Skip to content

CAMEL-24110: camel-xslt-saxon - fix saxonReaderProperties null-guard, DOMSource URIResolver, unhardened SAXParser#24779

Merged
davsclaus merged 1 commit into
mainfrom
fix/CAMEL-24110
Jul 16, 2026
Merged

CAMEL-24110: camel-xslt-saxon - fix saxonReaderProperties null-guard, DOMSource URIResolver, unhardened SAXParser#24779
davsclaus merged 1 commit into
mainfrom
fix/CAMEL-24110

Conversation

@davsclaus

Copy link
Copy Markdown
Contributor

Summary

Claude Code on behalf of davsclaus

Fixes four interrelated bugs in XsltSaxonEndpoint originating from CAMEL-14501 (2020):

  • Dead null-guard: saxonReaderProperties is initialized to an empty HashMap, so if (saxonReaderProperties != null) is always true — every stylesheet is unconditionally re-wrapped through createReaderForSource(). Fixed by guarding with !saxonReaderProperties.isEmpty().

  • DOMSource broken: A custom URIResolver returning a DOMSource gets SAXSource.sourceToInputSource()null, producing a SAXSource with null InputSource. Fixed by checking if sourceToInputSource() returns null and passing the original source through unchanged.

  • Unhardened SAXParserFactory: createReaderForSource() creates a bare SAXParserFactory.newInstance() with zero security features. Fixed by enabling FEATURE_SECURE_PROCESSING, disallow-doctype-decl, and disabling external entities — matching the hardening used elsewhere in Camel.

  • Unreachable null-source error: In loadResource(), the wrap happened before the source == null check, so the intended IOException("Cannot load schema resource ...") could never fire. Fixed by checking null first, matching the parent XsltEndpoint.loadResource().

Additionally: Boolean.valueOf()Boolean.parseBoolean() (avoids unnecessary boxing), and error fallback returns the original source instead of null.

Test plan

  • New XsltSaxonUriResolverDomSourceTest — custom URIResolver returning DOMSource with xslt-saxon route (was broken, now passes)
  • All 38 existing camel-xslt-saxon tests pass

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

…always true, DOMSource from URIResolver broken, unhardened SAXParser

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Claus Ibsen <claus.ibsen@gmail.com>
@github-actions

Copy link
Copy Markdown
Contributor

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@gnodet gnodet left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — four well-identified bugs fixed with proper security hardening.

Verification of each fix:

  1. Dead null-guard ✅ — Confirmed saxonReaderProperties is initialized as new HashMap<>() (line 76), so the != null check was always true. The !isEmpty() fix correctly skips the unnecessary createReaderForSource() wrapping when no reader properties are configured.

  2. DOMSource broken ✅ — SAXSource.sourceToInputSource() returns null for DOMSource (by spec — DOMSource has no InputSource representation). Moving the null check to the top of createReaderForSource() and returning the original source unchanged is the correct fix. The new XsltSaxonUriResolverDomSourceTest directly exercises this path.

  3. Unhardened SAXParser ✅ — The SAXParserFactory.newInstance() without security features was exposed to XXE. The added features (FEATURE_SECURE_PROCESSING, disallow-doctype-decl, disable external entities) match the standard Camel XML hardening pattern. The Apache Xerces-specific disallow-doctype-decl feature is safely wrapped in the try-catch — if a non-Xerces parser is used, it falls through to the catch and returns the original source.

  4. Unreachable null-source error ✅ — Confirmed the parent XsltEndpoint.loadResource() checks source == null first (before any wrapping). The Saxon override had the wrapping before the null check, making the IOException unreachable. Fixed by matching the parent's order.

Additional fixes ✅ — Boolean.valueOf()Boolean.parseBoolean() avoids unnecessary boxing. Error fallback return source instead of return null prevents NPE downstream.

Static analysis: ast-grep found 3 pre-existing mutable-collection-return warnings on getter methods — these are unrelated to this PR (standard Camel endpoint configuration pattern).

Note: This PR and #24778 both modify XsltSaxonEndpoint.java from the same base. The changes are in different regions (doInit/doStart removal vs. loadResource/createReaderForSource), so they should merge cleanly.

CI: Builds still in progress.

Reviewed with Claude Code on behalf of @gnodet. This review was generated by an AI agent and may contain inaccuracies; please verify all suggestions before applying.

@github-actions

Copy link
Copy Markdown
Contributor

🧪 CI tested the following changed modules:

  • components/camel-xslt-saxon

🔬 Scalpel shadow comparison — Scalpel: 11 tested, 29 compile-only — current: 11 all tested

Maveniverse Scalpel detected 40 affected modules (current approach: 11).

