Fix namespace handling in Maven and Metadata readers

arturobernalg · arturobernalg · commit c5bbb38a66ae · 2025-09-28T21:18:59.000+02:00
Accept POM 4.1.0 and METADATA 1.1.0 plus no-namespace, reject others
Add JUnit tests for valid and invalid namespaces
diff --git a/impl/maven-support/src/test/java/org/apache/maven/model/v4/MavenStaxReaderNamespaceTest.java b/impl/maven-support/src/test/java/org/apache/maven/model/v4/MavenStaxReaderNamespaceTest.java
@@ -0,0 +1,110 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.maven.model.v4;
+
+import javax.xml.stream.XMLStreamException;
+
+import java.io.StringReader;
+
+import org.apache.maven.api.model.InputSource;
+import org.apache.maven.api.model.Model;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class MavenStaxReaderNamespaceTest {
+
+    private static final InputSource NO_INPUT_SOURCE = null;
+
+    private static final String POM_41 = ""
+            + "<project xmlns=\"http://maven.apache.org/POM/4.1.0\" "
+            + "         xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+            + "  <modelVersion>4.1.0</modelVersion>"
+            + "  <groupId>com.acme</groupId>"
+            + "  <artifactId>demo</artifactId>"
+            + "  <version>1.0</version>"
+            + "</project>";
+
+    private static final String POM_40 = ""
+            + "<project xmlns=\"http://maven.apache.org/POM/4.0.0\" "
+            + "         xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+            + "  <modelVersion>4.0.0</modelVersion>"
+            + "  <groupId>com.acme</groupId>"
+            + "  <artifactId>demo</artifactId>"
+            + "  <version>1.0</version>"
+            + "</project>";
+
+    private static final String POM_NO_NS = ""
+            + "<project>"
+            + "  <modelVersion>4.0.0</modelVersion>"
+            + "  <groupId>com.acme</groupId>"
+            + "  <artifactId>demo</artifactId>"
+            + "  <version>1.0</version>"
+            + "</project>";
+
+    private static final String POM_BAD_NS = ""
+            + "<project xmlns=\"http://example.com/not/pom\">"
+            + "  <modelVersion>4.1.0</modelVersion>"
+            + "  <groupId>com.acme</groupId>"
+            + "  <artifactId>demo</artifactId>"
+            + "  <version>1.0</version>"
+            + "</project>";
+
+    @Test
+    void acceptsPom41() throws Exception {
+        MavenStaxReader reader = new MavenStaxReader();
+        Model model = reader.read(new StringReader(POM_41), /*strict*/ true, NO_INPUT_SOURCE);
+        assertNotNull(model);
+        assertEquals("com.acme", model.getGroupId());
+        assertEquals("demo", model.getArtifactId());
+        assertEquals("1.0", model.getVersion());
+    }
+
+    @Test
+    void acceptsPom40() throws Exception {
+        MavenStaxReader reader = new MavenStaxReader();
+        Model model = reader.read(new StringReader(POM_40), true, NO_INPUT_SOURCE);
+        assertNotNull(model);
+        assertEquals("com.acme", model.getGroupId());
+        assertEquals("demo", model.getArtifactId());
+        assertEquals("1.0", model.getVersion());
+    }
+
+    @Test
+    void acceptsPomWithoutNamespace() throws Exception {
+        MavenStaxReader reader = new MavenStaxReader();
+        Model model = reader.read(new StringReader(POM_NO_NS), true, NO_INPUT_SOURCE);
+        assertNotNull(model);
+        assertEquals("com.acme", model.getGroupId());
+        assertEquals("demo", model.getArtifactId());
+        assertEquals("1.0", model.getVersion());
+    }
+
+    @Test
+    void rejectsUnexpectedPomNamespace() {
