Posted to commits@camel.apache.org by fm...@apache.org on 2024/01/25 12:46:41 UTC

(camel-spring-boot) 28/40: Set features to DocumentBuilderFactory to protect from XXE; fix for SAST (#989)

This is an automated email from the ASF dual-hosted git repository.

fmariani pushed a commit to branch camel-spring-boot-4.0.0-branch
in repository https://gitbox.apache.org/repos/asf/camel-spring-boot.git

commit 1d525e1dd0ad2e6358071ad8ce9476fa6eb9ba5a
Author: Tom Cunningham <tc...@redhat.com>
AuthorDate: Thu Oct 26 03:42:11 2023 -0400

    Set features to DocumentBuilderFactory to protect from XXE; fix for SAST (#989)
---
 .../org/apache/camel/itest/springboot/util/DependencyResolver.java     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/camel-itest-spring-boot/src/test/java/org/apache/camel/itest/springboot/util/DependencyResolver.java b/tests/camel-itest-spring-boot/src/test/java/org/apache/camel/itest/springboot/util/DependencyResolver.java
index 2b0cbe6e80a..5b9566d22ec 100644
--- a/tests/camel-itest-spring-boot/src/test/java/org/apache/camel/itest/springboot/util/DependencyResolver.java
+++ b/tests/camel-itest-spring-boot/src/test/java/org/apache/camel/itest/springboot/util/DependencyResolver.java
@@ -151,6 +151,9 @@ public final class DependencyResolver {
     }
 
     private static String xpath(File pom, String expression) throws Exception {
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
+        factory.setFeature("http://xml.org/sax/features/external-general-entities",false);
+        factory.setFeature("http://xml.org/sax/features/external-parameter-entities",false);
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document doc = builder.parse(pom);
         XPath xpath = xPathfactory.newXPath();
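Review bot: The three setFeature calls added at the top of xpath run on every invocation against a `factory` that is not declared anywhere in the hunk, so it is presumably a shared field; hardening such a factory once where it is created would avoid the repeated work and would also cover any other newDocumentBuilder() call site that reuses it. With disallow-doctype-decl enabled the two external-entity features are redundant but harmless as defense in depth; what the set still lacks is `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`, `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);`, which close the expansion paths a DOM parser exposes independently of the DOCTYPE check. As a point of style, the missing space after the comma in `,true` and `,false` departs from the formatting of the surrounding lines. The body of xpath continues past the end of the hunk.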