You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ratis.apache.org by GitBox <gi...@apache.org> on 2020/06/15 07:34:05 UTC
[GitHub] [incubator-ratis] adoroszlai opened a new pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
adoroszlai opened a new pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
## What changes were proposed in this pull request?
Prevent external XML entities attacks:
1. Turn on "secure processing" for XML
2. Disable external DTD/schema explicitly
[SonarCloud](https://sonarcloud.io/organizations/apache/rules?open=java%3AS2755&rule_key=java%3AS2755) and SonarLint display slightly different instructions for fixing XXE. This change applies both.
https://issues.apache.org/jira/browse/RATIS-953
## How was this patch tested?
Existing unit tests (in-progress).
https://github.com/adoroszlai/incubator-ratis/runs/771645855
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] adoroszlai commented on pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
adoroszlai commented on pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126#issuecomment-737730103
Thanks @runzhiwang for triggering CI and merging it.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang merged pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang merged pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang commented on pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang commented on pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126#issuecomment-721459955
Reopen pr to trigger ci.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang commented on pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang commented on pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126#issuecomment-737594916
@adoroszlai Thanks the patch. @dineshchitlangia @bshashikant Thanks for review. I have merged the patch.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang closed pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang closed pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang closed pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang closed pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang closed pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang closed pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang closed pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang closed pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang closed pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang closed pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang closed pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang closed pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang closed pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang closed pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [incubator-ratis] runzhiwang commented on pull request #126: RATIS-953. XML Parsers should not be vulnerable to XXE attacks
Posted by GitBox <gi...@apache.org>.
runzhiwang commented on pull request #126:
URL: https://github.com/apache/incubator-ratis/pull/126#issuecomment-721477060
@adoroszlai Hi, why this PR run jenkins, but the other PR do not run jenkins ?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org