Stamatis Zampetakis created CALCITE-7609:
--------------------------------------------
Summary: Use Copernik XML Factory for safely parsing XML documents
Key: CALCITE-7609
URL: https://issues.apache.org/jira/browse/CALCITE-7609
Project: Calcite
Issue Type: Task
Components: core
Reporter: Stamatis Zampetakis

There are a few places in the project where we manipulate XML documents
(notably inside the {{XmlFunctions}} class). The default settings for the
various XML APIs provide weak security guarantees leading to vulnerabilities
like the one we had to address in CALCITE-5263.

The [copernik-xml-factory|https://github.com/copernik-eu/copernik-xml-factory]
library provides various APIs returning factory instances with tighter security
guarantees and could be used instead of calls to the raw APIs.

The goal of this ticket is to investigate if it's worth introducing the copernik
library to the project for hardening the security around XML parsing.

If we decide to move forward with this change, we should also find a way to
prevent the usage of the raw APIs (and always pass through copernik); otherwise,
sooner or later we will end up in the same situation.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
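
The following is an added example, not code from Calcite, the ticket, or copernik-xml-factory: it shows the gap between a raw JAXP `DocumentBuilderFactory` with default settings and the same factory tightened by hand. The class name and sample document are hypothetical, and it assumes the JDK's built-in parser (other implementations may not accept the same features and attributes).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hypothetical demo class; not part of Calcite or copernik-xml-factory. */
public class XmlFactoryHardeningDemo {
  // Constructed sample: a harmless internal entity declared in a DOCTYPE.
  static final String SAMPLE =
      "<!DOCTYPE r [<!ENTITY e \"expanded-by-parser\">]><r>&e;</r>";

  /** Raw API with default settings: DOCTYPE and entity expansion are allowed. */
  static DocumentBuilderFactory rawFactory() {
    return DocumentBuilderFactory.newInstance();
  }

  /** Same API with DTDs, external access and XInclude switched off. */
  static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Reject any document that carries a DOCTYPE declaration at all.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Empty string = no protocol is allowed for external DTDs or schemas.
    f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    return f;
  }

  /** Parses SAMPLE and reports whether the factory accepted or rejected it. */
  static String parse(DocumentBuilderFactory f) throws Exception {
    try {
      Document d = f.newDocumentBuilder().parse(
          new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
      return "parsed, text = " + d.getDocumentElement().getTextContent();
    } catch (SAXException e) {
      return "rejected: " + e.getMessage();
    }
  }

  public static void main(String[] args) throws Exception {
    System.out.println("raw:      " + parse(rawFactory()));
    System.out.println("hardened: " + parse(hardenedFactory()));
  }
}
```

Every call site that builds its own factory has to repeat this configuration correctly, which is why the ticket also asks for a way to stop direct use of the raw APIs.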