Posted to commits@camel.apache.org by co...@apache.org on 2018/11/27 13:47:08 UTC
[camel] branch master updated: Set the secure processing feature on
various DocumentBuilderFactory, TransformerFactory,
SAXParserFactory instances
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/master by this push:
new bbe400f Set the secure processing feature on various DocumentBuilderFactory, TransformerFactory, SAXParserFactory instances
bbe400f is described below
commit bbe400f96d647d3d8991379e2bd785d642ee52c2
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Nov 27 13:46:24 2018 +0000
Set the secure processing feature on various DocumentBuilderFactory, TransformerFactory, SAXParserFactory instances
---
.../java/org/apache/camel/converter/jaxp/XmlConverter.java | 8 ++++++++
.../apache/camel/management/mbean/RouteCoverageXmlParser.java | 5 ++++-
.../main/java/org/apache/camel/util/XmlLineNumberParser.java | 3 +++
.../org/apache/camel/component/cm/CMSenderOneMessageImpl.java | 6 +++++-
.../apache/camel/component/flatpack/FlatpackConverter.java | 5 ++++-
.../main/java/org/apache/camel/component/fop/FopProducer.java | 7 +++++--
.../schematron/processor/SchematronProcessorFactory.java | 2 ++
.../camel/component/spring/ws/bean/CamelEndpointMapping.java | 2 ++
.../ws/filter/impl/HeaderTransformationMessageFilter.java | 10 +++++++++-
.../apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java | 5 ++++-
.../java/org/apache/camel/component/tika/TikaProducer.java | 2 ++
.../org/apache/camel/catalog/nexus/BaseNexusRepository.java | 3 +++
.../java/org/apache/camel/catalog/DefaultCamelCatalog.java | 7 ++++++-
.../org/apache/camel/parser/helper/XmlLineNumberParser.java | 4 ++++
.../apache/camel/maven/bom/generator/BomGeneratorMojo.java | 11 ++++++++---
.../src/main/java/org/apache/camel/maven/XmlHelper.java | 7 ++++++-
.../apache/camel/maven/packaging/PrepareCatalogKarafMojo.java | 3 +++
.../apache/camel/maven/packaging/SpringBootStarterMojo.java | 10 ++++++++--
18 files changed, 86 insertions(+), 14 deletions(-)
diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index 4f3125f..d366b55 100644
--- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -33,6 +33,7 @@ import java.util.List;
import java.util.Map;
import java.util.Properties;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -1139,6 +1140,13 @@ public class XmlConverter {
factory.setIgnoringElementContentWhitespace(true);
factory.setIgnoringComments(true);
try {
+ // Set secure processing
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ } catch (ParserConfigurationException e) {
+ LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}.",
+ new Object[]{XMLConstants.FEATURE_SECURE_PROCESSING, true, e});
+ }
+ try {
// Disable the external-general-entities by default
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
} catch (ParserConfigurationException e) {
diff --git a/camel-core/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java b/camel-core/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
index 62bc649..b9795b0 100644
--- a/camel-core/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
+++ b/camel-core/src/main/java/org/apache/camel/management/mbean/RouteCoverageXmlParser.java
@@ -19,6 +19,7 @@ package org.apache.camel.management.mbean;
import java.io.InputStream;
import java.util.Stack;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParser;
@@ -62,8 +63,10 @@ public final class RouteCoverageXmlParser {
*/
public static Document parseXml(final CamelContext camelContext, final InputStream is) throws Exception {
final SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
final SAXParser parser = factory.newSAXParser();
final DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
final DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
final Document doc = docBuilder.newDocument();
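Review bot: Secure processing on its own is a thin guard for the `SAXParserFactory` in `parseXml`. The JAXP contract for `XMLConstants.FEATURE_SECURE_PROCESSING` only promises implementation limits such as entity-expansion caps, and whether external entities or DTDs are still resolved depends on the parser implementation on the classpath. If the stream can originate outside the application, I would also add `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);`, as XmlConverter already does for its DocumentBuilderFactory. The same applies to the SAXParserFactory lines added in both XmlLineNumberParser files and in SchematronProcessorFactory.getXMLReader. In the visible lines `docBuilderFactory` is only used for `newDocument()`, so the second added call does not affect parsing; the body of parseXml continues outside the hunk.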
@@ -170,4 +173,4 @@ public final class RouteCoverageXmlParser {
return doc;
}
-}
\ No newline at end of file
+}
diff --git a/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java b/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
index d80cb45..7c01d8a 100644
--- a/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
+++ b/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
@@ -21,6 +21,7 @@ import java.io.InputStream;
import java.io.StringReader;
import java.util.Stack;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParser;
@@ -107,11 +108,13 @@ public final class XmlLineNumberParser {
final Document doc;
SAXParser parser;
final SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
parser = factory.newSAXParser();
final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// turn off validator and loading external dtd
dbf.setValidating(false);
dbf.setNamespaceAware(true);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
dbf.setFeature("http://xml.org/sax/features/namespaces", false);
dbf.setFeature("http://xml.org/sax/features/validation", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
diff --git a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
index 07e0e14..64bb92d 100644
--- a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
+++ b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
@@ -23,6 +23,7 @@ import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.UUID;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -90,6 +91,7 @@ public class CMSenderOneMessageImpl implements CMSender {
final ByteArrayOutputStream xml = new ByteArrayOutputStream();
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
factory.setNamespaceAware(true);
// Get the DocumentBuilder
@@ -158,7 +160,9 @@ public class CMSenderOneMessageImpl implements CMSender {
}
// Creatate XML as String
- final Transformer aTransformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ final Transformer aTransformer = transformerFactory.newTransformer();
aTransformer.setOutputProperty(OutputKeys.INDENT, "yes");
final Source src = new DOMSource(doc);
final Result dest = new StreamResult(xml);
diff --git a/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java b/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
index e101acd..335861b 100644
--- a/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
+++ b/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
@@ -21,6 +21,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -63,7 +64,9 @@ public final class FlatpackConverter {
@Converter
public static Document toDocument(DataSet dataSet) throws ParserConfigurationException {
- Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ Document doc = dbf.newDocumentBuilder().newDocument();
if (dataSet.getIndex() == -1) {
Element list = doc.createElement("Dataset");
diff --git a/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java b/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java
index dd77570..5aa8264 100644
--- a/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java
+++ b/components/camel-fop/src/main/java/org/apache/camel/component/fop/FopProducer.java
@@ -19,6 +19,8 @@ package org.apache.camel.component.fop;
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.util.Map;
+
+import javax.xml.XMLConstants;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
@@ -85,8 +87,9 @@ public class FopProducer extends DefaultProducer {
throws FOPException, TransformerException {
OutputStream out = new ByteArrayOutputStream();
Fop fop = fopFactory.newFop(outputFormat, userAgent, out);
- TransformerFactory factory = TransformerFactory.newInstance();
- Transformer transformer = factory.newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ Transformer transformer = transformerFactory.newTransformer();
Result res = new SAXResult(fop.getDefaultHandler());
transformer.transform(src, res);
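Review bot: If `src` is a stream or SAX source, the transformer parses it itself, so this factory's settings decide whether external DTDs or stylesheets referenced by the FO input are fetched, and secure processing leaves that to the implementation. Where the input is not fully trusted, consider adding `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`. Factories that do not know these attributes reject them with IllegalArgumentException, so the calls need a guard that logs rather than fails. The same hardening would fit the other `TransformerFactory.newInstance()` sites touched in this commit. The method signature starts above the hunk.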
diff --git a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
index c093b23..13f146e 100644
--- a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
+++ b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
@@ -16,6 +16,7 @@
*/
package org.apache.camel.component.schematron.processor;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -68,6 +69,7 @@ public final class SchematronProcessorFactory {
*/
private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
final SAXParserFactory fac = SAXParserFactory.newInstance();
+ fac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
fac.setValidating(false);
final SAXParser parser = fac.newSAXParser();
XMLReader reader = parser.getXMLReader();
diff --git a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
index 7b27a18..78b6e25 100644
--- a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
+++ b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/bean/CamelEndpointMapping.java
@@ -21,6 +21,7 @@ import java.net.URISyntaxException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
+import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamException;
@@ -248,6 +249,7 @@ public class CamelEndpointMapping extends AbstractEndpointMapping implements Ini
xmlConverter.setTransformerFactory(transformerFactory);
} else {
transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
}
}
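Review bot: Only the factory created in the `else` branch is hardened; the branch above it, which hands an existing `transformerFactory` to `xmlConverter.setTransformerFactory(...)`, gets no secure-processing call in the visible lines. If that is deliberate, so that a configured factory is used as supplied, a comment such as `// a factory supplied by configuration is used as-is; only the default one is hardened` would make it clear. Otherwise the `setFeature` call belongs after the if/else so both paths are covered. `setFeature` also throws TransformerConfigurationException, and the enclosing method starts outside the hunk, so I cannot see whether that is declared or caught.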
diff --git a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
index 60b7b2a..57ae41c 100644
--- a/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
+++ b/components/camel-spring-ws/src/main/java/org/apache/camel/component/spring/ws/filter/impl/HeaderTransformationMessageFilter.java
@@ -18,9 +18,11 @@ package org.apache.camel.component.spring.ws.filter.impl;
import java.util.Map;
+import javax.xml.XMLConstants;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
@@ -130,6 +132,12 @@ public class HeaderTransformationMessageFilter implements MessageFilter {
throw new IllegalStateException("Cannot resolve a transformer factory");
}
+ try {
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ } catch (TransformerConfigurationException ex) {
+ // ignore
+ }
+
transformerFactory.setErrorListener(new ErrorListener() {
@Override
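Review bot: The empty catch around `setFeature` hides the case where the resolved factory refuses secure processing, so the filter would then run its transformation unhardened with nothing in the logs. XmlConverter in this same commit logs a warning in the equivalent spot. I would do the same here, e.g. `LOG.warn("TransformerFactory doesn't support the feature {}", XMLConstants.FEATURE_SECURE_PROCESSING, ex);`, assuming the class has a logger (not visible in the hunk). The class exposes a `saxon` setting in the later hunk, so a non-JDK factory that rejects the feature looks like a realistic path. The enclosing method starts and ends outside the hunk.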
@@ -191,4 +199,4 @@ public class HeaderTransformationMessageFilter implements MessageFilter {
this.saxon = saxon;
}
-}
\ No newline at end of file
+}
diff --git a/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java b/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java
index cfad01c..3ed7c10 100644
--- a/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java
+++ b/components/camel-tagsoup/src/main/java/org/apache/camel/dataformat/tagsoup/TidyMarkupDataFormat.java
@@ -23,6 +23,7 @@ import java.io.Writer;
import java.util.Map;
import java.util.Map.Entry;
+import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
@@ -177,7 +178,9 @@ public class TidyMarkupDataFormat extends ServiceSupport implements DataFormat,
parser.setContentHandler(createContentHandler(w));
try {
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ Transformer transformer = transformerFactory.newTransformer();
DOMResult result = new DOMResult();
transformer.transform(new SAXSource(parser, new InputSource(inputStream)), result);
return result.getNode();
diff --git a/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java b/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java
index a504d18..ced69a6 100644
--- a/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java
+++ b/components/camel-tika/src/main/java/org/apache/camel/component/tika/TikaProducer.java
@@ -23,6 +23,7 @@ import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
+import javax.xml.XMLConstants;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
@@ -150,6 +151,7 @@ public class TikaProducer extends DefaultProducer {
private TransformerHandler getTransformerHandler(OutputStream output, String method,
boolean prettyPrint) throws TransformerConfigurationException, UnsupportedEncodingException {
SAXTransformerFactory factory = (SAXTransformerFactory) TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
TransformerHandler handler = factory.newTransformerHandler();
handler.getTransformer().setOutputProperty(OutputKeys.METHOD, method);
handler.getTransformer().setOutputProperty(OutputKeys.INDENT, prettyPrint ? "yes" : "no");
diff --git a/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java b/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java
index d46b304..38bdd6f 100644
--- a/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java
+++ b/platforms/camel-catalog-nexus/src/main/java/org/apache/camel/catalog/nexus/BaseNexusRepository.java
@@ -27,6 +27,8 @@ import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
+
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
@@ -194,6 +196,7 @@ public abstract class BaseNexusRepository {
factory.setNamespaceAware(true);
factory.setIgnoringElementContentWhitespace(true);
factory.setIgnoringComments(true);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
DocumentBuilder documentBuilder = factory.newDocumentBuilder();
diff --git a/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java b/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
index 4fde346..1c6057f 100644
--- a/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
+++ b/platforms/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
@@ -29,6 +29,8 @@ import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.regex.PatternSyntaxException;
+
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
@@ -1379,7 +1381,10 @@ public class DefaultCamelCatalog extends AbstractCamelCatalog implements CamelCa
int archetypes = 0;
try {
String xml = archetypeCatalogAsXml();
- Document dom = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes()));
+
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ Document dom = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes()));
Object val = XPathFactory.newInstance().newXPath().evaluate("count(/archetype-catalog/archetypes/archetype)", dom, XPathConstants.NUMBER);
double num = (double) val;
archetypes = (int) num;
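Review bot: `xml.getBytes()` on the new parse line encodes with the platform default charset, so on a JVM whose default is not UTF-8 the bytes can disagree with the encoding the catalog XML declares. `new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))` would pin it (this needs the `java.nio.charset.StandardCharsets` import if the file lacks it), or the string can be parsed through `new InputSource(new StringReader(xml))` to avoid the byte round trip. I am assuming the catalog is UTF-8, which is not visible here. The try block continues outside the hunk.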
diff --git a/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java b/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
index a96fb86..129740b 100644
--- a/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
+++ b/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
@@ -25,6 +25,8 @@ import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Stack;
+
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParser;
@@ -86,11 +88,13 @@ public final class XmlLineNumberParser {
final Document doc;
SAXParser parser;
final SAXParserFactory factory = SAXParserFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
parser = factory.newSAXParser();
final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// turn off validator and loading external dtd
dbf.setValidating(false);
dbf.setNamespaceAware(true);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
dbf.setFeature("http://xml.org/sax/features/namespaces", false);
dbf.setFeature("http://xml.org/sax/features/validation", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
diff --git a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
index 2a54e0d..8599c5b 100644
--- a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
+++ b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
@@ -28,6 +28,8 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
+
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -204,7 +206,9 @@ public class BomGeneratorMojo extends AbstractMojo {
}
private Document loadBasePom() throws Exception {
- DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ DocumentBuilder builder = dbf.newDocumentBuilder();
Document pom = builder.parse(sourcePom);
XPath xpath = XPathFactory.newInstance().newXPath();
@@ -235,7 +239,9 @@ public class BomGeneratorMojo extends AbstractMojo {
emptyNode.getParentNode().removeChild(emptyNode);
}
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty(OutputKeys.METHOD, "xml");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
@@ -284,7 +290,6 @@ public class BomGeneratorMojo extends AbstractMojo {
private void overwriteDependencyManagement(Document pom, List<Dependency> dependencies) throws Exception {
-
XPath xpath = XPathFactory.newInstance().newXPath();
XPathExpression expr = xpath.compile("/project/dependencyManagement/dependencies");
diff --git a/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java b/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
index af6b528..863779a 100644
--- a/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
+++ b/tooling/maven/camel-eip-documentation-enricher-maven-plugin/src/main/java/org/apache/camel/maven/XmlHelper.java
@@ -18,6 +18,8 @@ package org.apache.camel.maven;
import java.io.File;
import java.io.IOException;
+
+import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -38,11 +40,14 @@ public final class XmlHelper {
public static Document buildNamespaceAwareDocument(File xml) throws SAXException, ParserConfigurationException, IOException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
return factory.newDocumentBuilder().parse(xml);
}
public static Transformer buildTransformer() throws TransformerConfigurationException {
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
return transformer;
diff --git a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
index 3529522..f2abc7b 100644
--- a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
+++ b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
@@ -29,6 +29,8 @@ import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
+
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
@@ -640,6 +642,7 @@ public class PrepareCatalogKarafMojo extends AbstractMojo {
dbf.setNamespaceAware(false);
dbf.setValidating(false);
dbf.setXIncludeAware(false);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
Document dom = dbf.newDocumentBuilder().parse(is);
NodeList children = dom.getElementsByTagName("features");
diff --git a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
index 2bace64..5f74954 100644
--- a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
+++ b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
@@ -34,6 +34,8 @@ import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;
+
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -269,7 +271,9 @@ public class SpringBootStarterMojo extends AbstractMojo {
private void fixAdditionalRepositories(Document pom) throws Exception {
if (project.getFile() != null) {
- DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ DocumentBuilder builder = dbf.newDocumentBuilder();
Document originalPom = builder.parse(project.getFile());
XPath xpath = XPathFactory.newInstance().newXPath();
@@ -612,7 +616,9 @@ public class SpringBootStarterMojo extends AbstractMojo {
pom.setXmlStandalone(true);
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty(OutputKeys.METHOD, "xml");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");