HDDS-14857. Use XMLUtils.newSecure...Factory #9951
sarvekshayr
left a comment
Thanks @Russole for working on this.
I’m concerned about adding hadoop-common as a dependency to hadoop-hdds/config. By pulling in hadoop-common just to use XMLUtils in ConfigFileAppender.java, I see that it introduces vulnerable transitive dependencies.
Can we look into an alternative?
cc: @adoroszlai
adoroszlai
left a comment
Thanks @Russole for the patch.
| <dependencies> | ||
| <dependency> | ||
| <groupId>org.apache.hadoop</groupId> | ||
| <artifactId>hadoop-common</artifactId> |
I’m concerned about adding hadoop-common as a dependency to hadoop-hdds/config. By pulling in hadoop-common just to use XMLUtils in ConfigFileAppender.java
Can we look into an alternative?
Thanks @sarvekshayr for raising the concern. Since XMLUtils is annotated as @InterfaceAudience.Private, we may be better off by copying it to Ozone. We can do that as a follow-up, and add exclusions for transitive dependencies now.
| <artifactId>hadoop-common</artifactId> | |
| <artifactId>hadoop-common</artifactId> | |
| <exclusions> | |
| <exclusion> | |
| <groupId>*</groupId> | |
| <artifactId>*</artifactId> | |
| </exclusion> | |
| </exclusions> |
| try { | ||
| DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); | ||
| DocumentBuilderFactory factory = XMLUtils.newSecureDocumentBuilderFactory(); | ||
| factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
FEATURE_SECURE_PROCESSING can be removed.
| factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
| try { | ||
| TransformerFactory factory = TransformerFactory.newInstance(); | ||
| TransformerFactory factory = XMLUtils.newSecureTransformerFactory(); | ||
| factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
FEATURE_SECURE_PROCESSING can be removed.
| factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
| // Read and parse the schema file. | ||
| DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); | ||
| DocumentBuilderFactory dbf = XMLUtils.newSecureDocumentBuilderFactory(); | ||
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
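Review bot: with dbf now obtained from XMLUtils.newSecureDocumentBuilderFactory(), the following dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) duplicates what the secure factory already configures; drop it here, as at the other call sites, so a single helper owns the parser hardening.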
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
| context = JAXBContext.newInstance(cls); | ||
| saxParserFactory = SAXParserFactory.newInstance(); | ||
| saxParserFactory = XMLUtils.newSecureSAXParserFactory(); | ||
| saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
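Review bot: saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) on the last line is redundant once the factory comes from XMLUtils.newSecureSAXParserFactory(); removing it also keeps the SAX path consistent with the DocumentBuilderFactory and TransformerFactory changes in this patch.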
| saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
Thanks @sarvekshayr and @adoroszlai for the review. I’ve updated the patch based on the comments.

Thanks @Russole for updating the patch. Sorry, I failed to mention that
Thanks @Russole for the patch and @adoroszlai for the review. |
What changes were proposed in this pull request?
XMLUtils.
TestNodeSchemaLoader to reflect changes in XML parsing behavior
What is the link to the Apache JIRA
https://issues.apache.org/jira/browse/HDDS-14857
How was this patch tested?
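As an added example (not code from this PR or from Hadoop's XMLUtils), this standalone Java class shows the kind of hardening the newSecure*Factory helpers stand for and the parsing-behaviour change a loader test has to account for: a DocumentBuilderFactory with secure processing enabled and DTDs disallowed rejects a document that declares a DOCTYPE, which the default factory accepts. The class name, the factory settings and the sample documents are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SecureFactoryDemo {
  // Constructed sample input (not from the PR): a layout document carrying an
  // internal DTD. Harmless by itself, but a DOCTYPE is what the hardened factory refuses.
  private static final String WITH_DOCTYPE =
      "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE layout [ <!ENTITY unit \"rack\"> ]>\n"
      + "<layout><level>&unit;</level></layout>";
  private static final String PLAIN =
      "<?xml version=\"1.0\"?><layout><level>rack</level></layout>";

  /** Assumed stand-in for the hardening XMLUtils.newSecureDocumentBuilderFactory() applies. */
  static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Refusing any DTD closes external-entity and entity-expansion issues in one step.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    return f;
  }

  /** Returns the root element name, or null when the parser rejected the document. */
  static String parseRoot(DocumentBuilderFactory f, String xml) throws Exception {
    DocumentBuilder b = f.newDocumentBuilder();
    try {
      Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      return d.getDocumentElement().getTagName();
    } catch (SAXException rejected) {
      // This is the parsing-behaviour change a loader test has to expect after the switch.
      return null;
    }
  }

  public static void main(String[] args) throws Exception {
    DocumentBuilderFactory lax = DocumentBuilderFactory.newInstance();
    DocumentBuilderFactory hardened = newHardenedFactory();
    System.out.println("default factory, DOCTYPE present : " + parseRoot(lax, WITH_DOCTYPE));
    System.out.println("hardened factory, DOCTYPE present: " + parseRoot(hardened, WITH_DOCTYPE));
    System.out.println("hardened factory, plain document : " + parseRoot(hardened, PLAIN));
  }
}
```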