Merge pull request #7 from jenkinsci-cert/SECURITY-167_2

[SECURITY-167] Followup tweaks to address review comments.

core/src/main/java/jenkins/util/xml/RestrictiveEntityResolver.java

 package jenkins.util.xml;
 
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -9,9 +11,8 @@ import java.io.IOException;
 /**
  * An EntityResolver that will fail to resolve any entities.
  * Useful in preventing External XML Entity injection attacks.
- *
- * @since TODO
  */
+@Restricted(NoExternalUse.class)
 public final class RestrictiveEntityResolver implements EntityResolver {
 
     public final static RestrictiveEntityResolver INSTANCE = new RestrictiveEntityResolver();

core/src/main/java/jenkins/util/xml/XMLUtils.java

 package jenkins.util.xml;
 
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
@@ -21,6 +23,7 @@ import javax.xml.transform.sax.SAXTransformerFactory;
 /**
  * Utilities useful when working with various XML types.
  */
+@Restricted(NoExternalUse.class)
 public final class XMLUtils {
 
     private final static Logger LOGGER = LogManager.getLogManager().getLogger(XMLUtils.class.getName());

test/src/test/java/hudson/model/AbstractItemSecurityTest.java

@@ -56,22 +56,14 @@ public class AbstractItemSecurityTest {
 
     @Test()
     // SECURITY-167
-    public void testUpdateByXmlIDoesNotProcessForeignResources() throws Exception {
+    public void testUpdateByXmlDoesNotProcessForeignResources() throws Exception {
         final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" +
                 "<!DOCTYPE project[\n" +
                 "  <!ENTITY foo SYSTEM \"file:///\">\n" +
                 "]>\n" +
                 "<project>\n" +
-                "  <actions/>\n" +
                 "  <description>&foo;</description>\n" +
-                "  <keepDependencies>false</keepDependencies>\n" +
-                "  <properties/>\n" +
                 "  <scm class=\"hudson.scm.NullSCM\"/>\n" +
-                "  <canRoam>true</canRoam>\n" +
-                "  <triggers/>\n" +
-                "  <builders/>\n" +
-                "  <publishers/>\n" +
-                "  <buildWrappers/>\n" +
                 "</project>";
 
         FreeStyleProject project = jenkinsRule.createFreeStyleProject("security-167");
@@ -90,19 +82,11 @@ public class AbstractItemSecurityTest {
 
     @Test()
     // SECURITY-167
-    public void testhamyXmlIDoesNotFail() throws Exception {
+    public void testUpdateByXmlDoesNotFail() throws Exception {
         final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" +
                 "<project>\n" +
-                "  <actions/>\n" +
                 "  <description>&amp;</description>\n" +
-                "  <keepDependencies>false</keepDependencies>\n" +
-                "  <properties/>\n" +
                 "  <scm class=\"hudson.scm.NullSCM\"/>\n" +
-                "  <canRoam>true</canRoam>\n" +
-                "  <triggers/>\n" +
-                "  <builders/>\n" +
-                "  <publishers/>\n" +
-                "  <buildWrappers/>\n" +
                 "</project>";
 
         FreeStyleProject project = jenkinsRule.createFreeStyleProject("security-167");