
Add helper method to XmlUtil to enable XXE protection in the SAXParserFactory and XMLInputFactory (4.2) #20942

Merged
merged 2 commits into from Mar 15, 2022

Conversation

joschi

@joschi joschi commented Mar 11, 2022

Backport (git cherry-pick [...]) of the changes in #20407 into the Hazelcast 4.2.z version branch.

Fixes #20928 (for 4.2.z branch)

Backport of: #20407

Checklist:

  • Labels (Team:, Type:, Source:, Module:) and Milestone set
  • Label Add to Release Notes or Not Release Notes content set
  • Request reviewers if possible
  • Send backports/forwardports if fix needs to be applied to past/future releases
  • New public APIs have @Nonnull/@Nullable annotations
  • New public APIs have @since tags in Javadoc
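As an added illustration of what the helper method named in this PR's title is meant to achieve (example code, not Hazelcast's XmlUtil or any code from the linked PRs): hardening a SAXParserFactory and an XMLInputFactory against XXE. The class name XxeHardening and its method names are hypothetical; the feature URIs and XMLInputFactory property constants are the standard JAXP, SAX and Xerces ones, and the fallback path covers parsers that do not recognise the Xerces-specific disallow-doctype-decl feature.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/** Hypothetical helper in the spirit of the XmlUtil change described by this PR; not Hazelcast's code. */
public final class XxeHardening {

    // SAX feature names. The Apache ones are Xerces-specific and may not be recognised by other parsers.
    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Refuse DOCTYPE declarations outright; if the parser cannot do that, disable external entity resolution. */
    public static SAXParserFactory hardenSaxParserFactory(SAXParserFactory factory) throws ParserConfigurationException {
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // mandatory for every JAXP implementation
            factory.setFeature(DISALLOW_DOCTYPE, true);                        // no DTD at all, so no entity declarations
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Non-Xerces parser: keep DTDs but make sure nothing external is ever fetched or expanded.
            setFeatureIfSupported(factory, EXTERNAL_GENERAL, false);
            setFeatureIfSupported(factory, EXTERNAL_PARAMETER, false);
            setFeatureIfSupported(factory, LOAD_EXTERNAL_DTD, false);
        }
        factory.setXIncludeAware(false); // XInclude is another route to pulling in remote documents
        return factory;
    }

    private static void setFeatureIfSupported(SAXParserFactory factory, String feature, boolean value)
            throws ParserConfigurationException {
        try {
            factory.setFeature(feature, value);
        } catch (SAXNotRecognizedException | SAXNotSupportedException ignored) {
            // This parser implementation does not offer the feature, so there is nothing to switch off.
        }
    }

    /** StAX side: the two properties that together stop DTD processing and external entity resolution. */
    public static XMLInputFactory hardenXmlInputFactory(XMLInputFactory factory) {
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }
}
```

Call both helpers on a freshly created factory before any parser or reader is obtained from it; the settings do not apply retroactively to parsers already created.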

@hz-devops-test hz-devops-test added the Source: Community PR or issue was opened by a community user label Mar 11, 2022
@devOpsHazelcast
Collaborator

Can one of the admins verify this patch?

@kwart
Member

kwart commented Mar 14, 2022

run-lab-run

@hz-devops-test

The job Hazelcast-pr-builder of your PR failed. (Hazelcast internal details: build log, artifacts).
Through arcane magic we have determined that the following fragments from the build log may contain information about the problem.

--------------------------
---------SUMMARY----------
--------------------------
[ERROR] COMPILATION ERROR : 
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/memory/impl/BaseMemoryAccessorTest.java:[28,15] Unsafe is internal proprietary API and may be removed in a future release
--------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.5.1:testCompile (default-testCompile) on project hazelcast: Compilation failure: Compilation failure: 
--------------------------
---------ERRORS-----------
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/memory/impl/BaseMemoryAccessorTest.java:[28,15] Unsafe is internal proprietary API and may be removed in a future release
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/memory/impl/BaseMemoryAccessorTest.java:[28,15] Unsafe is internal proprietary API and may be removed in a future release
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/util/XmlUtilTest.java:[45,29] error: package org.fusesource.hawtbuf does not exist
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/memory/impl/BaseMemoryAccessorTest.java:[28,15] Unsafe is internal proprietary API and may be removed in a future release
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/memory/impl/BaseMemoryAccessorTest.java:[28,15] Unsafe is internal proprietary API and may be removed in a future release
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/memory/impl/BaseMemoryAccessorTest.java:[28,15] Unsafe is internal proprietary API and may be removed in a future release
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/util/XmlUtilTest.java:[45,29] error: package org.fusesource.hawtbuf does not exist
--------------------------
[ERROR] /home/jenkins/jenkins_slave/workspace/Hazelcast-pr-builder_3/hazelcast/src/test/java/com/hazelcast/internal/memory/impl/BaseMemoryAccessorTest.java:[28,15] Unsafe is internal proprietary API and may be removed in a future release
--------------------------

@hazelcast hazelcast deleted a comment from devOpsHazelcast Mar 14, 2022
@kwart
Member

kwart commented Mar 14, 2022

run-lab-run

@joschi joschi marked this pull request as ready for review March 14, 2022 08:20
@kwart kwart added Team: Core Backport Module: Config security Pull requests that address a security vulnerability labels Mar 14, 2022
@kwart kwart added this to the 4.2.5 milestone Mar 14, 2022
@kwart kwart requested review from kwart and olukas March 14, 2022 08:36
Member

@kwart kwart left a comment


LGTM. Thanks for the backport.

@kwart kwart merged commit f17ef85 into hazelcast:4.2.z Mar 15, 2022
@joschi joschi deleted the pr-20407-4.2.z branch March 15, 2022 16:39
@hutupro

hutupro commented Mar 16, 2022

When will version 4.2.5 be released?
