gnodet opened a new pull request, #12256: URL: https://github.com/apache/maven/pull/12256
## Summary

Alternative to #12251 — centralizes the XXE hardening into a single shared `XmlService.newXMLInputFactory()` method instead of duplicating a `newInputFactory()` helper in each class.

- Adds `XmlService.newXMLInputFactory()` that creates a hardened `XMLInputFactory` with `SUPPORT_DTD=false` and `IS_SUPPORTING_EXTERNAL_ENTITIES=false`
- Replaces all direct `XMLInputFactory.newFactory()` calls across 7 source files with the centralized method
- Hardens the Velocity code-generation templates (`reader-stax.vm`, `reader.vm`) that generate StAX readers for settings, toolchains, metadata, and plugin descriptors — these were missed in #12251
- Includes the XXE regression test from #12251

The [maven-xinclude-extension](https://github.com/apache/maven-xinclude-extension) is unaffected — it creates its own `WstxInputFactory` with entities explicitly enabled and a restricted `LocalXmlResolver`.

## Test plan

- [x] `mvn verify` passes on all affected modules
- [x] `ExtensionDescriptorBuilderTest.testExternalEntityIsNotResolved` confirms XXE is blocked

_Claude Code on behalf of Guillaume Nodet_

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
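The hardening the PR describes (one shared factory method setting `SUPPORT_DTD=false` and `IS_SUPPORTING_EXTERNAL_ENTITIES=false`, plus a regression test proving an external entity is not resolved) can be illustrated with a small stand-alone program. The code below is an added example, not code from the PR or from Maven: `HardenedStaxCheck`, `newHardenedInputFactory`, `collectText` and `externalEntityIsNotResolved` are names chosen here, and the sample XML document and the sentinel file it points at are constructed for the check. It uses only the standard `javax.xml.stream` API, so it behaves the same whether the JDK's built-in StAX implementation or Woodstox is on the classpath.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class HardenedStaxCheck {

    /** Hypothetical stand-in for the PR's XmlService.newXMLInputFactory(); not Maven's code. */
    public static XMLInputFactory newHardenedInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Refuse DOCTYPE/DTD processing entirely, and refuse to fetch external entities.
        // Both properties are standard javax.xml.stream settings.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    /**
     * Streams through the document and collects its character content.
     * Returns null when the parser rejects the input, which is an acceptable outcome
     * for a hardened factory handed a document that declares a DTD.
     */
    public static String collectText(XMLInputFactory factory, String xml) {
        StringBuilder sb = new StringBuilder();
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    sb.append(reader.getText());
                }
                // An unresolved entity may surface as an ENTITY_REFERENCE event; it carries
                // no replacement text, so it is simply skipped here.
            }
            reader.close();
            return sb.toString();
        } catch (XMLStreamException e) {
            return null;
        }
    }

    /**
     * Regression-style check in the spirit of testExternalEntityIsNotResolved:
     * writes a sentinel into a temp file, declares an external entity pointing at it,
     * and returns true only if nothing from that file reaches the parsed text.
     */
    public static boolean externalEntityIsNotResolved() throws IOException {
        Path sentinelFile = Files.createTempFile("xxe-check", ".txt");
        String sentinel = "SENTINEL-" + System.nanoTime();
        try {
            Files.write(sentinelFile, sentinel.getBytes(StandardCharsets.UTF_8));
            // Constructed sample document for the check.
            String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"" + sentinelFile.toUri() + "\">]>\n"
                + "<root>&ext;</root>";
            String text = collectText(newHardenedInputFactory(), xml);
            return text == null || !text.contains(sentinel);
        } finally {
            Files.deleteIfExists(sentinelFile);
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("external entity blocked: " + externalEntityIsNotResolved());
    }
}
```

The check accepts either of the two behaviours StAX implementations show for a hardened factory (an `XMLStreamException` on the DOCTYPE, or a parse that completes without replacement text for `&ext;`), because the property that matters for review is the same in both cases: no byte of the referenced file is ever read. That is also why centralizing the factory construction, as the PR does, is worth the churn across seven files and the Velocity templates: every generated reader inherits the same two settings instead of relying on each call site remembering them.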
