You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@calcite.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/09/07 19:58:00 UTC
[jira] [Created] (CALCITE-5274) prevent XXE possibilities in DiffRepository (calcite testkit)
PJ Fanning created CALCITE-5274:
-----------------------------------
Summary: prevent XXE possibilities in DiffRepository (calcite testkit)
Key: CALCITE-5274
URL: https://issues.apache.org/jira/browse/CALCITE-5274
Project: Calcite
Issue Type: Improvement
Components: extensions
Reporter: PJ Fanning
[https://github.com/apache/calcite/pull/2892#discussion_r964468020]
DocumentBuilderFactory use in DiffRepository needs changes like those in [https://github.com/apache/calcite/pull/2892|https://github.com/apache/calcite/pull/2892#discussion_r964468020]
There is also an issue with `this.doc = docBuilder.parse(refFile.openStream());` - the `refFile.openStream()` gives an InputStream that should be closed - try with resources pattern would make sense.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)