Disallow arbitrary namespaces in Maven and Metadata readers #11185
Conversation
| @Test | ||
| void acceptsPom41() throws Exception { | ||
| MavenStaxReader reader = new MavenStaxReader(); | ||
| Model m = reader.read(new StringReader(POM_41), /*strict*/ true, NO_INPUT_SOURCE); |
| @Test | ||
| void acceptsPomWithoutNamespace() throws Exception { | ||
| MavenStaxReader reader = new MavenStaxReader(); | ||
| Model m = reader.read(new StringReader(POM_NO_NS), true, NO_INPUT_SOURCE); |
| XMLStreamException ex = assertThrows( | ||
| XMLStreamException.class, () -> reader.read(new StringReader(POM_BAD_NS), true, NO_INPUT_SOURCE)); | ||
| // sanity check: message mentions unrecognized namespace | ||
| assertTrue(ex.getMessage().toLowerCase().contains("unrecognized pom namespace")); |
| @Test | ||
| void acceptsMetadata110() throws Exception { | ||
| MetadataStaxReader reader = new MetadataStaxReader(); | ||
| Metadata md = reader.read(new StringReader(META_110), /*strict*/ true); |
src/mdo/reader-stax.vm
Outdated
| } | ||
|
|
||
| // Enforce root namespace per model (strict mode). | ||
| String rootNs = parser.getNamespaceURI(); |
src/mdo/reader-stax.vm
Outdated
|
|
||
| // Enforce root namespace per model (strict mode). | ||
| String rootNs = parser.getNamespaceURI(); | ||
| boolean hasNs = rootNs != null && !rootNs.isEmpty(); |
elharo
changed the title
arturobernalg
force-pushed
the
10985
branch
from
25d4fb8 to
c5bbb38
Compare
src/mdo/reader-stax.vm
Outdated
| * any. | ||
| * @return ${root.name} | ||
| */ | ||
| /** |
There was a problem hiding this comment.
Fix the formatting of this file, this completely breaks the format of the generated java file.
src/mdo/reader-stax.vm
Outdated
| if (strict && hasNs) { | ||
| if ("project".equals("${rootTag}")) { | ||
| // Accept any official POM namespace version (e.g., 4.0.0, 4.1.0) | ||
| if (!rootNs.startsWith("http://maven.apache.org/POM/")) { |
There was a problem hiding this comment.
These hardcoded values are wrong. We generate much more readers than just those two: settings, lifecycles, extensions, plugin, toolchains...
In addition, accepting metadata namespace when reading a POM is just plain wrong.
The way to go would be to define a variable for the template in the POM that generates the writer and only accept that one.
Another thing to keep in mind is that the plugin configuration in the POM can actually contain external namespaces and this is valid.
There was a problem hiding this comment.
An example of such a variable is ${packageToolV4}.
Accept POM 4.1.0 and METADATA 1.1.0 plus no-namespace, reject others Add JUnit tests for valid and invalid namespaces
arturobernalg
force-pushed
the
10985
branch
from
c8fe7a7 to
da106d1
Compare
@gnodet please do another pass |
| final boolean hasNs = rootNs != null && !rootNs.isEmpty(); | ||
|
|
||
| if ("project".equals("${rootTag}")) { | ||
| if (hasNs && !rootNs.startsWith("http://maven.apache.org/POM/")) { |
There was a problem hiding this comment.
This is wrong. We have generators to generate specific readers, not a generic one which covers all use cases. So it's wrong to put hardcoded values for one or two models in the output of all readers.
The way to go is to retrieve the namespace using modello. The helper needs to be enhanced:
https://github.com/codehaus-plexus/modello/blob/ca30aba14346bf0e183efd2c442f061024c40111/modello-plugins/modello-plugin-velocity/src/main/java/org/codehaus/modello/plugin/velocity/Helper.java
It needs a new method xmlModelMetadata which would return the XmlModelMetadata from which we can get the target namespace.
Once modello is fixed, we can update the velocity templates to leverage that using Helper.xmlModelMetadata(model).namespace.
Accept POM 4.1.0 and METADATA 1.1.0 plus no-namespace, reject others Add JUnit tests for valid and invalid namespaces
Following this checklist to help us incorporate your
contribution quickly and easily:
Note that commits might be squashed by a maintainer on merge.
This may not always be possible but is a best-practice.
mvn verifyto make sure basic checks pass.A more thorough check will be performed on your pull request automatically.
If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.
To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.