This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch sandbox/camel-3.x
in repository https://gitbox.apache.org/repos/asf/camel.git

commit a2480d757505bb1c37802939384aef12d4101fb5
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Tue Nov 27 13:46:24 2018 +0000

    Set the secure processing feature on various DocumentBuilderFactory, 
TransformerFactory, SAXParserFactory instances
    
    Conflicts:
        
camel-core/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
---
 .../java/org/apache/camel/converter/jaxp/XmlConverter.java    |  8 ++++++++
 .../apache/camel/management/mbean/RouteCoverageXmlParser.java |  5 ++++-
 .../main/java/org/apache/camel/util/XmlLineNumberParser.java  |  3 +++
 .../org/apache/camel/component/cm/CMSenderOneMessageImpl.java |  6 +++++-
 .../apache/camel/component/flatpack/FlatpackConverter.java    |  5 ++++-
 .../main/java/org/apache/camel/component/fop/FopProducer.java |  7 +++++--
 .../schematron/processor/SchematronProcessorFactory.java      |  2 ++
 .../camel/component/spring/ws/bean/CamelEndpointMapping.java  |  2 ++
 .../ws/filter/impl/HeaderTransformationMessageFilter.java     | 10 +++++++++-
 .../apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java |  5 ++++-
 .../java/org/apache/camel/component/tika/TikaProducer.java    |  2 ++
 .../org/apache/camel/catalog/nexus/BaseNexusRepository.java   |  3 +++
 .../java/org/apache/camel/catalog/DefaultCamelCatalog.java    |  7 ++++++-
 .../org/apache/camel/parser/helper/XmlLineNumberParser.java   |  4 ++++
 .../apache/camel/maven/bom/generator/BomGeneratorMojo.java    | 11 ++++++++---
 .../src/main/java/org/apache/camel/maven/XmlHelper.java       |  7 ++++++-
 .../apache/camel/maven/packaging/PrepareCatalogKarafMojo.java |  3 +++
 .../apache/camel/maven/packaging/SpringBootStarterMojo.java   | 10 ++++++++--
 18 files changed, 86 insertions(+), 14 deletions(-)

diff --git 
a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java 
b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index 1739dcf..cc48911 100644
--- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -33,6 +33,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -895,6 +896,13 @@ public class XmlConverter {
         factory.setIgnoringElementContentWhitespace(true);
         factory.setIgnoringComments(true);
         try {
+            // Set secure processing
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        } catch (ParserConfigurationException e) {
+            LOG.warn("DocumentBuilderFactory doesn't support the feature {} 
with value {}, due to {}.",
+                     new Object[]{XMLConstants.FEATURE_SECURE_PROCESSING, 
true, e});
+        }
+        try {
             // Disable the external-general-entities by default
             
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
         } catch (ParserConfigurationException e) {
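Review bot: When the factory rejects `XMLConstants.FEATURE_SECURE_PROCESSING`, the added catch only logs a warning and the method carries on with a factory that lacks the JAXP processing limits, so this hardening fails open. The comment `// Set secure processing` says what the line does but not that the fallback is deliberate; something like `// best effort: keep working with parsers that do not support secure processing, but warn` would make the policy explicit. As a style point, `Boolean.TRUE` is unboxed on every call here and in the other hunks of this commit, while the neighbouring `setFeature` calls pass the literal `false`; plain `true` would match them. The enclosing method starts and ends outside the hunk.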
diff --git 
a/camel-management-impl/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
 
b/camel-management-impl/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
index e06a833..25b9b87 100644
--- 
a/camel-management-impl/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
+++ 
b/camel-management-impl/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
@@ -19,6 +19,7 @@ package org.apache.camel.management.mbean;
 import java.io.InputStream;
 import java.util.Stack;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.SAXParser;
@@ -63,8 +64,10 @@ public final class RouteCoverageXmlParser {
      */
     public static Document parseXml(final CamelContext camelContext, final 
InputStream is) throws Exception {
         final SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
         final SAXParser parser = factory.newSAXParser();
         final DocumentBuilderFactory docBuilderFactory = 
DocumentBuilderFactory.newInstance();
+        docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
         final DocumentBuilder docBuilder = 
docBuilderFactory.newDocumentBuilder();
         final Document doc = docBuilder.newDocument();
 
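Review bot: Secure processing is the only hardening applied to the `SAXParserFactory` in `parseXml`, and that feature alone is not guaranteed to reject DOCTYPE declarations or stop external entity resolution; what it restricts depends on the JAXP implementation on the classpath. If `is` can carry XML from outside the application, also set `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, or, where DTDs must be accepted, set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false`. In the visible lines the `DocumentBuilderFactory` is used only for `newDocument()`, so the flag on it has little effect on what gets parsed. The same applies to the `SAXParserFactory` in both `XmlLineNumberParser` hunks and in `SchematronProcessorFactory.getXMLReader()`, and to the `DocumentBuilderFactory` in `BaseNexusRepository` if it parses remote content. `parseXml` continues past the end of this hunk.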
@@ -171,4 +174,4 @@ public final class RouteCoverageXmlParser {
 
         return doc;
     }
-}
\ No newline at end of file
+}
diff --git 
a/camel-util/src/main/java/org/apache/camel/util/XmlLineNumberParser.java 
b/camel-util/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
index d80cb45..7c01d8a 100644
--- a/camel-util/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
+++ b/camel-util/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
@@ -21,6 +21,7 @@ import java.io.InputStream;
 import java.io.StringReader;
 import java.util.Stack;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.SAXParser;
@@ -107,11 +108,13 @@ public final class XmlLineNumberParser {
         final Document doc;
         SAXParser parser;
         final SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
         parser = factory.newSAXParser();
         final DocumentBuilderFactory dbf = 
DocumentBuilderFactory.newInstance();
         // turn off validator and loading external dtd
         dbf.setValidating(false);
         dbf.setNamespaceAware(true);
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
         dbf.setFeature("http://xml.org/sax/features/namespaces";, false);
         dbf.setFeature("http://xml.org/sax/features/validation";, false);
         
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";, 
false);
diff --git 
a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
 
b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
index 07e0e14..64bb92d 100644
--- 
a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
+++ 
b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
@@ -23,6 +23,7 @@ import java.io.InputStreamReader;
 import java.nio.charset.Charset;
 import java.util.UUID;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -90,6 +91,7 @@ public class CMSenderOneMessageImpl implements CMSender {
 
             final ByteArrayOutputStream xml = new ByteArrayOutputStream();
             final DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
             factory.setNamespaceAware(true);
 
             // Get the DocumentBuilder
@@ -158,7 +160,9 @@ public class CMSenderOneMessageImpl implements CMSender {
             }
 
             // Creatate XML as String
-            final Transformer aTransformer = 
TransformerFactory.newInstance().newTransformer();
+            TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
+            
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            final Transformer aTransformer = 
transformerFactory.newTransformer();
             aTransformer.setOutputProperty(OutputKeys.INDENT, "yes");
             final Source src = new DOMSource(doc);
             final Result dest = new StreamResult(xml);
diff --git 
a/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
 
b/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
index 5dbce99..f51ab3c 100644
--- 
a/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
+++ 
b/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
@@ -21,6 +21,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -60,7 +61,9 @@ public final class FlatpackConverter {
 
     @Converter
     public static Document toDocument(DataSet dataSet) throws 
ParserConfigurationException {
-        Document doc = 
DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        Document doc = dbf.newDocumentBuilder().newDocument();
 
         if (dataSet.getIndex() == -1) {
             Element list = doc.createElement("Dataset");
diff --git 
a/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java
 
b/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java
index 5eb046e..928c722 100644
--- 
a/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java
+++ 
b/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java
@@ -19,6 +19,8 @@ package org.apache.camel.component.fop;
 import java.io.ByteArrayOutputStream;
 import java.io.OutputStream;
 import java.util.Map;
+
+import javax.xml.XMLConstants;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@@ -85,8 +87,9 @@ public class FopProducer extends DefaultProducer {
         throws FOPException, TransformerException {
         OutputStream out = new ByteArrayOutputStream();
         Fop fop = fopFactory.newFop(outputFormat, userAgent, out);
-        TransformerFactory factory = TransformerFactory.newInstance();
-        Transformer transformer = factory.newTransformer();
+        TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        Transformer transformer = transformerFactory.newTransformer();
 
         Result res = new SAXResult(fop.getDefaultHandler());
         transformer.transform(src, res);
diff --git 
a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
 
b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
index 71d9e02..739493f 100644
--- 
a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
+++ 
b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
@@ -16,6 +16,7 @@
  */
 package org.apache.camel.component.schematron.processor;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -68,6 +69,7 @@ public final class SchematronProcessorFactory {
      */
     private static XMLReader getXMLReader() throws 
ParserConfigurationException, SAXException {
         final SAXParserFactory fac = SAXParserFactory.newInstance();
+        fac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
         fac.setValidating(false);
         final SAXParser parser = fac.newSAXParser();
         XMLReader reader = parser.getXMLReader();
diff --git 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
index 7b27a18..78b6e25 100644
--- 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
+++ 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
@@ -21,6 +21,7 @@ import java.net.URISyntaxException;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLStreamException;
@@ -248,6 +249,7 @@ public class CamelEndpointMapping extends 
AbstractEndpointMapping implements Ini
             xmlConverter.setTransformerFactory(transformerFactory);
         } else {
             transformerFactory = TransformerFactory.newInstance();
+            
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
         }
     }
 
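Review bot: Only the factory created in the `else` branch gets `FEATURE_SECURE_PROCESSING`; the factory in the branch above is handed to `xmlConverter.setTransformerFactory(...)` unchanged. If that factory comes from configuration, either move the `setFeature` call after the `if`/`else` so both paths are covered, or add a comment such as `// a configured factory is used as supplied; it must be hardened where it is defined`. The `if` condition and the method signature are outside the hunk, so this is inferred from the visible lines only.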
diff --git 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
index b7bce5b..be0a853 100644
--- 
a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
+++ 
b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
@@ -18,9 +18,11 @@ package org.apache.camel.component.spring.ws.filter.impl;
 
 import java.util.Map;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.ErrorListener;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 
@@ -130,6 +132,12 @@ public class HeaderTransformationMessageFilter implements 
MessageFilter {
             throw new IllegalStateException("Cannot resolve a transformer 
factory");
         }
 
+        try {
+            
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        } catch (TransformerConfigurationException ex) {
+            // ignore
+        }
+
         transformerFactory.setErrorListener(new ErrorListener() {
 
             @Override
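Review bot: The empty catch around `transformerFactory.setFeature(...)` hides the case where the resolved factory does not accept secure processing, so the filter would run its stylesheet without the limits and leave no trace in the logs. Every other call site in this commit either lets the exception propagate or, in XmlConverter, logs a warning. At minimum log it here, for example `LOG.warn("TransformerFactory {} does not support secure processing", transformerFactory.getClass().getName(), ex);`, assuming the class has a logger. The `saxon` setter further down suggests a non-default factory can be selected, which is the case most likely to reach this branch. The enclosing method starts and ends outside the hunk.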
@@ -191,4 +199,4 @@ public class HeaderTransformationMessageFilter implements 
MessageFilter {
         this.saxon = saxon;
     }
 
-}
\ No newline at end of file
+}
diff --git 
a/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java
 
b/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java
index bf3c308..8ebbed2 100644
--- 
a/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java
+++ 
b/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java
@@ -23,6 +23,7 @@ import java.io.Writer;
 import java.util.Map;
 import java.util.Map.Entry;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMResult;
@@ -176,7 +177,9 @@ public class TidyMarkupDataFormat extends ServiceSupport 
implements DataFormat,
         parser.setContentHandler(createContentHandler(w));
 
         try {
-            Transformer transformer = 
TransformerFactory.newInstance().newTransformer();
+            TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
+            
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            Transformer transformer = transformerFactory.newTransformer();
             DOMResult result = new DOMResult();
             transformer.transform(new SAXSource(parser, new 
InputSource(inputStream)), result);
             return result.getNode();
diff --git 
a/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java
 
b/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java
index c9b1f12..62b5bf2 100644
--- 
a/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java
+++ 
b/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java
@@ -23,6 +23,7 @@ import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.UnsupportedEncodingException;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
@@ -150,6 +151,7 @@ public class TikaProducer extends DefaultProducer {
     private TransformerHandler getTransformerHandler(OutputStream output, 
String method,
             boolean prettyPrint) throws TransformerConfigurationException, 
UnsupportedEncodingException {
         SAXTransformerFactory factory = (SAXTransformerFactory) 
TransformerFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
         TransformerHandler handler = factory.newTransformerHandler();
         handler.getTransformer().setOutputProperty(OutputKeys.METHOD, method);
         handler.getTransformer().setOutputProperty(OutputKeys.INDENT, 
prettyPrint ? "yes" : "no");
diff --git 
a/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java
 
b/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java
index d46b304..38bdd6f 100644
--- 
a/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java
+++ 
b/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java
@@ -27,6 +27,8 @@ import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
@@ -194,6 +196,7 @@ public abstract class BaseNexusRepository {
         factory.setNamespaceAware(true);
         factory.setIgnoringElementContentWhitespace(true);
         factory.setIgnoringComments(true);
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
 
         DocumentBuilder documentBuilder = factory.newDocumentBuilder();
 
diff --git 
a/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
 
b/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
index 4fde346..1c6057f 100644
--- 
a/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
+++ 
b/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
@@ -29,6 +29,8 @@ import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.regex.PatternSyntaxException;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathFactory;
@@ -1379,7 +1381,10 @@ public class DefaultCamelCatalog extends 
AbstractCamelCatalog implements CamelCa
             int archetypes = 0;
             try {
                 String xml = archetypeCatalogAsXml();
-                Document dom = 
DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new 
ByteArrayInputStream(xml.getBytes()));
+
+                DocumentBuilderFactory dbf = 
DocumentBuilderFactory.newInstance();
+                dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+                Document dom = dbf.newDocumentBuilder().parse(new 
ByteArrayInputStream(xml.getBytes()));
                 Object val = 
XPathFactory.newInstance().newXPath().evaluate("count(/archetype-catalog/archetypes/archetype)",
 dom, XPathConstants.NUMBER);
                 double num = (double) val;
                 archetypes = (int) num;
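Review bot: The rewritten parse line still calls `xml.getBytes()` with no charset, so the bytes handed to the parser depend on the platform default encoding and can disagree with the encoding the catalog XML declares or defaults to. `xml.getBytes(StandardCharsets.UTF_8)`, with the matching import, removes that dependency. The `catch` for the surrounding `try` is outside the hunk, so it cannot be seen here whether a `ParserConfigurationException` from the new `setFeature` call is reported or just leaves `archetypes` at 0.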
diff --git 
a/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
 
b/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
index a96fb86..129740b 100644
--- 
a/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
+++ 
b/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
@@ -25,6 +25,8 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Stack;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.SAXParser;
@@ -86,11 +88,13 @@ public final class XmlLineNumberParser {
         final Document doc;
         SAXParser parser;
         final SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
         parser = factory.newSAXParser();
         final DocumentBuilderFactory dbf = 
DocumentBuilderFactory.newInstance();
         // turn off validator and loading external dtd
         dbf.setValidating(false);
         dbf.setNamespaceAware(true);
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
         dbf.setFeature("http://xml.org/sax/features/namespaces";, false);
         dbf.setFeature("http://xml.org/sax/features/validation";, false);
         
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar";, 
false);
diff --git 
a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
 
b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
index ea83c74..c309cab 100644
--- 
a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
+++ 
b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
@@ -28,6 +28,8 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -205,7 +207,9 @@ public class BomGeneratorMojo extends AbstractMojo {
     }
 
     private Document loadBasePom() throws Exception {
-        DocumentBuilder builder = 
DocumentBuilderFactory.newInstance().newDocumentBuilder();
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        DocumentBuilder builder = dbf.newDocumentBuilder();
         Document pom = builder.parse(sourcePom);
 
         XPath xpath = XPathFactory.newInstance().newXPath();
@@ -236,7 +240,9 @@ public class BomGeneratorMojo extends AbstractMojo {
             emptyNode.getParentNode().removeChild(emptyNode);
         }
 
-        Transformer transformer = 
TransformerFactory.newInstance().newTransformer();
+        TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        Transformer transformer = transformerFactory.newTransformer();
         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
         transformer.setOutputProperty(OutputKeys.METHOD, "xml");
         
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount";, "2");
@@ -285,7 +291,6 @@ public class BomGeneratorMojo extends AbstractMojo {
 
 
     private void overwriteDependencyManagement(Document pom, List<Dependency> 
dependencies) throws Exception {
-
         XPath xpath = XPathFactory.newInstance().newXPath();
         XPathExpression expr = 
xpath.compile("/project/dependencyManagement/dependencies");
 
diff --git 
a/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
 
b/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
index af6b528..863779a 100644
--- 
a/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
+++ 
b/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
@@ -18,6 +18,8 @@ package org.apache.camel.maven;
 
 import java.io.File;
 import java.io.IOException;
+
+import javax.xml.XMLConstants;
 import javax.xml.namespace.NamespaceContext;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -38,11 +40,14 @@ public final class XmlHelper {
     public static Document buildNamespaceAwareDocument(File xml) throws 
SAXException, ParserConfigurationException, IOException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setNamespaceAware(true);
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
         return factory.newDocumentBuilder().parse(xml);
     }
 
     public static Transformer buildTransformer() throws 
TransformerConfigurationException {
-        Transformer transformer = 
TransformerFactory.newInstance().newTransformer();
+        TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        Transformer transformer = transformerFactory.newTransformer();
         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
         
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount";, "2");
         return transformer;
diff --git 
a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
 
b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
index 1d8c79e..3db3d78 100644
--- 
a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
+++ 
b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
@@ -29,6 +29,8 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 
 import org.w3c.dom.Document;
@@ -641,6 +643,7 @@ public class PrepareCatalogKarafMojo extends AbstractMojo {
             dbf.setNamespaceAware(false);
             dbf.setValidating(false);
             dbf.setXIncludeAware(false);
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
             Document dom = dbf.newDocumentBuilder().parse(is);
 
             NodeList children = dom.getElementsByTagName("features");
diff --git 
a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
 
b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
index b4f6560..3ef6d13 100644
--- 
a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
+++ 
b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
@@ -34,6 +34,8 @@ import java.util.Properties;
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.stream.Collectors;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -270,7 +272,9 @@ public class SpringBootStarterMojo extends AbstractMojo {
     private void fixAdditionalRepositories(Document pom) throws Exception {
 
         if (project.getFile() != null) {
-            DocumentBuilder builder = 
DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            DocumentBuilder builder = dbf.newDocumentBuilder();
             Document originalPom = builder.parse(project.getFile());
 
             XPath xpath = XPathFactory.newInstance().newXPath();
@@ -613,7 +617,9 @@ public class SpringBootStarterMojo extends AbstractMojo {
 
         pom.setXmlStandalone(true);
 
-        Transformer transformer = 
TransformerFactory.newInstance().newTransformer();
+        TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
+        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        Transformer transformer = transformerFactory.newTransformer();
         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
         transformer.setOutputProperty(OutputKeys.METHOD, "xml");
         
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount";, "2");
