gradle · bot-gradle · Sep 21, 2022 · Sep 15, 2022 · Sep 15, 2022 · Sep 16, 2022
@@ -17,8 +17,11 @@ package org.gradle.api.plugins.quality.checkstyle
 
 import org.gradle.integtests.fixtures.WellBehavedPluginTest
 import spock.lang.Issue
+import spock.lang.See
 
+import static org.gradle.api.plugins.quality.checkstyle.CheckstylePluginMultiProjectTest.containsClass
 import static org.gradle.api.plugins.quality.checkstyle.CheckstylePluginMultiProjectTest.javaClassWithNewLineAtEnd
+import static org.gradle.api.plugins.quality.checkstyle.CheckstylePluginMultiProjectTest.multilineJavaClass
 import static org.gradle.api.plugins.quality.checkstyle.CheckstylePluginMultiProjectTest.simpleCheckStyleConfig
 
 class CheckstylePluginIntegrationTest extends WellBehavedPluginTest {
@@ -30,6 +33,8 @@ class CheckstylePluginIntegrationTest extends WellBehavedPluginTest {
     def setup() {
         buildFile << """
             apply plugin: 'groovy'
+
+            ${mavenCentralRepository()}
         """
     }
 
@@ -40,12 +45,12 @@ class CheckstylePluginIntegrationTest extends WellBehavedPluginTest {
             apply plugin: 'checkstyle'
 
             dependencies { implementation localGroovy() }
-            ${mavenCentralRepository()}
 
             checkstyle {
                 configProperties["some"] = new URL("https://gradle.org/")
             }
         """
+
         file('src/main/java/Dummy.java') << javaClassWithNewLineAtEnd()
         file('config/checkstyle/checkstyle.xml') << simpleCheckStyleConfig()
 
