[SECURITY-167] Followup tweaks to address review comments.

Addresses some comments received after the original fix was merged.

[SECURITY-167] Followup tweaks to address review comments.
Addresses some comments received after the original fix was merged.
1786daa5 · James Nord · 76ff1034 · 1786daa5 · 1786daa5 · 1786daa5
3 changed file
--- a/core/src/main/java/jenkins/util/xml/RestrictiveEntityResolver.java
+++ b/core/src/main/java/jenkins/util/xml/RestrictiveEntityResolver.java
 package jenkins.util.xml;

+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -12,6 +14,7 @@ import java.io.IOException;
 *
 * @since TODO
 */
+@Restricted(NoExternalUse.class)
 public final class RestrictiveEntityResolver implements EntityResolver {

    public final static RestrictiveEntityResolver INSTANCE = new RestrictiveEntityResolver();

--- a/core/src/main/java/jenkins/util/xml/XMLUtils.java
+++ b/core/src/main/java/jenkins/util/xml/XMLUtils.java
 package jenkins.util.xml;

+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
@@ -20,7 +22,9 @@ import javax.xml.transform.sax.SAXTransformerFactory;

 /**
 * Utilities useful when working with various XML types.
+ * @since TODO
 */
+@Restricted(NoExternalUse.class)
 public final class XMLUtils {

    private final static Logger LOGGER = LogManager.getLogManager().getLogger(XMLUtils.class.getName());

--- a/test/src/test/java/hudson/model/AbstractItemSecurityTest.java
+++ b/test/src/test/java/hudson/model/AbstractItemSecurityTest.java
@@ -56,22 +56,14 @@ public class AbstractItemSecurityTest {

    @Test()
    // SECURITY-167
-    public void testUpdateByXmlIDoesNotProcessForeignResources() throws Exception {
+    public void testUpdateByXmlDoesNotProcessForeignResources() throws Exception {
        final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" +
                "<!DOCTYPE project[\n" +
                "  <!ENTITY foo SYSTEM \"file:///\">\n" +
                "]>\n" +
                "<project>\n" +
-                "  <actions/>\n" +
                "  <description>&foo;</description>\n" +
-                "  <keepDependencies>false</keepDependencies>\n" +
-                "  <properties/>\n" +
                "  <scm class=\"hudson.scm.NullSCM\"/>\n" +
-                "  <canRoam>true</canRoam>\n" +
-                "  <triggers/>\n" +
-                "  <builders/>\n" +
-                "  <publishers/>\n" +
-                "  <buildWrappers/>\n" +
                "</project>";

        FreeStyleProject project = jenkinsRule.createFreeStyleProject("security-167");
@@ -90,19 +82,11 @@ public class AbstractItemSecurityTest {

    @Test()
    // SECURITY-167
-    public void testhamyXmlIDoesNotFail() throws Exception {
+    public void testUpdateByXmlDoesNotFail() throws Exception {
        final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" +
                "<project>\n" +
-                "  <actions/>\n" +
                "  <description>&amp;</description>\n" +
-                "  <keepDependencies>false</keepDependencies>\n" +
-                "  <properties/>\n" +
                "  <scm class=\"hudson.scm.NullSCM\"/>\n" +
-                "  <canRoam>true</canRoam>\n" +
-                "  <triggers/>\n" +
-                "  <builders/>\n" +
-                "  <publishers/>\n" +
-                "  <buildWrappers/>\n" +
                "</project>";

        FreeStyleProject project = jenkinsRule.createFreeStyleProject("security-167");