Conversation

@YLChen-007 (Contributor)

Description

The improvement patch for #12120.

@shwstppr (Contributor) left a comment:

code change LGTM

codecov bot commented Nov 25, 2025:

Codecov Report

❌ Patch coverage is 14.28571% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 16.17%. Comparing base (e90e436) to head (c57fd05).
⚠️ Report is 8 commits behind head on 4.20.

Files with missing lines Patch % Lines
...ava/com/cloud/utils/cisco/n1kv/vsm/VsmCommand.java 0.00% 11 Missing ⚠️
...r/src/main/java/com/cloud/test/DatabaseConfig.java 0.00% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               4.20   #12129      +/-   ##
============================================
- Coverage     16.18%   16.17%   -0.01%     
+ Complexity    13305    13298       -7     
============================================
  Files          5657     5657              
  Lines        498466   498470       +4     
  Branches      60491    60493       +2     
============================================
- Hits          80696    80651      -45     
- Misses       408789   408846      +57     
+ Partials       8981     8973       -8     
Flag Coverage Δ
uitests 4.00% <ø> (ø)
unittests 17.03% <14.28%> (-0.01%) ⬇️


@sureshanaparti (Contributor) left a comment:

code lgtm

@sureshanaparti (Contributor):

@blueorangutan package

@blueorangutan:

@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@sureshanaparti sureshanaparti added this to the 4.20.3 milestone Nov 25, 2025
Copilot finished reviewing on behalf of sureshanaparti November 25, 2025 13:13
Copilot AI left a comment:

Pull request overview

This PR refactors XML parsing across multiple classes to use safer document builders from ParserUtils instead of directly instantiating parser factories. This addresses security concerns related to XML External Entity (XXE) attacks mentioned in issue #12120.

Key Changes

  • Replaced DocumentBuilderFactory.newInstance() calls with ParserUtils.getSaferDocumentBuilderFactory()
  • Replaced SAXParserFactory.newInstance() with ParserUtils.getSaferSAXParserFactory()
  • Added necessary imports for ParserUtils in affected classes

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Files reviewed:

utils/src/main/java/com/cloud/utils/cisco/n1kv/vsm/VsmCommand.java: Updated 10 methods to use the safer DocumentBuilderFactory from ParserUtils instead of direct instantiation

server/src/main/java/com/cloud/test/DatabaseConfig.java: Replaced SAXParserFactory instantiation with the safer ParserUtils method in doConfig()

plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateVolumeCommandWrapper.java: Updated 2 methods to use the safer DocumentBuilderFactory for XML parsing operations


Comment on lines +29 to 30
import org.apache.cloudstack.utils.security.ParserUtils;
import org.apache.logging.log4j.LogManager;
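Review bot: The ParserUtils import at line 29 only closes the XXE exposure if every former DocumentBuilderFactory.newInstance() call in this file now goes through the imported helper; since the coverage report lists 11 changed lines in VsmCommand.java with no test coverage, it is worth a final search of the file for any remaining direct factory instantiation before merge.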
Copilot AI, Nov 25, 2025:

The import for ParserUtils is placed between two org.apache.logging.log4j imports, breaking the proper import ordering. Imports should be grouped and sorted alphabetically within their groups. The ParserUtils import should be placed after LogManager import to maintain proper ordering of org.apache.cloudstack and org.apache.logging imports.

Suggested change (the two lines as committed, then as proposed):

import org.apache.cloudstack.utils.security.ParserUtils;
import org.apache.logging.log4j.LogManager;

import org.apache.logging.log4j.LogManager;
import org.apache.cloudstack.utils.security.ParserUtils;

@blueorangutan:

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15828


Development

Successfully merging this pull request may close these issues.

[Improvement] Refactor XML parsing logic to use secure ParserUtils in KVM and Database modules

6 participants