@@ -55,4 +60,164 @@ class CheckstylePluginIntegrationTest extends WellBehavedPluginTest {
         then:
         executedAndNotSkipped ':checkstyleMain'
     }
+
+    // region: Enable External DTDs
+    @Issue("https://github.com/gradle/gradle/issues/21624")
+    @See("https://checkstyle.sourceforge.io/config_system_properties.html#Enable_External_DTD_load")
+    def "can use enable_external_dtd_load feature on extension"() {
+        given:
+        buildFile """
+            apply plugin: 'checkstyle'
+
+            checkstyle {
+                enableExternalDtdLoad = true
+            }
+        """
+
+        file('src/main/java/org/sample/MyClass.java') << multilineJavaClass()
+        file('config/checkstyle/checkstyle-common.xml') << checkStyleCommonXml()
+        file('config/checkstyle/checkstyle.xml') << checkStyleMainXml()
+
+        when:
+        fails 'checkstyleMain'
+
+        then:
+        result.assertHasErrorOutput("Checkstyle rule violations were found. See the report at:")
+        result.assertHasErrorOutput("Checkstyle files with violations: 1")
+        result.assertHasErrorOutput("Checkstyle violations by severity: [error:2]")
+        file("build/reports/checkstyle/main.xml").assertContents(containsClass("org.sample.MyClass"))
+    }
+
+    @Issue("https://github.com/gradle/gradle/issues/21624")
+    @See("https://checkstyle.sourceforge.io/config_system_properties.html#Enable_External_DTD_load")
+    def "can use enable_external_dtd_load feature on task"() {
+        given:
+        buildFile """
+            apply plugin: 'checkstyle'
+
+            tasks.withType(Checkstyle).configureEach {
+                enableExternalDtdLoad = true
+            }
+        """
+
+        file('src/main/java/org/sample/MyClass.java') << multilineJavaClass()
+        file('config/checkstyle/checkstyle-common.xml') << checkStyleCommonXml()
+        file('config/checkstyle/checkstyle.xml') << checkStyleMainXml()
+
+        when:
+        fails 'checkstyleMain'
+
+        then:
+        result.assertHasErrorOutput("Checkstyle rule violations were found. See the report at:")
+        result.assertHasErrorOutput("Checkstyle files with violations: 1")
+        result.assertHasErrorOutput("Checkstyle violations by severity: [error:2]")
+        file("build/reports/checkstyle/main.xml").assertContents(containsClass("org.sample.MyClass"))
+    }
+
+    @Issue("https://github.com/gradle/gradle/issues/21624")
+    @See("https://checkstyle.sourceforge.io/config_system_properties.html#Enable_External_DTD_load")
+    def "can use enable_external_dtd_load feature on task to override extension value for a task"() {
+        given:
+        buildFile """
+            apply plugin: 'checkstyle'
+
+            checkstyle {
+                enableExternalDtdLoad = false
+            }
+
+            tasks.withType(Checkstyle).configureEach {
+                enableExternalDtdLoad = true
+            }
+        """
+
+        file('src/main/java/org/sample/MyClass.java') << multilineJavaClass()
+        file('config/checkstyle/checkstyle-common.xml') << checkStyleCommonXml()
+        file('config/checkstyle/checkstyle.xml') << checkStyleMainXml()
+
+        when:
+        fails 'checkstyleMain'
+
+        then:
+        result.assertHasErrorOutput("Checkstyle rule violations were found. See the report at:")
+        result.assertHasErrorOutput("Checkstyle files with violations: 1")
+        result.assertHasErrorOutput("Checkstyle violations by severity: [error:2]")
+        file("build/reports/checkstyle/main.xml").assertContents(containsClass("org.sample.MyClass"))
+    }
+
+    @Issue("https://github.com/gradle/gradle/issues/21624")
+    @See("https://checkstyle.sourceforge.io/config_system_properties.html#Enable_External_DTD_load")
+    def "if use enable_external_dtd_load feature NOT enabled, error if feature used in rules XML"() {
+        given:
+        buildFile """
+            apply plugin: 'checkstyle'
+
+            checkstyle {
+                enableExternalDtdLoad = false
+            }
+        """
+
+        file('src/main/java/org/sample/MyClass.java') << multilineJavaClass()
+        file('config/checkstyle/checkstyle-common.xml') << checkStyleCommonXml()
+        file('config/checkstyle/checkstyle.xml') << checkStyleMainXml()
+
+        when:
+        fails 'checkstyleMain'
+
+        then:
+        failedDueToXmlDTDProcessingError()
+    }
+
+    @Issue("https://github.com/gradle/gradle/issues/21624")
+    @See("https://checkstyle.sourceforge.io/config_system_properties.html#Enable_External_DTD_load")
+    def "enable_external_dtd_load feature NOT enabled by default"() {
+        given:buildFile """
+            apply plugin: 'checkstyle'
+        """
+
+        file('src/main/java/org/sample/MyClass.java') << multilineJavaClass()
+        file('config/checkstyle/checkstyle-common.xml') << checkStyleCommonXml()
+        file('config/checkstyle/checkstyle.xml') << checkStyleMainXml()
+
+        when:
+        fails 'checkstyleMain'
+
+        then:
+        failedDueToXmlDTDProcessingError()
+    }
+
+    private failedDueToXmlDTDProcessingError() {
+        result.assertHasErrorOutput("A failure occurred while executing org.gradle.api.plugins.quality.internal.CheckstyleAction")
+        result.assertHasErrorOutput("java.lang.NullPointerException")
+    }
+
+    private String checkStyleCommonXml() {
+        return """
+            <module name="FileLength">
+                <property name="max" value="1"/>
+            </module>
+            """
+    }
+
+    private String checkStyleMainXml() {
+        // Leave the XML processing instruction at the very first position in the file or else the XML is not valid
+        return """<?xml version="1.0"?>
+            <!DOCTYPE module PUBLIC
+                      "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
+                      "https://checkstyle.org/dtds/configuration_1_3.dtd" [
+                <!ENTITY common SYSTEM "checkstyle-common.xml">
+            ]>
+            <module name="Checker">
+
+                &common;
+
+                <module name="TreeWalker">
+                    <module name="MemberName">
+                        <property name="format" value="^[a-z][a-zA-Z]+\$"/>
+                    </module>
+                </module>
+
+            </module>
+            """
+    }
+    // endregion: Enable External DTDs
 }
@@ -17,8 +17,11 @@ package org.gradle.api.plugins.quality.checkstyle
 
 import org.gradle.integtests.fixtures.AbstractIntegrationSpec
 import org.gradle.test.fixtures.file.TestFile
+import org.hamcrest.Matcher
 
+import static org.gradle.util.Matchers.containsLine
 import static org.gradle.util.internal.TextUtil.getPlatformLineSeparator
+import static org.hamcrest.CoreMatchers.containsString
 
 class CheckstylePluginMultiProjectTest extends AbstractIntegrationSpec {
 
@@ -130,4 +133,18 @@ class CheckstylePluginMultiProjectTest extends AbstractIntegrationSpec {
     static String javaClassWithNewLineAtEnd() {
         "public class Dummy {}${getPlatformLineSeparator()}"
     }
+
+    static String multilineJavaClass() {
+        return """
+            package org.sample;
+
+            class MyClass {
+              int i = 0;
+            }
+            """
+    }
+
+    static Matcher<String> containsClass(String className) {
+        containsLine(containsString(className.replace(".", File.separator)))
+    }
 }
@@ -76,12 +76,14 @@ public class Checkstyle extends SourceTask implements VerificationTask, Reportin
     private final Property<JavaLauncher> javaLauncher;
     private final Property<String> minHeapSize;
     private final Property<String> maxHeapSize;
+    private final Property<Boolean> enableExternalDtdLoad;
 
