On Wed, Nov 17, 2021 at 20:12, Guillaume Nodet wrote:
> On Wed, Nov 17, 2021 at 18:06, Romain Manni-Bucau wrote:
>
> > Well for the security issue: this is trivially solved since we own the
> > parser and the related implementation so we can enforce the include is in
> > project.basedir of

On Wed, Nov 17, 2021 at 18:06, Romain Manni-Bucau wrote:
> Well for the security issue: this is trivially solved since we own the
> parser and the related implementation so we can enforce that the include is in
> project.basedir of the root module.
>
> About solving an issue:
>
> > If we only allow

I really don't get this FUD around xincludes. Entity attacks are a problem
if you're using XML as a transfer data format. As the article says "Since
the entire XML document is communicated from an untrusted client". Ok, but
the pom.xml is the heart of the source code. There are plenty of other things to
t

Well for the security issue: this is trivially solved since we own the
parser and the related implementation so we can enforce that the include is in
project.basedir of the root module.
About solving an issue:
> If we only allow importing other files that reside in the same
repository, then those bit

Gary beat me to it :-) I would be hesitant to add support for XML
Entities or XML Includes. Both have proven themselves to be a frequent
source of security issues ([1], [2] and probably a lot more). The
problem is that XML parsers typically do not allow selective includes,
so if we want to prev

The parsers I've seen don't "prevent" XI; you have to enable the feature.
Note that some folks don't like DTD processing and XI for security reasons.
Gary
On Wed, Nov 17, 2021, 09:17 Romain Manni-Bucau wrote:
> Hi all,
>
> Almost everything is in the subject: any reason our pom parser prevents
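
The parser hardening and basedir restriction discussed in the messages above
(Romain's "enforce the include is in project.basedir", the concern that parsers
do not do selective includes, and Gary's note that XInclude and DTD processing
have to be switched on explicitly), as an added example. This is not code from
the thread or from Maven's XPP3-based pom reader; it is a stand-alone JAXP
sketch. The class name BasedirXInclude, the helper names and the sample files
are assumptions, and it assumes Java 11+ with the JDK's built-in parser, which
honours the Xerces feature URIs used below.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

// Hypothetical helper (not Maven code): xi:include limited to the root module's basedir.
public final class BasedirXInclude {
    static final String XI_NS = "http://www.w3.org/2001/XInclude";

    // Hardened JAXP builder: any DOCTYPE is an error (no XXE, no entity expansion
    // bombs) and the parser's own XInclude stays off, so href resolution is ours.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newDocumentBuilder();
    }

    // Resolve href relative to the including file; reject URIs with a scheme, absolute
    // paths, ".." escapes and symlinks pointing outside basedir (toRealPath follows them).
    static Path resolveInside(Path basedir, Path includingFile, String href) throws IOException {
        if (href.isEmpty() || href.contains(":")) {
            throw new IOException("only plain relative hrefs are allowed: " + href);
        }
        Path real = includingFile.resolveSibling(href).normalize().toRealPath();
        if (!real.startsWith(basedir.toRealPath())) {
            throw new IOException("include escapes basedir: " + href);
        }
        return real;
    }

    // Parse file, then replace each xi:include with the (recursively processed)
    // root element of its target. Only parse="xml" (the default) is supported.
    static Document load(DocumentBuilder b, Path basedir, Path file, int depth)
            throws IOException, SAXException {
        if (depth > 8) throw new IOException("include nesting too deep at " + file);
        Document doc = b.parse(file.toFile());
        NodeList live = doc.getElementsByTagNameNS(XI_NS, "include");
        Element[] includes = new Element[live.getLength()]; // snapshot: the list is live
        for (int i = 0; i < includes.length; i++) includes[i] = (Element) live.item(i);
        for (Element inc : includes) {
            String parse = inc.getAttribute("parse");
            if (!parse.isEmpty() && !parse.equals("xml")) {
                throw new IOException("unsupported parse=" + parse + " in " + file);
            }
            Path target = resolveInside(basedir, file, inc.getAttribute("href"));
            Document included = load(b, basedir, target, depth + 1);
            Node imported = doc.importNode(included.getDocumentElement(), true);
            inc.getParentNode().replaceChild(imported, inc);
        }
        return doc;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample project, not a real one; both dirs sit under java.io.tmpdir.
        Path basedir = Files.createTempDirectory("xinc-basedir");
        Path outside = Files.createTempDirectory("xinc-outside");
        Files.createDirectories(basedir.resolve(".mvn"));
        Files.writeString(basedir.resolve(".mvn/deps.xml"),
            "<dependencies><dependency><artifactId>lib</artifactId></dependency></dependencies>");
        Files.writeString(outside.resolve("secret.xml"), "<secret>must not be read</secret>");
        String head = "<project xmlns:xi=\"" + XI_NS + "\">";
        Files.writeString(basedir.resolve("pom.xml"),
            head + "<xi:include href=\".mvn/deps.xml\"/></project>");
        Files.writeString(basedir.resolve("escape.xml"),
            head + "<xi:include href=\"../" + outside.getFileName() + "/secret.xml\"/></project>");
        Files.writeString(basedir.resolve("xxe.xml"),
            "<!DOCTYPE p [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><project>&xxe;</project>");

        DocumentBuilder b = hardenedBuilder();
        Document ok = load(b, basedir, basedir.resolve("pom.xml"), 0);
        System.out.println("included artifactId: "
            + ok.getElementsByTagName("artifactId").item(0).getTextContent());
        for (String name : new String[] {"escape.xml", "xxe.xml"}) {
            try {
                load(b, basedir, basedir.resolve(name), 0);
                System.out.println(name + ": unexpectedly accepted");
            } catch (IOException | SAXException e) {
                System.out.println(name + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running main prints the artifactId pulled in from .mvn/deps.xml, then shows the
include that climbs out of basedir and the file carrying a DOCTYPE both being
rejected. Because a DOCTYPE is refused outright, the two external-entity
features are redundant and are kept only as defence in depth; the remote-include
case is covered by refusing any href with a scheme before a path is ever built.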

That's clearly a limitation of XPP3, which is a minimal XML parser.
For simple use cases, it may be easier to rely on adding support for custom
XML entities; it should be much easier to support than XInclude.
On Wed, Nov 17, 2021 at 15:17, Romain Manni-Bucau wrote:
> Hi all,
>
> Almost everythi

Hi all,
Almost everything is in the subject: any reason our pom parser prevents
using XML includes (https://www.w3.org/TR/xinclude/)?
It would be very convenient to import some part of the pom definition from
.mvn/ or a project folder (indeed remote/insecure imports would be
forbidden).
Just a xpp