⚠️ Modules only in Scalpel (29)
  • apache-camel
  • camel-allcomponents
  • camel-catalog
  • camel-catalog-console
  • camel-catalog-lucene
  • camel-catalog-maven
  • camel-catalog-suggest
  • camel-componentdsl
  • camel-csimple-maven-plugin
  • camel-endpointdsl
  • camel-endpointdsl-support
  • camel-itest
  • camel-jbang-core
  • camel-jbang-it
  • camel-jbang-main
  • camel-jbang-plugin-edit
  • camel-jbang-plugin-generate
  • camel-jbang-plugin-kubernetes
  • camel-jbang-plugin-test
  • camel-kamelet-main
  • camel-launcher
  • camel-report-maven-plugin
  • camel-route-parser
  • camel-yaml-dsl
  • camel-yaml-dsl-deserializers
  • camel-yaml-dsl-maven-plugin
  • coverage
  • docs
  • dummy-component

Skip-tests mode would test 11 modules (1 direct + 10 downstream), skip tests for 29 (generated code, meta-modules)

Modules Scalpel would test (11)
  • camel-jbang-mcp
  • camel-jbang-plugin-mcp
  • camel-jbang-plugin-route-parser
  • camel-jbang-plugin-tui
  • camel-jbang-plugin-validate
  • camel-launcher-container
  • camel-spring-ws
  • camel-xj
  • camel-xslt-saxon
  • camel-yaml-dsl-validator
  • camel-yaml-dsl-validator-maven-plugin
Modules with tests skipped (29)
  • apache-camel
  • camel-allcomponents
  • camel-catalog
  • camel-catalog-console
  • camel-catalog-lucene
  • camel-catalog-maven
  • camel-catalog-suggest
  • camel-componentdsl
  • camel-csimple-maven-plugin
  • camel-endpointdsl
  • camel-endpointdsl-support
  • camel-itest
  • camel-jbang-core
  • camel-jbang-it
  • camel-jbang-main
  • camel-jbang-plugin-edit
  • camel-jbang-plugin-generate
  • camel-jbang-plugin-kubernetes
  • camel-jbang-plugin-test
  • camel-kamelet-main
  • camel-launcher
  • camel-report-maven-plugin
  • camel-route-parser
  • camel-yaml-dsl
  • camel-yaml-dsl-deserializers
  • camel-yaml-dsl-maven-plugin
  • coverage
  • docs
  • dummy-component

ℹ️ Shadow mode — Scalpel observes but does not affect test execution. Learn more

All tested modules (40 modules)
  • Camel :: All Components Sync point
  • Camel :: Assembly
  • Camel :: Catalog :: CSimple Maven Plugin (deprecated)
  • Camel :: Catalog :: Camel Catalog
  • Camel :: Catalog :: Camel Report Maven Plugin
  • Camel :: Catalog :: Camel Route Parser
  • Camel :: Catalog :: Console
  • Camel :: Catalog :: Dummy Component
  • Camel :: Catalog :: Lucene (deprecated)
  • Camel :: Catalog :: Maven
  • Camel :: Catalog :: Suggest
  • Camel :: Component DSL
  • Camel :: Coverage
  • Camel :: Docs
  • Camel :: Endpoint DSL
  • Camel :: Endpoint DSL :: Support
  • Camel :: Integration Tests
  • Camel :: JBang :: Core
  • Camel :: JBang :: Integration tests
  • Camel :: JBang :: MCP
  • Camel :: JBang :: Main
  • Camel :: JBang :: Plugin :: Edit
  • Camel :: JBang :: Plugin :: Generate
  • Camel :: JBang :: Plugin :: Kubernetes
  • Camel :: JBang :: Plugin :: MCP
  • Camel :: JBang :: Plugin :: Route Parser
  • Camel :: JBang :: Plugin :: TUI
  • Camel :: JBang :: Plugin :: Testing
  • Camel :: JBang :: Plugin :: Validate
  • Camel :: Kamelet Main
  • Camel :: Launcher
  • Camel :: Launcher :: Container
  • Camel :: Spring Web Services
  • Camel :: XJ
  • Camel :: XSLT Saxon
  • Camel :: YAML DSL
  • Camel :: YAML DSL :: Deserializers
  • Camel :: YAML DSL :: Maven Plugins
  • Camel :: YAML DSL :: Validator
  • Camel :: YAML DSL :: Validator Maven Plugin

⚙️ View full build and test results

@oscerd oscerd left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — real XXE hardening on the stylesheet-parse path. createReaderForSource now sets FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true, and external general/parameter entities =false on the SAXParserFactory before newSAXParser(), so the hardening lands on the actual parser that produces the returned SAXSource (not a throwaway). disallow-doctype-decl also makes load-external-dtd/XInclude moot. The DOMSource fix is sound too — a DOMSource from a custom URIResolver is already parsed, so returning it unwrapped introduces no re-parse/SSRF (and it fixes the previously-broken SAXSource(reader, null)).

Two non-blocking notes:

  • Changing the guard from saxonReaderProperties != null to !saxonReaderProperties.isEmpty() means setSaxonReaderProperties(null) would NPE — low risk since the field defaults to an empty map, but a != null belt is cheap.
  • The newly-hardened path has only a happy-path DOMSource test; a negative test feeding a malicious DOCTYPE/external-entity stylesheet and asserting it's now rejected would lock the hardening in against regressions.

Reviewed with Claude Code on behalf of Andrea Cosentino. This review was generated by an AI agent and may contain inaccuracies; please verify all suggestions before applying.

@davsclaus davsclaus added this to the 4.22.0 milestone Jul 16, 2026
@davsclaus davsclaus self-assigned this Jul 16, 2026
@davsclaus davsclaus added the bug Something isn't working label Jul 16, 2026
@davsclaus
davsclaus merged commit 0557edc into main Jul 16, 2026
5 checks passed
@davsclaus
davsclaus deleted the fix/CAMEL-24110 branch July 16, 2026 13:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working components

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants