Posted to commits@calcite.apache.org by GitBox <gi...@apache.org> on 2022/09/07 01:24:54 UTC

[GitHub] [calcite] pjfanning commented on a diff in pull request #2892: [CALCITE-5263] Improve XmlFunctions by using an XML DocumentBuilder

pjfanning commented on code in PR #2892:
URL: https://github.com/apache/calcite/pull/2892#discussion_r964299383


##########
core/src/main/java/org/apache/calcite/runtime/XmlFunctions.java:
##########
@@ -60,13 +67,41 @@
 public class XmlFunctions {
 
   private static final ThreadLocal<@Nullable XPathFactory> XPATH_FACTORY =
-      ThreadLocal.withInitial(XPathFactory::newInstance);
+      ThreadLocal.withInitial(() -> {
+        final XPathFactory xPathFactory = XPathFactory.newInstance();
+        try {
+          xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (XPathFactoryConfigurationException e) {
+          throw new IllegalStateException("XPath Factory configuration failed", e);
+        }
+        return xPathFactory;
+      });
   private static final ThreadLocal<@Nullable TransformerFactory> TRANSFORMER_FACTORY =
       ThreadLocal.withInitial(() -> {
-        TransformerFactory transformerFactory = TransformerFactory.newInstance();
+        final TransformerFactory transformerFactory = TransformerFactory.newInstance();
         transformerFactory.setErrorListener(new InternalErrorListener());
+        try {
+          transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (TransformerConfigurationException e) {
+          throw new IllegalStateException("Transformer Factory configuration failed", e);
+        }
         return transformerFactory;
       });
+  private static final ThreadLocal<@Nullable DocumentBuilderFactory> DOCUMENT_BUILDER_FACTORY =
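
Review bot: In the TRANSFORMER_FACTORY initializer, `XMLConstants.FEATURE_SECURE_PROCESSING` is the only restriction set, and how much that feature actually blocks depends on which JAXP implementation `TransformerFactory.newInstance()` resolves at runtime. Consider also calling `setAttribute` with `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` set to an empty string, so external fetches are denied explicitly. Some implementations reject those attributes with an IllegalArgumentException, so it is worth deciding whether that case should fail closed the way the `IllegalStateException` paths here do. The DOCUMENT_BUILDER_FACTORY declaration on the last line is cut off in this hunk, so its configuration cannot be checked from here; it should receive at least the same secure-processing feature, and a short comment on each factory stating which external access is intended to be blocked would help later readers.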

Review Comment:
   Would it be possible to apply similar secure features to the DocumentBuilderFactory used in https://github.com/apache/calcite/blob/b9c2099ea92a575084b55a206efc5dd341c0df62/testkit/src/main/java/org/apache/calcite/test/DiffRepository.java#L210 ?


