oscerd opened a new pull request, #24105: URL: https://github.com/apache/camel/pull/24105
Hardens the Schematron **rules-compilation** `TransformerFactory` against XXE / external-resource resolution. `SchematronEndpoint.createTransformerFactory()` previously set only `LINE_NUMBERING`, while the sibling `SchematronProcessorFactory` (a `SAXParserFactory`) was already hardened. This makes the two factory paths consistent.

## Changes

- `createTransformerFactory()` now enables `FEATURE_SECURE_PROCESSING` and sets `accessExternalDTD` / `accessExternalStylesheet` to empty.
- The bundled ISO skeleton stylesheets resolve from the classpath via the existing `ClassPathURIResolver`, so legitimate rule compilation is unaffected (verified by test).
- New `SchematronTransformerFactoryHardeningTest`: legitimate rules still compile; a rules file referencing an external entity is refused rather than resolved.
- Upgrade-guide note (potential breaking change for rules that intentionally reference external resources).

## Notes

- The rules file is operator-supplied (trusted), so severity is low — this is defense-in-depth, consistent with the in-scope "XXE / remote DTD/stylesheet resolution in XML/XSLT parsers" class in the security model.
- No `@UriParam`/metadata/API change. The `camel-schematron` module tests pass (14), and a full `mvn clean install -DskipTests` reactor build is green.

Jira: https://issues.apache.org/jira/browse/CAMEL-23783

_Claude Code on behalf of Andrea Cosentino_
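The factory hardening the PR describes, as an added stand-alone example (not code from the Camel PR itself): a `TransformerFactory` with `FEATURE_SECURE_PROCESSING` on and the two `accessExternal*` properties emptied, fed a self-contained stylesheet and a constructed one whose `xsl:import` points at a placeholder remote host. It deliberately omits Camel's `ClassPathURIResolver`, so classpath-resolved imports are not covered here; the `.invalid` hostname is a constructed placeholder.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerFactoryDemo {

    /** Hardened factory: secure processing on, external DTD and xsl:import/xsl:include access disabled. */
    static TransformerFactory createHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list means no external DTD / stylesheet may be fetched by the compiler
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Compiles the stylesheet; returns false when the factory refuses it at compile time. */
    static boolean compiles(TransformerFactory factory, String xslt) {
        try {
            Templates templates = factory.newTemplates(new StreamSource(new StringReader(xslt)));
            return templates != null;
        } catch (TransformerConfigurationException e) {
            // With the access properties emptied, the remote import is rejected here rather than fetched
            System.out.println("refused: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String open = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">";
        String body = "<xsl:template match=\"/\"><ok/></xsl:template></xsl:stylesheet>";

        // Constructed samples: one self-contained rules stylesheet, one importing from a placeholder host
        String selfContained = open + body;
        String remoteImport = open + "<xsl:import href=\"http://rules.example.invalid/external.xsl\"/>" + body;

        TransformerFactory hardened = createHardenedFactory();
        System.out.println("self-contained compiles: " + compiles(hardened, selfContained));
        System.out.println("remote import compiles:  " + compiles(hardened, remoteImport));
    }
}
```

If a `URIResolver` is installed on the factory it is consulted before the access check, which is why Camel's classpath-only resolver keeps the bundled ISO skeleton working while still not reaching the network.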
