This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 6c7d0c84b4aa5a481bd864e7f17db66d51659acf
Author: Claus Ibsen <claus.ib...@gmail.com>
AuthorDate: Sun Dec 18 14:38:39 2022 +0100

    Make XmlHelper more secure
---
 .../apache/camel/dsl/jbang/core/common/XmlHelper.java |  5 +++++
 .../main/java/org/apache/camel/maven/XmlHelper.java   | 19 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git 
a/dsl/camel-jbang/camel-jbang-core/src/main/java/org/apache/camel/dsl/jbang/core/common/XmlHelper.java
 
b/dsl/camel-jbang/camel-jbang-core/src/main/java/org/apache/camel/dsl/jbang/core/common/XmlHelper.java
index afc58f99cd9..452307af4cd 100644
--- 
a/dsl/camel-jbang/camel-jbang-core/src/main/java/org/apache/camel/dsl/jbang/core/common/XmlHelper.java
+++ 
b/dsl/camel-jbang/camel-jbang-core/src/main/java/org/apache/camel/dsl/jbang/core/common/XmlHelper.java
@@ -42,6 +42,11 @@ public final class XmlHelper {
             
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
         } catch (ParserConfigurationException e) {
         }
+        try {
+            // Disable the external-parameter-entities by default
+            
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        } catch (ParserConfigurationException e) {
+        }
         // setup the SecurityManager by default if it's apache xerces
         try {
             Class<?> smClass = 
ObjectHelper.loadClass("org.apache.xerces.util.SecurityManager");
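Review bot: Disabling external-parameter-entities still leaves the external DTD subset reachable: with both external-general-entities and external-parameter-entities set to false, Xerces will still resolve the system identifier of a `<!DOCTYPE x SYSTEM "http://...">` declaration unless `http://apache.org/xml/features/nonvalidating/load-external-dtd` is also false, so a crafted file can still cause an outbound fetch. Add, in the same try/catch shape as the new block, `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` — or, if this helper never needs a DOCTYPE at all, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, which closes every entity and DTD path in one step. The empty catch blocks also hide the case where the underlying parser rejects a feature and the hardening silently did not take effect; a debug-level log line in each catch would make that visible. The enclosing method starts before this hunk, so one of these features may already be set above.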
diff --git 
a/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
 
b/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
index 5d0e9d1ec10..bcb505d833d 100644
--- 
a/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
+++ 
b/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
@@ -41,9 +41,26 @@ public final class XmlHelper {
 
     public static Document buildNamespaceAwareDocument(File xml)
             throws SAXException, ParserConfigurationException, IOException {
+ 
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setNamespaceAware(true);
-        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        factory.setIgnoringElementContentWhitespace(true);
+        factory.setIgnoringComments(true);
+        try {
+            // Set secure processing
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        } catch (ParserConfigurationException e) {
+        }
+        try {
+            // Disable the external-general-entities by default
+            
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+        } catch (ParserConfigurationException e) {
+        }
+        try {
+            // Disable the external-parameter-entities by default
+            
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        } catch (ParserConfigurationException e) {
+        }
         return factory.newDocumentBuilder().parse(xml);
     }
 
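Review bot: `buildNamespaceAwareDocument` now disables external general and parameter entities, but it still accepts a DOCTYPE, so an internal entity expansion (billion-laughs style) and an external DTD referenced by system identifier remain possible unless the parser's secure-processing limits or the Xerces SecurityManager happen to catch them; the jbang XmlHelper in this same commit at least sets up that SecurityManager, this one does not. Since the files parsed here are the project's own documentation XML, they presumably never declare a DOCTYPE, and `http://apache.org/xml/features/disallow-doctype-decl` is the single feature that closes every entity and DTD path at once; `setXIncludeAware(false)` and `setExpandEntityReferences(false)` are cheap additional hardening on the same factory. Also note that `setIgnoringElementContentWhitespace(true)` only has an effect when the parser is validating, which this factory is not, so that line is effectively a no-op here.
```java
        // … unchanged: namespace-aware / ignore-whitespace / ignore-comments / secure-processing / entity features …
        try {
            // NOTE(review): assumes the documentation XML never declares a DOCTYPE — confirm.
            // Forbidding it disables internal entity expansion and external DTD loading in one step.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        } catch (ParserConfigurationException e) {
        }
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder().parse(xml);
```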
