
Issue #10066 - Allow customization of SAXParserFactory and SAXParser in XmlParser #10299

Merged
merged 8 commits into from
Aug 14, 2023

Conversation

joakime
Contributor

@joakime joakime commented Aug 11, 2023

Backport of PR #10067 to jetty-9.4.x

  • Allow customization of SAXParserFactory / SAXParser in XmlParser
  • Introduce method .getSAXParser()

…er` in `XmlParser` (#10067)

* Allow customization of SAXParserFactory / SAXParser in XmlParser
* Introduce method `.getSAXParser()`
---------

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Co-authored-by: Greg Wilkins <gregw@webtide.com>
@joakime joakime added Enhancement Sponsored This issue affects a user with a commercial support agreement labels Aug 11, 2023
@joakime joakime added this to the 9.4.x milestone Aug 11, 2023
@joakime joakime requested a review from sbordet August 11, 2023 18:52
@joakime joakime self-assigned this Aug 11, 2023
@joakime
Contributor Author

joakime commented Aug 11, 2023

Strange test failures on 8u382 that didn't happen on my 8u362 machine.
Investigating.

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
@joakime
Contributor Author

joakime commented Aug 11, 2023

The JDK difference was a red herring.
The test failures are reproducible on my machine too.
Pushed a fix (really a backport of an old fix from jetty-10.0.x)

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
…y-10.0.x`) (#10098)

* Now that the migration of `https://eclipse.org/jetty/` to `https://eclipse.dev/jetty/` has occurred, it is time to review the URI use in our project

+ Added more URIs to XmlConfiguration

---------

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
@joakime
Contributor Author

joakime commented Aug 11, 2023

Had to cherry-pick a (limited form of) commit a9c596e back to jetty-9.4.x to get it to be happy.

…the problem

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
@joakime joakime merged commit d4d8832 into jetty-9.4.x Aug 14, 2023
@joakime joakime deleted the fix/9.4.x/xmlparser-customization branch August 14, 2023 20:37
@chadlwilson
Contributor

Thanks for backporting this! 🙏

Does this backport mean the affected versions of GHSA-58qw-p7qm-5rvh can be updated to exclude 9.4.52.v20230823 ?

@chadlwilson
Contributor

On the assumption that this appears to do so, based on how the earlier advisory was structured for 10.x and 11.x and affected versions and PRs, I've suggested updating the main advisory via github/advisory-database#2673

I am not entirely clear how GHSA-58qw-p7qm-5rvh is linked to the github-reviewed variant, so if this is inappropriate, let me know and I'll cancel it. Just trying to help out. 🙏

@joakime joakime mentioned this pull request Aug 29, 2023
@joakime
Contributor Author

joakime commented Aug 29, 2023

@chadlwilson do you use Jetty's org.eclipse.jetty.xml.XmlParser directly in your webapp (as in your own code uses the Jetty org.eclipse.jetty.xml.XmlParser class)?

If the answer is no, then you are not vulnerable to GHSA-58qw-p7qm-5rvh

@chadlwilson
Contributor

@joakime I am aware of this distinction. This isn't about my personal usage - already suppressed the reported vulns on that basis a while back.

However it's still useful to get scanner noise to go away for the wider community so there are fewer reported vulns for folks to investigate if they keep their dependencies updated. Trivy is detecting this one right now on container image scans which also means the Helm Artifact Hub is doing the same if publishing OSS images there.

@joakime
Contributor Author

joakime commented Aug 30, 2023

@chadlwilson we updated the affected / patched versions in our repository version of the GHSA-58qw-p7qm-5rvh advisory

And submitted a PR to change the public advisory as well
