Add CMake to CI, guard libxml2 APIs and harden XML parsing (fix leak)#80
Open
Easton97-Jens wants to merge 8 commits intov3/master-json2from
Open
Add CMake to CI, guard libxml2 APIs and harden XML parsing (fix leak)#80Easton97-Jens wants to merge 8 commits intov3/master-json2from
Easton97-Jens wants to merge 8 commits intov3/master-json2from
Conversation
…g-offener-sonar-probleme-7954xf Modernize codebase: nullptr/default initializers, std::string_view, smart pointers and minor cleanups
…nar-befunde-in-pr-#3540 Address open CRITICAL Sonar nesting and cognitive-complexity findings
…ocessing-improvements Refactor XML processing, add secure libxml2 handling and vendored build support
59fbb13 to
3ec86cf
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
cmakeis not installed.VariableValueallocation and restore Windows/libxml2 cross-version compatibility for XML hardening changes.Description
cmakein Linux dependency steps and makebuild/libxml.m4detectcmakeviaAC_PATH_PROG, emitting a clear error if missing, so vendored libxml2 remains the desired path.src/request_body_processor/xml.ccto use a neutral scheme parserisRemoteResource(parses URI scheme and matcheshttp/https/ftp/ftps/sftp) instead of direct"http://"/"https://"literals, removing the Sonar hotspot while retaining blocking semantics.#if LIBXML_VERSION >= 21400) around newer APIs (xmlCtxtSetOptions/xmlCtxtSetResourceLoader/xmlSchemaSetResourceLoaderand related resource-loader code) and provide fallbacks for older versions (usexmlCtxtUseOptionsand a scoped external-entity loader fallback) so Windows/older-libxml2 builds remain protected.initializeSecurityPolicy) to ensureXML_PARSE_NONETis always set andXML_PARSE_NO_XXEis used when available, otherwise the scoped fallback denies external resources without weakening protection.src/variables/xml.ccby usingstd::unique_ptr<VariableValue>and callingrelease()only when the value is actually pushed into the output vector, making ownership explicit and analyzer-friendly.Testing
./build.sh(autotools prep) and it completed successfully in this environment../configure --enable-assertions=yeswhich failed due to a missing git submodule (libInjection) unrelated to these changes; this is expected in the current container and not caused by the PR.pkg-config --modversion libxml-2.0which returned2.9.14, confirming code compiles against an older libxml2 for fallback paths.g++ -std=c++17 -DWITH_LIBXML2 -I. -I./headers $(pkg-config --cflags libxml-2.0) -fsyntax-only src/request_body_processor/xml.ccand... src/variables/xml.ccand both passed.git diff --checkand there were no whitespace/patch errors.Notes: full
make/make checkand Windows-native builds could not be completed inside this container due to missing git submodules and lack of a Windows toolchain; these remain recommended CI validations and the PR preserves the security guarantees across libxml2 versions with documented fallbacks.Codex Task