Refactor XML processing

eclipse-equinox · Aug 14, 2023 · 7699a79 · 7699a79
1 parent 1a82175
commit 7699a79
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 8 deletions.
diff --git a/...lipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java b/...lipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2017 Manumitting Technologies Inc and others.
+ * Copyright (c) 2017, 2023 Manumitting Technologies Inc and others.
  *
  * This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
@@ -15,6 +15,7 @@
 
 import javax.xml.XMLConstants;
 import javax.xml.parsers.*;
+import javax.xml.transform.TransformerFactory;
 import org.xml.sax.*;
 
 /**
@@ -31,6 +32,9 @@ public class SecureXMLUtil {
  public static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ // completely disable external entities declarations:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
  return factory;
  }
 
@@ -44,6 +48,10 @@ public static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws Pa
  public static SAXParserFactory newSecureSAXParserFactory() throws SAXNotRecognizedException, SAXNotSupportedException, ParserConfigurationException {
  SAXParserFactory factory = SAXParserFactory.newInstance();
  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ // ignore DOCTYPE:
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$
  return factory;
  }
 
@@ -58,4 +66,18 @@ public static XMLReader newSecureXMLReader() throws SAXException, ParserConfigur
  factory.setNamespaceAware(true);
  return factory.newSAXParser().getXMLReader();
  }
+
+ /**
+ * Creates TransformerFactory which throws TransformerException when detecting
+ * external entities.
+ *
+ * @return javax.xml.transform.TransformerFactory
+ */
+ public static TransformerFactory createTransformerFactoryWithErrorOnDOCTYPE() {
+ TransformerFactory factory = TransformerFactory.newInstance();
+ // prohibit the use of all protocols by external entities:
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); //$NON-NLS-1$
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); //$NON-NLS-1$
+ return factory;
+ }
 }
diff --git a/...lisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/InfoPListEditor.java b/...lisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/InfoPListEditor.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2015, 2017 Rapicorp, Inc and others.
+ * Copyright (c) 2015, 2023 Rapicorp, Inc and others.
  *
  * This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
@@ -22,6 +22,7 @@
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.xpath.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.w3c.dom.*;
 import org.xml.sax.SAXException;
 
@@ -61,18 +62,14 @@ public static InfoPListEditor loadPListEditor(File file) throws IOException {
  factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$
  builder = factory.newDocumentBuilder();
  return new InfoPListEditor(builder.parse(file));
- } catch (ParserConfigurationException e) {
- exception = e;
- } catch (SAXException e) {
- exception = e;
- } catch (IOException e) {
+ } catch (ParserConfigurationException | SAXException | IOException e) {
  exception = e;
  }
  throw new IOException("Problem parsing " + file.getAbsolutePath(), exception); //$NON-NLS-1$
  }
 
  public void save(File file) throws TransformerException {
- final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ final TransformerFactory transformerFactory = SecureXMLUtil.createTransformerFactoryWithErrorOnDOCTYPE();
  final Transformer transformer = transformerFactory.newTransformer();
  final DOMSource toSerialize = new DOMSource(document);