[CALCITE-5274] Improve DocumentBuilderFactory in DiffRepository test class by using secure features - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.32.0
Component/s: extensions
Labels:
- pull-request-available

Description

https://github.com/apache/calcite/pull/2892#discussion_r964468020

DocumentBuilderFactory use in DiffRepository needs changes like those in https://github.com/apache/calcite/pull/2892

There is also an issue with `this.doc = docBuilder.parse(refFile.openStream());` - the `refFile.openStream()` gives an InputStream that should be closed - try with resources pattern would make sense.

Attachments

Issue Links

relates to

CALCITE-5263 XML External Entity (XEE) vulnerability that allows a SQL query to read the contents of files via the SQL functions EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM or EXTRACT_VALUE (CVE-2022-39135)

Closed

links to

GitHub Pull Request #2898

Activity

People

Assignee:: Ruben Q L

Reporter:: PJ Fanning

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Sep/22 19:57

Updated:: 10/Sep/22 08:40

Resolved:: 08/Sep/22 18:59

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m