authorBalázs Grill2022-08-13 11:11:47 +0000
committerBalazs Grill2022-08-15 04:34:16 +0000
commit241b0f554f2974639c86c86e4b6b7fca78a1a83f (patch)
treeb67da0194ed20e621f33f6af387b08e3e4c91cf0
parent225f12a05ac7480ea261a1496b59224b12d9b7a4 (diff)
downloadorg.eclipse.sphinx-241b0f554f2974639c86c86e4b6b7fca78a1a83f.tar.gz
org.eclipse.sphinx-241b0f554f2974639c86c86e4b6b7fca78a1a83f.tar.xz
org.eclipse.sphinx-241b0f554f2974639c86c86e4b6b7fca78a1a83f.zip
[580542] Disabled external entity processing in DTD
Change-Id: I828a920afcef142fd2890442fdddaff89e868c43 Signed-off-by: Balázs Grill <balazs.grill@incquerylabs.com>
-rw-r--r--plugins/org.eclipse.sphinx.emf/src/org/eclipse/sphinx/emf/resource/ExtendedXMLLoadImpl.java6
-rw-r--r--plugins/org.eclipse.sphinx.platform/src/org/eclipse/sphinx/platform/util/XMLRootElementHandler.java25
2 files changed, 23 insertions, 8 deletions
diff --git a/plugins/org.eclipse.sphinx.emf/src/org/eclipse/sphinx/emf/resource/ExtendedXMLLoadImpl.java b/plugins/org.eclipse.sphinx.emf/src/org/eclipse/sphinx/emf/resource/ExtendedXMLLoadImpl.java
index 16c7ae49..a39c7d58 100644
--- a/plugins/org.eclipse.sphinx.emf/src/org/eclipse/sphinx/emf/resource/ExtendedXMLLoadImpl.java
+++ b/plugins/org.eclipse.sphinx.emf/src/org/eclipse/sphinx/emf/resource/ExtendedXMLLoadImpl.java
@@ -137,6 +137,12 @@ public class ExtendedXMLLoadImpl extends XMLLoadImpl {
Map<String, Object> parserProperties = (Map<String, Object>) options.get(XMLResource.OPTION_PARSER_PROPERTIES);
parserProperties = parserProperties == null ? new HashMap<String, Object>() : parserProperties;
+ // Disable doctypes and external entities to prevent XML Entity attacks
+ parserFeatures.put(Constants.XERCES_FEATURE_PREFIX + Constants.DISALLOW_DOCTYPE_DECL_FEATURE, true);
+ parserFeatures.put(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
+ parserFeatures.put(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
+ parserFeatures.put(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
+
// Perform namespace processing (prefixes will be stripped off element and attribute names and replaced with the
// corresponding namespace URIs) but do not report attributes used for namespace declarations, and do not report
// original prefixed names
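Review bot: The two Xerces-prefixed features added here (disallow-doctype-decl and load-external-dtd) go into parserFeatures with no guard for a non-Xerces SAX implementation, unlike the XMLRootElementHandler change in the same commit, so a parser that does not recognise those URIs will fail with SAXNotRecognizedException when the features are applied; whether that surfaces as a load error depends on where parserFeatures is consumed, which is outside this hunk (the map is also defined before the visible lines). Setting disallow-doctype-decl to true is also stronger than the commit title states: every document carrying a DOCTYPE is rejected, including one with only an internal subset and no external entities, so resources that previously loaded will now fail to parse. Both consequences are worth stating on the added comment, e.g. `// Disallow DOCTYPE entirely (not only external entities): any document with a <!DOCTYPE> is rejected.` and `// The apache.org feature URIs are Xerces-specific; other SAX implementations may not recognise them.`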
diff --git a/plugins/org.eclipse.sphinx.platform/src/org/eclipse/sphinx/platform/util/XMLRootElementHandler.java b/plugins/org.eclipse.sphinx.platform/src/org/eclipse/sphinx/platform/util/XMLRootElementHandler.java
index af96a8e5..a17fc3f4 100644
--- a/plugins/org.eclipse.sphinx.platform/src/org/eclipse/sphinx/platform/util/XMLRootElementHandler.java
+++ b/plugins/org.eclipse.sphinx.platform/src/org/eclipse/sphinx/platform/util/XMLRootElementHandler.java
@@ -1,15 +1,15 @@
/**
* <copyright>
- *
+ *
* Copyright (c) 2008-2010 See4sys and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
- * Contributors:
+ *
+ * Contributors:
* See4sys - Initial API and implementation
- *
+ *
* </copyright>
*/
package org.eclipse.sphinx.platform.util;
@@ -38,7 +38,7 @@ import org.xml.sax.helpers.DefaultHandler;
* An XML event handler for detecting the root element's namespace, target namespace, and schema location.
*/
/**
- *
+ *
*/
public class XMLRootElementHandler extends DefaultHandler implements LexicalHandler {
@@ -83,6 +83,15 @@ public class XMLRootElementHandler extends DefaultHandler implements LexicalHand
parserFactory.setNamespaceAware(true);
parserFactory.setValidating(false);
parserFactory.setXIncludeAware(false);
+ try {
+ parserFactory.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.DISALLOW_DOCTYPE_DECL_FEATURE, true);
+ parserFactory.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ // These exceptions are expected if Xerces is not used as the underlying parser.
+ }
+ parserFactory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
+ parserFactory.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
+
}
SAXParser parser = createParser(parserFactory);
if (useLexicalHandler) {
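Review bot: The empty catch around the two Xerces-specific setFeature calls silently drops the DOCTYPE and external-DTD hardening whenever the factory is not Xerces, and it also swallows SAXNotSupportedException, which is the case where the parser recognises the feature but refuses the requested value — the exception variable should at least be named `ignored` with the comment kept, or better the failure logged, so a partially hardened parser configuration is visible rather than indistinguishable from success. The asymmetry with the two SAX-standard features set after the try block is unexplained: those are left unguarded, so a parser that does not recognise them fails loudly while the Xerces ones fail silently; a one-line comment such as `// SAX-standard feature names: expected to be recognised by every implementation, so a failure here should propagate.` would make the intent clear. The added blank line before the closing brace of the if block looks stray. The enclosing method starts before this hunk.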
@@ -91,8 +100,8 @@ public class XMLRootElementHandler extends DefaultHandler implements LexicalHand
return parser;
}
- protected SAXParser createParser(SAXParserFactory parserFactory) throws ParserConfigurationException, SAXException, SAXNotRecognizedException,
- SAXNotSupportedException {
+ protected SAXParser createParser(SAXParserFactory parserFactory)
+ throws ParserConfigurationException, SAXException, SAXNotRecognizedException, SAXNotSupportedException {
return parserFactory.newSAXParser();
}
@@ -264,7 +273,7 @@ public class XMLRootElementHandler extends DefaultHandler implements LexicalHand
/**
* Retrieves all comments located before the root element of the document.
- *
+ *
* @return Collection of strings representing the retrieved comments or empty collection if no such could be found.
*/
public Collection<String> getRootElementComments() {
