[ https://issues.apache.org/jira/browse/CAMEL-23783?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrea Cosentino resolved CAMEL-23783.
--------------------------------------
Resolution: Fixed
> camel-schematron: harden the rules TransformerFactory against external entities (XXE)
> -------------------------------------------------------------------------------------
>
> Key: CAMEL-23783
> URL: https://issues.apache.org/jira/browse/CAMEL-23783
> Project: Camel
> Issue Type: Improvement
> Components: camel-schematron
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.14.8, 4.18.3, 4.21.0
>
>
> h3. Problem
> camel-schematron has two TransformerFactory paths.
> {{SchematronProcessorFactory}} correctly sets FEATURE_SECURE_PROCESSING,
> disallow-doctype and disables external DTD/stylesheet access. The separate
> {{SchematronEndpoint.createTransformerFactory()}} (used by
> {{TemplatesFactory.getTemplates()}} to compile the ISO-DSDL rules pipeline)
> sets only LINE_NUMBERING, omitting the secure-processing hardening. The rules
> file is operator-supplied (trusted), so severity is low, but the two factory
> paths should be consistent (defense-in-depth).
> h3. Evidence
> *
> components/camel-schematron/src/main/java/org/apache/camel/component/schematron/SchematronEndpoint.java:170-179
> (only LINE_NUMBERING) vs the hardened SchematronProcessorFactory
> h3. Suggested fix
> Set FEATURE_SECURE_PROCESSING=true and empty
> ACCESS_EXTERNAL_DTD/ACCESS_EXTERNAL_STYLESHEET in createTransformerFactory(),
> matching SchematronProcessorFactory.
> h3. Acceptance criteria
> * createTransformerFactory() enables FEATURE_SECURE_PROCESSING and restricts
> ACCESS_EXTERNAL_DTD/STYLESHEET
> * Both schematron factory paths are consistent
> * Existing schematron rule-compilation tests still pass
> * A test confirms an external-entity reference in the rules pipeline is not
> resolved
> _Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira (v8.20.10#820010)
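The three settings the ticket asks for, applied to the platform's default JAXP TransformerFactory, together with a check for the last acceptance criterion (an external entity in a rules stylesheet is not resolved). This is an added illustration, not Camel's code: the class name, the temp-file entity target and the constructed stylesheet are assumptions, and it does not set Saxon's LINE_NUMBERING.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

/** Hypothetical helper mirroring the hardening the ticket prescribes for createTransformerFactory(). */
public final class HardenedRulesFactory {

    public static TransformerFactory create() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Secure processing: JAXP limits plus restricted defaults for the access properties.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTDs or external entities while parsing the rules,
        // and no external stylesheets (xsl:import/xsl:include/document()) while compiling them.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /**
     * Compiles a constructed stylesheet whose DOCTYPE declares an external entity pointing at a
     * real temp file. Returns true when the factory refuses the lookup (compilation fails);
     * a factory that still resolves entities would compile it and inline the file's contents.
     */
    public static boolean refusesExternalEntity(TransformerFactory factory) throws Exception {
        Path target = Files.createTempFile("xxe-probe", ".txt");   // constructed entity target
        Files.writeString(target, "leaked");
        String rules = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE xsl:stylesheet [ <!ENTITY ext SYSTEM \"" + target.toUri() + "\"> ]>\n"
            + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
            + "  <xsl:template match=\"/\"><out>&ext;</out></xsl:template>\n"
            + "</xsl:stylesheet>";
        try {
            factory.newTemplates(new StreamSource(new StringReader(rules)));
            return false;  // compiled: the entity was fetched and inlined
        } catch (TransformerConfigurationException e) {
            return true;   // refused: accessExternalDTD="" blocked the file: access
        } finally {
            Files.deleteIfExists(target);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened factory refuses external entity: "
            + refusesExternalEntity(create()));
    }
}
```

Running the same check against a factory built with `TransformerFactory.newInstance()` alone shows the contrast the ticket describes: without the two access attributes the probe compiles and the entity is resolved.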