Posted to commits@calcite.apache.org by ru...@apache.org on 2022/09/08 18:58:52 UTC
[calcite] branch main updated: [CALCITE-5274] Improve DocumentBuilderFactory in DiffRepository test class by using secure features
This is an automated email from the ASF dual-hosted git repository.
rubenql pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/calcite.git
The following commit(s) were added to refs/heads/main by this push:
new d20fd09a1d [CALCITE-5274] Improve DocumentBuilderFactory in DiffRepository test class by using secure features
d20fd09a1d is described below
commit d20fd09a1d478a87559027c5f024214f70abb622
Author: rubenada <ru...@gmail.com>
AuthorDate: Thu Sep 8 09:49:33 2022 +0100
[CALCITE-5274] Improve DocumentBuilderFactory in DiffRepository test class by using secure features
---
.../org/apache/calcite/test/DiffRepository.java | 32 ++++++++++++++++------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/testkit/src/main/java/org/apache/calcite/test/DiffRepository.java b/testkit/src/main/java/org/apache/calcite/test/DiffRepository.java
index 07bd6260cb..efb9e6718c 100644
--- a/testkit/src/main/java/org/apache/calcite/test/DiffRepository.java
+++ b/testkit/src/main/java/org/apache/calcite/test/DiffRepository.java
@@ -44,6 +44,7 @@ import org.xml.sax.SAXException;
import java.io.File;
import java.io.IOException;
+import java.io.InputStream;
import java.io.Writer;
import java.net.URL;
import java.util.AbstractList;
@@ -52,6 +53,7 @@ import java.util.List;
import java.util.Objects;
import java.util.SortedMap;
import java.util.TreeMap;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -174,6 +176,22 @@ public class DiffRepository {
private static final LoadingCache<Key, DiffRepository> REPOSITORY_CACHE =
CacheBuilder.newBuilder().build(CacheLoader.from(Key::toRepo));
+ private static final ThreadLocal<@Nullable DocumentBuilderFactory> DOCUMENT_BUILDER_FACTORY =
+ ThreadLocal.withInitial(() -> {
+ final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setXIncludeAware(false);
+ documentBuilderFactory.setExpandEntityReferences(false);
+ documentBuilderFactory.setNamespaceAware(true);
+ try {
+ documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ documentBuilderFactory
+ .setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ } catch (final ParserConfigurationException e) {
+ throw new IllegalStateException("Document Builder configuration failed", e);
+ }
+ return documentBuilderFactory;
+ });
+
//~ Instance fields --------------------------------------------------------
private final DiffRepository baseRepository;
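Review bot: The new `DOCUMENT_BUILDER_FACTORY` initializer carries no comment saying what its settings protect against, and one of them, `setNamespaceAware(true)`, is not a hardening switch but a parsing change relative to the old default factory. That change looks harmless for un-namespaced reference XML, but it should be confirmed against the existing reference files. I would add above the field `// Hardened against XXE: DOCTYPE declarations are rejected; XInclude and entity expansion are off.` and, next to the feature URI, `// Xerces feature; a parser that does not support it fails here with IllegalStateException.` Failing closed when a feature is unsupported is the right behaviour, but it is worth stating so a later parser swap is not "fixed" by swallowing the exception. A short note on why the factory is held in a ThreadLocal would also help.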
@@ -207,19 +225,17 @@ public class DiffRepository {
this.modCount = 0;
// Load the document.
- DocumentBuilderFactory fac = DocumentBuilderFactory.newInstance();
try {
- DocumentBuilder docBuilder = fac.newDocumentBuilder();
- try {
+ DocumentBuilder docBuilder =
+ Nullness.castNonNull(DOCUMENT_BUILDER_FACTORY.get()).newDocumentBuilder();
+ try (InputStream inputStream = refFile.openStream()) {
// Parse the reference file.
- this.doc = docBuilder.parse(refFile.openStream());
- // Don't write a log file yet -- as far as we know, it's still
- // identical.
+ this.doc = docBuilder.parse(inputStream);
+ // Don't write a log file yet -- as far as we know, it's still identical.
} catch (IOException e) {
// There's no reference file. Create and write a log file.
this.doc = docBuilder.newDocument();
- this.doc.appendChild(
- doc.createElement(ROOT_TAG));
+ this.doc.appendChild(doc.createElement(ROOT_TAG));
flushDoc();
}
this.root = doc.getDocumentElement();
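Review bot: The `catch (IOException e)` behind the new try-with-resources now also receives a failure from the implicit `inputStream.close()`, so an error on close after a successful parse would replace the parsed document with an empty one and call `flushDoc()`. The branch already treated a read error during `parse` the same as a missing file, so its comment is narrower than what it catches. At minimum I would reword it to `// No reference file, or it could not be read or closed. Create and write a log file.`, and consider taking this path only when `refFile.openStream()` itself fails. The constructor begins and ends outside the hunk, so the handling of the `SAXException` that a reference file containing a DOCTYPE will now raise is not visible here and should be checked.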