+        MavenStaxReader reader = new MavenStaxReader();
+        XMLStreamException ex = assertThrows(
+                XMLStreamException.class, () -> reader.read(new StringReader(POM_BAD_NS), true, NO_INPUT_SOURCE));
+        // sanity check: message mentions unrecognized namespace
+        assertTrue(ex.getMessage().toLowerCase().contains("unrecognized pom namespace"));
+    }
+}
diff --git a/impl/maven-support/src/test/java/org/apache/maven/model/v4/MetadataStaxReaderNamespaceTest.java b/impl/maven-support/src/test/java/org/apache/maven/model/v4/MetadataStaxReaderNamespaceTest.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.maven.model.v4;
+
+import javax.xml.stream.XMLStreamException;
+
+import java.io.StringReader;
+
+import org.apache.maven.api.metadata.Metadata;
+import org.apache.maven.metadata.v4.MetadataStaxReader;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class MetadataStaxReaderNamespaceTest {
+
+    private static final String META_110 = ""
+            + "<metadata xmlns=\"http://maven.apache.org/METADATA/1.1.0\">"
+            + "  <groupId>com.acme</groupId>"
+            + "  <artifactId>demo</artifactId>"
+            + "  <versioning>"
+            + "    <latest>1.0</latest>"
+            + "    <release>1.0</release>"
+            + "  </versioning>"
+            + "</metadata>";
+
+    private static final String META_NO_NS = ""
+            + "<metadata>"
+            + "  <groupId>com.acme</groupId>"
+            + "  <artifactId>demo</artifactId>"
+            + "  <versioning>"
+            + "    <latest>1.0</latest>"
+            + "  </versioning>"
+            + "</metadata>";
+
+    private static final String META_BAD_NS = ""
+            + "<metadata xmlns=\"http://example.com/not/metadata\">"
+            + "  <groupId>com.acme</groupId>"
+            + "  <artifactId>demo</artifactId>"
+            + "</metadata>";
+
+    @Test
+    void acceptsMetadata110() throws Exception {
+        MetadataStaxReader reader = new MetadataStaxReader();
+        Metadata md = reader.read(new StringReader(META_110), /*strict*/ true);
+        assertNotNull(md);
+        assertEquals("com.acme", md.getGroupId());
+        assertEquals("demo", md.getArtifactId());
+        assertNotNull(md.getVersioning());
+        assertEquals("1.0", md.getVersioning().getLatest());
+    }
+
+    @Test
+    void acceptsMetadataWithoutNamespace() throws Exception {
+        MetadataStaxReader reader = new MetadataStaxReader();
+        Metadata md = reader.read(new StringReader(META_NO_NS), true);
+        assertNotNull(md);
+        assertEquals("com.acme", md.getGroupId());
+        assertEquals("demo", md.getArtifactId());
+    }
+
+    @Test
+    void rejectsUnexpectedMetadataNamespace() {
+        MetadataStaxReader reader = new MetadataStaxReader();
+        XMLStreamException ex =
+                assertThrows(XMLStreamException.class, () -> reader.read(new StringReader(META_BAD_NS), true));
+        assertTrue(ex.getMessage().toLowerCase().contains("unrecognized metadata namespace"));
+    }
+}
diff --git a/src/mdo/reader-stax.vm b/src/mdo/reader-stax.vm
@@ -246,51 +246,76 @@ public class ${className} {
 #end
     } //-- ${root.name} read(InputStream, boolean)
 
-    /**
-     * Method read.
-     *
-     * @param parser a parser object.
-     * @param strict a strict object.
-     * @throws XMLStreamException XMLStreamException if
-     * any.
-     * @return ${root.name}
-     */
+/**
+* Method read.
+*
+* @param parser a parser object.
+* @param strict a strict object.
+* @throws XMLStreamException XMLStreamException if any.
