Bug 577894 - Security Issue -- XXE AttackR4_14_maintenance

Applications using XMLMemento are vulnerable to XXE Attack see https://docs.oracle.com/en/java/javase/17/security/java-api-xml-processing-jaxp-security-guide.html Change-Id: I3f413123158ce2ff76ff250f84fe338520d0882e Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.debug/+/187978 Reviewed-by: Kalyan Prasad Tatavarthi <kalyan_prasad@in.ibm.com> Tested-by: Platform Bot <platform-bot@eclipse.org> (cherry picked from commit e81a54a076c159432d2e8b1c661d94a805516849) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.debug/+/188349 Tested-by: Sarika Sinha <sarika.sinha@in.ibm.com> Reviewed-by: Sarika Sinha <sarika.sinha@in.ibm.com> (cherry picked from commit cf16caed3bd6bdc33e967806b682385b2a747cae) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.debug/+/188350
author: Sarika Sinha 2021-11-22 13:04:49 +0000
committer: Sarika Sinha 2022-01-05 04:47:18 +0000
commit: 0656a997f4caf463d6c485f54dcc468c271a36b2 (patch)
tree: 164d95057b66ca124abccf70ae0eb31df41772db
parent: c833b4aec5c25b2c943e6cc523bde65a8eaf301b (diff)
download: eclipse.platform.debug-R4_14_maintenance.tar.gz
eclipse.platform.debug-R4_14_maintenance.tar.xz
eclipse.platform.debug-R4_14_maintenance.zip
1 files changed, 43 insertions, 4 deletions
diff --git a/org.eclipse.debug.core/core/org/eclipse/debug/internal/core/XMLMemento.java b/org.eclipse.debug.core/core/org/eclipse/debug/internal/core/XMLMemento.java
index d8b6fe817..55ad375a5 100644
--- a/org.eclipse.debug.core/core/org/eclipse/debug/internal/core/XMLMemento.java
+++ b/org.eclipse.debug.core/core/org/eclipse/debug/internal/core/XMLMemento.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2000, 2018 IBM Corporation and others.
+ * Copyright (c) 2000, 2021 IBM Corporation and others.
  *
  * This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
@@ -19,6 +19,7 @@ import java.io.PrintWriter;
 import java.io.Reader;
 import java.io.Writer;
 import java.util.ArrayList;
+import java.util.Arrays;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -43,6 +44,8 @@ public final class XMLMemento {
 
 	private Element element;
 
+	private static String FILE_STRING = "file"; //$NON-NLS-1$
+
 	/**
 	 * Creates a <code>Document</code> from the <code>Reader</code>
 	 * and returns a memento on the first <code>Element</code> for reading
@@ -61,6 +64,27 @@ public final class XMLMemento {
 	}
 
 	/**
+	 * Clients who need to use the "file" protocol can override this method to
+	 * return the original attribute value
+	 *
+	 * @param attributeOldValue
+	 * @return return the new attribute value after concatenating the "file"
+	 *         protocol restriction if does not exist already
+	 */
+	private static String getAttributeNewValue(Object attributeOldValue) {
+		StringBuffer strNewValue = new StringBuffer(FILE_STRING);
+		if (attributeOldValue instanceof String && ((String) attributeOldValue).length() != 0) {
+			String strOldValue = (String) attributeOldValue;
+			boolean exists = Arrays.asList(strOldValue.split(",")).stream().anyMatch(x -> x.trim().equals(FILE_STRING)); //$NON-NLS-1$
+			if (!exists) {
+				strNewValue.append(", ").append(strOldValue); //$NON-NLS-1$
+			} else {
+				strNewValue = new StringBuffer(strOldValue);
+			}
+		}
+		return strNewValue.toString();
+	}
+	/**
 	 * Creates a <code>Document</code> from the <code>Reader</code>
 	 * and returns a memento on the first <code>Element</code> for reading
 	 * the document.
@@ -78,10 +102,20 @@ public final class XMLMemento {
 			throws Exception {
 		String errorMessage = null;
 		Exception exception = null;
-
+		DocumentBuilderFactory factory = null;
+		Object attributeDTDOldValue = null;
+		Object attributeSchemaOldValue = null;
 		try {
-			DocumentBuilderFactory factory = DocumentBuilderFactory
-					.newInstance();
+			factory = DocumentBuilderFactory.newInstance();
+			try {
+				attributeDTDOldValue = factory.getAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD);
+				attributeSchemaOldValue = factory.getAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA);
+			} catch (NullPointerException | IllegalArgumentException e) {
+				// Attributes not defined
+			}
+			factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD, getAttributeNewValue(attributeDTDOldValue));
+			factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA, getAttributeNewValue(attributeSchemaOldValue));
+
 			DocumentBuilder parser = factory.newDocumentBuilder();
 			InputSource source = new InputSource(reader);
 			if (baseDir != null) {
@@ -104,6 +138,11 @@ public final class XMLMemento {
 		} catch (SAXException e) {
 			exception = e;
 			// errorMessage = WorkbenchMessages.XMLMemento_formatError;
+		} finally {
+			if (factory != null) {
+				factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD, attributeDTDOldValue);
+				factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA, attributeSchemaOldValue);
+			}
 		}
 
 		String problemText = null;
author	Sarika Sinha	2021-11-22 13:04:49 +0000
committer	Sarika Sinha	2022-01-05 04:47:18 +0000
commit	0656a997f4caf463d6c485f54dcc468c271a36b2 (patch)
tree	164d95057b66ca124abccf70ae0eb31df41772db
parent	c833b4aec5c25b2c943e6cc523bde65a8eaf301b (diff)
download	eclipse.platform.debug-R4_14_maintenance.tar.gz eclipse.platform.debug-R4_14_maintenance.tar.xz eclipse.platform.debug-R4_14_maintenance.zip