The GitHub Actions job "Java CI" on commons-xml.git/feature/sax-feature-based-hardening has failed. Run started by GitHub user ppkarwasz (triggered by ppkarwasz).
Head commit for run: 87c7172992180fa600fe2254e0df492cef8cc41e / Piotr P. Karwasz <[email protected]> Base SAXParserFactory hardening on feature support Replace the per-implementation class-name dispatch for SAX with a single capability-driven recipe, mirroring the DocumentBuilderFactory rework. A new SAXParserHardener probes feature and property support and adapts: - harden(SAXParserFactory) sets FSP (skipped on Android's Expat, which rejects it) and wraps the factory in the now-universal HardeningSAXParserFactory, since SAXParserFactory exposes no property API. - hardenReader(XMLReader) sets FSP, skips the external DTD subset where supported, applies limits and probes ACCESS_EXTERNAL_*: the bare reader is returned when the JAXP 1.5 properties are honoured (stock JDK), otherwise a deny-all EntityResolver is installed (external Xerces). - Limits.tryApply(XMLReader) picks the Xerces SecurityManager vs JDK limit-property path by class name (the JDK reader is itself a Xerces fork exposing the same property, so a probe cannot tell them apart). - JaxpSetters gains setOptionalFeature(XMLReader) and trySetProperty(XMLReader). StockJdkProvider and XercesProvider lose their SAX recipes; XercesProvider now handles only Schema factories. HardeningSAXParserFactory becomes a single-argument wrapper that returns a HardeningSAXParser, which exposes the hardened reader and a matching SAX 1 Parser (cast or XMLReaderAdapter, lazily) so consumers reaching the parser through either path, including Xalan's identity transformer, get the same hardening. Android keeps its fixups rather than becoming a pass-through. Expat ignores external fetches silently when no resolver is set, so a subset-aware deny-all resolver is installed to fail on external entities while still letting an unused external subset load, and an ExpatReaderWrapper rejects the unsupported namespace-prefixes feature eagerly instead of failing mid-parse. DOM (KXmlParser) remains a pass-through. Behaviour change: the returned SAXParserFactory no longer forces namespace awareness. The previous StockJdkProvider and XercesProvider SAX recipes called setNamespaceAware(true); whether to parse namespace-aware is the caller's decision, not a hardening concern, so it is now left at the implementation default (DOM never set it). The internal Source-parsing path keeps it on: XmlFactories.harden(Source) sets namespace awareness itself, since schema, XSLT and validator sources are parsed in a namespace-aware context. Adds SchemaLocationSaxTest (the SAX counterpart of SchemaLocationDomTest, reusing AttackTestSupport's shared strict reporter) and a SAX case in UnsupportedXmlImplementationTest. AndroidProvider is removed. Assisted-By: Claude Opus 4.8 (1M context) <[email protected]> Report URL: https://github.com/apache/commons-xml/actions/runs/28329584482 With regards, GitHub Actions via GitBox
