XMLUnit for Java's Transform's default transformation
allowed the use of XSLT extension functions - this has been changed in
2.10.0.
If you've been using XMLUnit to run XSLT transformations with untrusted stylesheets and your setup is so that an attacker can chose the stylesheet and ensure your XSLT processor can run the extensions this may lead to a remote code execution in the worst setup. Therefore the old default has been assigned CVE-2024-31573.
Some XSLT processors - e.g. Apache Xalan - allow the extension code to be specified inline with an Apache BSF enabled scripting language - note that would require your code executing the transformation to also have BSF around. In outher cases your transformation would need to allow the attacker to also inject Java classes into your running process. This combined with my believe that XMLUnit is very unlikely to be run in a setup like this made me set the impact to "Low".
Advisory: https://github.com/xmlunit/xmlunit/security/advisories/GHSA-chfm-68vv-pvw5
path: /en/oss/XMLUnit | #
- add a new
ElementSelectors.byNameAndAllAttributesvariant that filters attributes before deciding whether elements can be compared.
Inspired by Issue #259. - By default the
TransformerFactorys created will now try to disable extension functions. If you need extension functions for your transformations you may want to pass in your own instance ofTransformerFactoryandTransformerFactoryConfigurermay help with that.
Inspired by Issue #264. JAXPXPathEnginewill now try to disable the execution of extension functions by default but usesXPathFactory#setPropertywhich is not available prior to Java 18. You may want to enable secure processing on anXPathFactoryinstance you pass toJAXPXPathEngineinstead - andXPathFactoryConfigurermay help with that.
path: /en/oss/XMLUnit | #
I've just released a small minor release of XMLUnit.NET that fixes
a bug with whitespace normalization/stripping and adds a small feature
simplifying the use of NodeFilters.
Full list of changes:
- added
NodeFilters#SatisfiesAllandSatifiesAnymethods to make it easier to combine multiple node filters.
added to simplify the use case of xmlunit/#249 - when documents contained element content whitespace represented by
System.Xml.XmlWhitespacethe types and methods that are supposed to strip or normalize whitespace would fail.
Issue #38
path: /en/oss/XMLUnit | #
Full list of changes:
- fixed some AssertJ tests that didn't work on Windows.
Issue #252 and PR #253 by @Boiarshinov - added overloads to
ElementSelectors.byXPaththat accept aXPathEngineargument.
Issue #255 - added Cyclone DX SBOMs to release artifacts
path: /en/oss/XMLUnit | #
The major change of XMLUnit for Java 2.9.0 is the addition of a new
module xmlunit-jakarta-jaxb-impl that can be used in addition to
xmlunit-core when you want to use the Jakarta XML Binding API in
version 3. For details please see the user's guide.
The full list of changes of XMLUnit for Java 2.9.0 is:
added a new module
xmlunit-jakarta-jaxb-implthat makesInput.fromJaxbusejakarta.xml.bindrather thanjavax.xml.bind. For more details see the User's Guide.This change is not fully backwards compatible. The
JaxbBuilderclass has become abstract and thewithMarshallermethod has changed its signature. For most cases the change will not be noticed and for almost all other cases it should be enough to re-compile your code against XMLUnit 2.9.x.added
NodeFilters#satisfiesAllandsatifiesAnymethods to make it easier to combine multiple node filters. added to simplify the use case of #249
path: /en/oss/XMLUnit | #