? Stuff like https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

With regards,
Apache Git Services
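Review bot: the `TransformerFactory.newInstance()` created inside `getTransformersForArtifact` for `pom` artifacts is used without any hardening, although the POMs it will transform can come from remote repositories; before the factory is used, set `XMLConstants.FEATURE_SECURE_PROCESSING` to true and set `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` to the empty string, which is the configuration the linked OWASP XXE prevention cheat sheet recommends for `TransformerFactory`, otherwise a downloaded POM carrying a DOCTYPE can make the build fetch external DTDs or entities. A smaller point on the same lines: the factory is instantiated on every call for every `pom` artifact, so building it once (with the hardening applied once) avoids repeating both the cost and the configuration. The `maven.experimental.buildconsumer` gate keeps this path off by default, which is a good reason to get the secure configuration in before the flag is documented rather than after.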
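The reviewer's question above is about hardening the `TransformerFactory` before it touches a POM fetched from a remote repository. The following is an added illustration, not code from the pull request or from Maven: a hypothetical helper that locks the factory down as the linked OWASP cheat sheet recommends and shows, on constructed sample input, that a POM pointing at an external DTD is rejected rather than fetched. The class and method names are assumptions for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedPomTransform {

    // Hypothetical helper (not Maven's code): a TransformerFactory locked down as the
    // OWASP XXE prevention cheat sheet recommends, before it touches a remotely fetched POM.
    static TransformerFactory newHardenedTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // JAXP secure processing: entity-expansion and other resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs/entities, no external stylesheets.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Identity transform of a POM through the hardened factory. A document that points
    // at an external DTD makes transform() throw instead of fetching it.
    static String transformPom(String pomXml) throws TransformerException {
        Transformer transformer = newHardenedTransformerFactory().newTransformer();
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(pomXml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not real POMs.
        String plainPom = "<project><modelVersion>4.0.0</modelVersion></project>";
        String pomWithExternalDtd = "<!DOCTYPE project SYSTEM \"http://example.invalid/pom.dtd\">" + plainPom;

        System.out.println(transformPom(plainPom));
        try {
            transformPom(pomWithExternalDtd);
            System.out.println("NOT blocked: external DTD access was allowed");
        } catch (TransformerException expected) {
            System.out.println("Blocked external DTD: " + expected.getMessage());
        }
    }
}
```

On a non-JDK `TransformerFactory` implementation that predates JAXP 1.5, `setAttribute` may throw `IllegalArgumentException` for the `ACCESS_EXTERNAL_*` attributes; treat that as a configuration failure rather than catching it and continuing with an unhardened factory.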