Set Load external DTD feature to be enabled #3605

Closed
liutikas opened this Issue Dec 2, 2016 · 3 comments


liutikas commented Dec 2, 2016

I realize this is a somewhat odd request, but here it goes. In our project (Android OS) we use ENTITY in our config to allow composing our config files from many different files, as some subprojects of Android OS have different style requirements. This normally works great with Checkstyle; however, our default Java installation has the load-external-dtd feature disabled (for security reasons). This is a request to add

    final SAXParserFactory factory = SAXParserFactory.newInstance();
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);

to com.puppycrawl.tools.checkstyle.api.AbstractLoader.

This would not affect anyone, except to allow us to keep using Checkstyle without any downstream modifications.

Both features, load-external-dtd and external-general-entities, are normally set to true by default. Our company has set its Java defaults to false as it can lead to cross scripting attacks if not handled correctly. The load-external-dtd feature allows loading an external DTD into an XML document, and the external-general-entities feature allows using these external DTDs in elements. Using these two we are able to compose configuration files from multiple XML files. Since both of these features are enabled by default in default Java setups, it should be a no-op for most Checkstyle users.
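The composition the issue describes, as an added example that is not Checkstyle's code and not the change that was later merged: a main config pulls a fragment file in through an external ENTITY with both features from the issue switched on explicitly, and an EntityResolver confines entity loading to one directory so the opened-up parser cannot be pointed at network URLs or files elsewhere on disk. The class name, the sample files and the resolver policy are constructed for this example; the feature URIs are the standard Xerces and SAX2 names.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (not Checkstyle code): ENTITY-composed config with a confined resolver. */
public class ComposedConfigDemo {

    // Feature URIs named in the issue (Xerces / SAX2 standard names).
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";

    /**
     * Parses mainFile and returns the qualified name of every element seen,
     * including elements spliced in through external entities. Entity system
     * IDs are honoured only when they are file: URIs inside allowedDir;
     * anything else aborts the parse with a SAXException before it is opened.
     */
    static List<String> parseComposed(Path mainFile, Path allowedDir)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // The two features the issue asks Checkstyle to force on. On a stock
        // JDK they are already true, so this is a no-op there.
        factory.setFeature(LOAD_EXTERNAL_DTD, true);
        factory.setFeature(EXTERNAL_GENERAL_ENTITIES, true);
        SAXParser parser = factory.newSAXParser();

        Path base = allowedDir.toAbsolutePath().normalize();
        List<String> elements = new ArrayList<>();

        DefaultHandler handler = new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName,
                                     String qName, Attributes attrs) {
                elements.add(qName);
            }

            // Invoked for every external DTD / entity before the parser opens it.
            @Override
            public InputSource resolveEntity(String publicId, String systemId)
                    throws IOException, SAXException {
                URI uri = URI.create(systemId);
                if (!"file".equals(uri.getScheme())) {
                    throw new SAXException("refusing non-file entity: " + systemId);
                }
                Path target = Paths.get(uri).toAbsolutePath().normalize();
                if (!target.startsWith(base)) {
                    throw new SAXException(
                        "refusing entity outside " + base + ": " + systemId);
                }
                return null; // permitted: let the parser load it normally
            }
        };

        parser.parse(mainFile.toFile(), handler);
        return elements;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a main config that includes a fragment file.
        Path dir = Files.createTempDirectory("composed-config");
        Files.write(dir.resolve("common-checks.xml"),
            "<module name=\"FileTabCharacter\"/>\n".getBytes(StandardCharsets.UTF_8));
        Files.write(dir.resolve("checkstyle.xml"), (
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE module [\n"
            + "  <!ENTITY common SYSTEM \"common-checks.xml\">\n"
            + "]>\n"
            + "<module name=\"Checker\">\n"
            + "  &common;\n"
            + "</module>\n").getBytes(StandardCharsets.UTF_8));
        System.out.println(parseComposed(dir.resolve("checkstyle.xml"), dir));

        // Same features on, but an entity that points outside the allowed
        // directory is rejected by the resolver before anything is opened.
        URI outside = dir.getParent().resolve("outside.xml").toUri();
        Files.write(dir.resolve("bad.xml"), (
            "<!DOCTYPE module [\n"
            + "  <!ENTITY other SYSTEM \"" + outside + "\">\n"
            + "]>\n"
            + "<module name=\"Checker\">&other;</module>\n").getBytes(StandardCharsets.UTF_8));
        try {
            parseComposed(dir.resolve("bad.xml"), dir);
        } catch (SAXException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The first parse reports the module element from the main file followed by the one from the fragment, which is the composition the issue relies on. The resolver is the part that matters when these features are turned on in a stricter environment: enabling them globally re-opens external resource loading for every document the parser sees, so a loader that needs them should decide per entity what it is willing to fetch rather than accept whatever system ID the document names.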



romani commented Dec 2, 2016

https://docs.oracle.com/javase/tutorial/jaxp/properties/scope.html

https://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd, default is "true"... but in the issue it is specified as disabled in the Java installation due to security reasons.

Should be fine to do such an update as we actually enforce the default value.

@romani romani added the approved label Dec 2, 2016


romani commented Dec 2, 2016

@liutikas , please provide PR with update.

liutikas pushed a commit to liutikas/checkstyle that referenced this issue Dec 6, 2016

Aurimas Liutikas
Issue #3605: enable certain SAXParserFactory features.
These features are enabled by default already by most systems
and hence will be no-op. This helps developers that have stricter
java set-ups.


romani added a commit that referenced this issue Dec 6, 2016

@romani romani added the miscellaneous label Dec 6, 2016

@romani romani added this to the 7.4 milestone Dec 6, 2016


romani commented Dec 6, 2016

fix is merged.
