Andrea Cosentino created CAMEL-23783:
----------------------------------------

             Summary: camel-schematron: harden the rules TransformerFactory 
against external entities (XXE)
                 Key: CAMEL-23783
                 URL: https://issues.apache.org/jira/browse/CAMEL-23783
             Project: Camel
          Issue Type: Improvement
          Components: camel-schematron
            Reporter: Andrea Cosentino
            Assignee: Andrea Cosentino


h3. Problem
camel-schematron has two TransformerFactory paths. 
{{SchematronProcessorFactory}} correctly sets FEATURE_SECURE_PROCESSING, 
disallow-doctype and disables external DTD/stylesheet access. The separate 
{{SchematronEndpoint.createTransformerFactory()}} (used by 
{{TemplatesFactory.getTemplates()}} to compile the ISO-DSDL rules pipeline) 
sets only LINE_NUMBERING, omitting the secure-processing hardening. The rules 
file is operator-supplied (trusted), so severity is low, but the two factory 
paths should be consistent (defense-in-depth).

h3. Evidence
* components/camel-schematron/src/main/java/org/apache/camel/component/schematron/SchematronEndpoint.java:170-179 (only LINE_NUMBERING) vs the hardened SchematronProcessorFactory

h3. Suggested fix
Set FEATURE_SECURE_PROCESSING=true and empty 
ACCESS_EXTERNAL_DTD/ACCESS_EXTERNAL_STYLESHEET in createTransformerFactory(), 
matching SchematronProcessorFactory.

h3. Acceptance criteria
* createTransformerFactory() enables FEATURE_SECURE_PROCESSING and restricts 
ACCESS_EXTERNAL_DTD/STYLESHEET
* Both schematron factory paths are consistent
* Existing schematron rule-compilation tests still pass
* A test confirms an external-entity reference in the rules pipeline is not 
resolved

_Created by Claude Code on behalf of Andrea Cosentino._



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
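
Added example (not Camel code and not part of the issue text): a stand-alone check of the kind the last acceptance criterion asks for, comparing a default TransformerFactory with one hardened as the suggested fix describes. It assumes the JDK's built-in XSLT implementation and Java 11+; the class name, helper names, marker string and temp file are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class RulesFactoryXxeCheck {
    static final String MARKER = "CONSTRUCTED-MARKER-SHOULD-NOT-APPEAR";

    // Assumed shape of the hardened factory (hypothetical helper, not the Camel source).
    static TransformerFactory hardened() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // "" = no protocol allowed
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True if the external entity referenced by the stylesheet reached the output.
    static boolean entityResolved(TransformerFactory tf, String xslt) {
        try {
            Templates t = tf.newTemplates(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.newTransformer().transform(new StreamSource(new StringReader("<in/>")), new StreamResult(out));
            return out.toString().contains(MARKER);
        } catch (TransformerException e) {
            return false; // compilation or transform refused the external reference
        }
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("xxe-marker", ".txt"); // constructed local test file
        Files.writeString(file, MARKER);
        String xslt = "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"" + file.toUri() + "\">]>"
            + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><out>&ext;</out></xsl:template></xsl:stylesheet>";
        System.out.println("default factory resolved entity:  "
            + entityResolved(TransformerFactory.newInstance(), xslt));
        boolean leaked = entityResolved(hardened(), xslt);
        System.out.println("hardened factory resolved entity: " + leaked);
        Files.delete(file);
        if (leaked) throw new AssertionError("external entity was resolved by the hardened factory");
    }
}
```

If the TransformerFactory on the classpath is a different implementation, `setAttribute` may throw IllegalArgumentException for attributes it does not recognize, which is itself worth asserting on in a consistency test.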