+* @return ${root.name}
+*/
 #if ( $locationTracking )
-    public ${root.name} read(XMLStreamReader parser, boolean strict, InputSource inputSrc) throws XMLStreamException {
+public ${root.name} read(XMLStreamReader parser, boolean strict, InputSource inputSrc) throws XMLStreamException {
 #else
-    public ${root.name} read(XMLStreamReader parser, boolean strict) throws XMLStreamException {
+public ${root.name} read(XMLStreamReader parser, boolean strict) throws XMLStreamException {
 #end
 #if ( $needXmlContext )
-        Deque<Object> context = new ArrayDeque<>();
+Deque<Object> context = new ArrayDeque<>();
 #end
-        $rootUcapName $rootLcapName = null;
-        int eventType = parser.getEventType();
-        boolean parsed = false;
-        while (eventType != XMLStreamReader.END_DOCUMENT) {
-            if (eventType == XMLStreamReader.START_ELEMENT) {
-                if (strict && ! "${rootTag}".equals(parser.getLocalName())) {
-                    throw new XMLStreamException("Expected root element '${rootTag}' but found '" + parser.getName() + "'", parser.getLocation(), null);
-                } else if (parsed) {
-                    // fallback, already expected a XMLStreamException due to invalid XML
-                    throw new XMLStreamException("Duplicated tag: '${rootTag}'", parser.getLocation(), null);
-                }
+$rootUcapName $rootLcapName = null;
+    int eventType = parser.getEventType();
+    boolean parsed = false;
+    while (eventType != XMLStreamReader.END_DOCUMENT) {
+    if (eventType == XMLStreamReader.START_ELEMENT) {
+    if (strict && ! "${rootTag}".equals(parser.getLocalName())) {
+    throw new XMLStreamException("Expected root element '${rootTag}' but found '" + parser.getName() + "'", parser.getLocation(), null);
+    } else if (parsed) {
+    throw new XMLStreamException("Duplicated tag: '${rootTag}'", parser.getLocation(), null);
+    }
+
+    // Enforce root namespace per model (strict mode).
+    String rootNs = parser.getNamespaceURI();
+    boolean hasNs = rootNs != null && !rootNs.isEmpty();
+    if (strict && hasNs) {
+    if ("project".equals("${rootTag}")) {
+    // Accept any official POM namespace version (e.g., 4.0.0, 4.1.0)
+    if (!rootNs.startsWith("http://maven.apache.org/POM/")) {
+    throw new XMLStreamException(
+    "Unrecognized POM namespace '" + rootNs
+    + "'. Expected something like 'http://maven.apache.org/POM/4.x.y' or no namespace.",
+    parser.getLocation(), null);
+    }
+    } else if ("metadata".equals("${rootTag}")) {
+    // Accept official METADATA namespaces (e.g., 1.1.0)
+    if (!rootNs.startsWith("http://maven.apache.org/METADATA/")) {
+    throw new XMLStreamException(
+    "Unrecognized METADATA namespace '" + rootNs
+    + "'. Expected something like 'http://maven.apache.org/METADATA/1.x.y' or no namespace.",
+    parser.getLocation(), null);
+    }
+    } else {
+    // Other models: do not enforce at root level.
+    }
+    }
+
 #if ( $locationTracking )
-                $rootLcapName = parse${rootUcapName}(parser, strict, parser.getNamespaceURI(), inputSrc);
+    $rootLcapName = parse${rootUcapName}(parser, strict, rootNs, inputSrc);
 #elseif ( $needXmlContext )
-                $rootLcapName = parse${rootUcapName}(parser, strict, parser.getNamespaceURI(), context);
+    $rootLcapName = parse${rootUcapName}(parser, strict, rootNs, context);
 #else
-                $rootLcapName = parse${rootUcapName}(parser, strict, parser.getNamespaceURI());
+    $rootLcapName = parse${rootUcapName}(parser, strict, rootNs);
 #end
-                parsed = true;
-            }
-            eventType = parser.next();
-        }
-        if (parsed) {
-            return $rootLcapName;
-        }
-            throw new XMLStreamException("Expected root element '${rootTag}' but found no element at all: invalid XML document", parser.getLocation(), null);
+    parsed = true;
+    }
+    eventType = parser.next();
+    }
+    if (parsed) {
+    return $rootLcapName;
+    }
+    throw new XMLStreamException("Expected root element '${rootTag}' but found no element at all: invalid XML document", parser.getLocation(), null);
     } //-- ${root.name} read(XMLStreamReader, boolean)
 
+
 #foreach ( $class in $model.allClasses )
  #if ( $class.name != "InputSource" && $class.name != "InputLocation" )
   #set ( $classUcapName = $Helper.capitalise( $class.name ) )
