Update dependency org.xmlunit:xmlunit-core to v2.10.0 [SECURITY] #885
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.9.1
->2.10.0
GitHub Vulnerability Alerts
CVE-2024-31573
Impact
When performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.
Patches
Users are advised to upgrade to XMLUnit for Java 2.10.0 where the default has been changed by means of xmlunit/xmlunit@b81d48b
Workarounds
XMLUnit's main use-case is performing tests on code that generates or processes XML. Most users will not use it to perform arbitrary XSLT transformations.
Users running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit's APIs to pass in a pre-configured TraX
TransformerFactory
with extension functions disabled via features and attributes. The requiredsetFactory
orsetTransformerFactory
methods have been available since XMLUnit for Java 2.0.0.References
Bug Report
JAXP Security Guide
Release Notes
xmlunit/xmlunit (org.xmlunit:xmlunit-core)
v2.10.0
Compare Source
add a new
ElementSelectors.byNameAndAllAttributes
variant that filters attributes before deciding whether elements canbe compared.
Inspired by Issue #259
By default the
TransformerFactory
s created will now try to disable extension functions. If you need extensionfunctions for your transformations you may want to pass in your own instance of
TransformerFactory
andTransformerFactoryConfigurer
may help with that.Inspired by Issue #264
This is tracked as CVE-2024-31573.
JAXPXPathEngine
will now try to disable the execution of extension functions by default but usesXPathFactory#setProperty
which is not available prior to Java 18. You may want to enable secure processing on anXPathFactory
instance you pass toJAXPXPathEngine
instead - andXPathFactoryConfigurer
may help with that.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.