Update dependency org.xmlunit:xmlunit-core to v2.10.0 [SECURITY] #885
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
added
Mend: dependency security fix
and removed
Mend: dependency security fix
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.9.1->2.10.0GitHub Vulnerability Alerts
CVE-2024-31573
Impact
When performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.
Patches
Users are advised to upgrade to XMLUnit for Java 2.10.0 where the default has been changed by means of xmlunit/xmlunit@b81d48b
Workarounds
XMLUnit's main use-case is performing tests on code that generates or processes XML. Most users will not use it to perform arbitrary XSLT transformations.
Users running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit's APIs to pass in a pre-configured TraX
TransformerFactorywith extension functions disabled via features and attributes. The requiredsetFactoryorsetTransformerFactorymethods have been available since XMLUnit for Java 2.0.0.References
Bug Report
JAXP Security Guide
Release Notes
xmlunit/xmlunit (org.xmlunit:xmlunit-core)
v2.10.0Compare Source
add a new
ElementSelectors.byNameAndAllAttributesvariant that filters attributes before deciding whether elements canbe compared.
Inspired by Issue #259
By default the
TransformerFactorys created will now try to disable extension functions. If you need extensionfunctions for your transformations you may want to pass in your own instance of
TransformerFactoryandTransformerFactoryConfigurermay help with that.Inspired by Issue #264
This is tracked as CVE-2024-31573.
JAXPXPathEnginewill now try to disable the execution of extension functions by default but usesXPathFactory#setPropertywhich is not available prior to Java 18. You may want to enable secure processing on anXPathFactoryinstance you pass toJAXPXPathEngineinstead - andXPathFactoryConfigurermay help with that.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.