The GitHub Actions job "Java CI" on 
commons-configuration.git/use-copernik-xml-factory has failed.
Run started by GitHub user ppkarwasz (triggered by ppkarwasz).

Head commit for run:
ace8aaf9f928556afe2793a1330cd178ec34c0ab / Piotr P. Karwasz 
<[email protected]>
Harden XML parsing via copernik-xml-factory

Replace all direct JAXP factory instantiations (DocumentBuilderFactory,
SAXParserFactory, TransformerFactory) with the hardened factories from
eu.copernik:copernik-xml-factory 0.1.1. These factories block external
DTD and entity fetching and bound internal entity expansion, regardless
of the JAXP implementation on the classpath.

Hardening the parsing of a configuration file is admittedly not
necessary: configuration files are normally trusted. This limits the
side-effects if a user (against advice) decides to parse untrusted
configuration files.

Changes:
- Add the copernik-xml-factory dependency.
- Route factory creation through XmlFactories in XMLConfiguration,
  XMLDocumentHelper, XMLPropertiesConfiguration and
  XMLPropertyListConfiguration, plus the affected tests.
- Harden the source passed to XMLDocumentHelper.transform.
- XMLConfiguration's entity resolver now throws a SAXException for
  unregistered entities instead of returning null. Returning null would
  let the parser fall back to fetching the external resource and would
  override the deny-all resolver the hardening factories install on some
  implementations. This is done in an anonymous DefaultEntityResolver
  subclass local to XMLConfiguration, leaving the public
  DefaultEntityResolver contract (return null for unknown entities)
  unchanged.

Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>

Report URL: 
https://github.com/apache/commons-configuration/actions/runs/27746811646

With regards,
GitHub Actions via GitBox

Reply via email to