     public Checkstyle() {
         this.configDirectory = getObjectFactory().directoryProperty();
         this.reports = getObjectFactory().newInstance(CheckstyleReportsImpl.class, this);
         this.minHeapSize = getObjectFactory().property(String.class);
         this.maxHeapSize = getObjectFactory().property(String.class);
+        this.enableExternalDtdLoad = getObjectFactory().property(Boolean.class);
         // Set default JavaLauncher to current JVM in case
         // CheckstylePlugin that sets Java launcher convention is not applied
         this.javaLauncher = getCurrentJvmLauncher();
@@ -198,6 +200,9 @@ private void runWithProcessIsolation() {
             spec.getForkOptions().setMinHeapSize(minHeapSize.getOrNull());
             spec.getForkOptions().setMaxHeapSize(maxHeapSize.getOrNull());
             spec.getForkOptions().setExecutable(javaLauncher.get().getExecutablePath().getAsFile().getAbsolutePath());
+            if (getEnableExternalDtdLoad().isPresent()) {
+                spec.getForkOptions().getSystemProperties().put("checkstyle.enableExternalDtdLoad", getEnableExternalDtdLoad().get());
+            }
             spec.getClasspath().from(getCheckstyleClasspath());
         });
         workQueue.submit(CheckstyleAction.class, this::setupParameters);
@@ -446,4 +451,20 @@ public Property<String> getMinHeapSize() {
     public Property<String> getMaxHeapSize() {
         return maxHeapSize;
     }
+
+    /**
+     * Enable the ability to use custom DTD files in config and load them from some location.
+     * <strong>Disabled by default due to security concerns.</strong>
+     * See <a href="https://checkstyle.org/config_system_properties.html#Enable_External_DTD_load">Checkstyle documentation</a> for more details.
+     *
+     * @return The property controlling whether to enable the ability to use custom DTD files
+     *
+     * @since 7.6
+     */
+    @Incubating
+    @Optional
+    @Input
+    public Property<Boolean> getEnableExternalDtdLoad() {
+        return enableExternalDtdLoad;
+    }
 }
@@ -15,9 +15,13 @@
  */
 package org.gradle.api.plugins.quality;
 
+import org.gradle.api.Incubating;
 import org.gradle.api.Project;
 import org.gradle.api.file.DirectoryProperty;
+import org.gradle.api.provider.Property;
 import org.gradle.api.resources.TextResource;
+import org.gradle.api.tasks.Input;
+import org.gradle.api.tasks.Optional;
 
 import java.io.File;
 import java.util.LinkedHashMap;
@@ -38,10 +42,12 @@ public class CheckstyleExtension extends CodeQualityExtension {
     private int maxWarnings = Integer.MAX_VALUE;
     private boolean showViolations = true;
     private final DirectoryProperty configDirectory;
+    private final Property<Boolean> enableExternalDtdLoad;
 
     public CheckstyleExtension(Project project) {
         this.project = project;
         this.configDirectory = project.getObjects().directoryProperty();
+        this.enableExternalDtdLoad = project.getObjects().property(Boolean.class);
     }
 
     /**
@@ -166,4 +172,20 @@ public boolean isShowViolations() {
     public void setShowViolations(boolean showViolations) {
         this.showViolations = showViolations;
     }
+
+    /**
+     * Enable the ability to use custom DTD files in config and load them from some location on all checkstyle tasks in this project.
+     * <strong>Disabled by default due to security concerns.</strong>
+     * See <a href="https://checkstyle.org/config_system_properties.html#Enable_External_DTD_load">Checkstyle documentation</a> for more details.
+     *
+     * @return The property controlling whether to enable the ability to use custom DTD files
+     *
+     * @since 7.6
+     */
+    @Incubating
+    @Optional
+    @Input
+    public Property<Boolean> getEnableExternalDtdLoad() {
+        return enableExternalDtdLoad;
+    }
 }
@@ -105,6 +105,7 @@ private void configureTaskConventionMapping(Configuration configuration, Checkst
         taskMapping.map("maxErrors", (Callable<Integer>) () -> extension.getMaxErrors());
         taskMapping.map("maxWarnings", (Callable<Integer>) () -> extension.getMaxWarnings());
         task.getConfigDirectory().convention(extension.getConfigDirectory());
+        task.getEnableExternalDtdLoad().convention(extension.getEnableExternalDtdLoad());
     }
 
     private void configureReportsConventionMapping(Checkstyle task, final String baseName) {

@@ -24,6 +24,10 @@
                 <td>configDirectory</td>
                 <td><literal>project.checkstyle.configDirectory</literal></td>
             </tr>
+            <tr>
+                <td>enableExternalDtdLoad</td>
+                <td>false</td>
+            </tr>
             <tr>
                 <td>ignoreFailures</td>
                 <td><literal>project.checkstyle.ignoreFailures</literal></td>

@@ -32,6 +32,10 @@
                 <td>configProperties</td>
                 <td><literal>[:]</literal></td>
             </tr>
+            <tr>
+                <td>enableExternalDtdLoad</td>
+                <td><literal>false</literal></td>
+            </tr>
             <tr>
                 <td>showViolations</td>
                 <td><literal>true</literal></td>