Posted to dev@calcite.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/09/07 19:58:00 UTC

[jira] [Created] (CALCITE-5274) prevent XXE possibilities in DiffRepository (calcite testkit)

PJ Fanning created CALCITE-5274:
-----------------------------------

             Summary: prevent XXE possibilities in DiffRepository (calcite testkit)
                 Key: CALCITE-5274
                 URL: https://issues.apache.org/jira/browse/CALCITE-5274
             Project: Calcite
          Issue Type: Improvement
          Components: extensions
            Reporter: PJ Fanning


[https://github.com/apache/calcite/pull/2892#discussion_r964468020]

DocumentBuilderFactory use in DiffRepository needs changes like those in [https://github.com/apache/calcite/pull/2892|https://github.com/apache/calcite/pull/2892#discussion_r964468020]

There is also an issue with `this.doc = docBuilder.parse(refFile.openStream());` - the `refFile.openStream()` gives an InputStream that should be closed - a try-with-resources pattern would make sense.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)