Bug 577894 - Security Issue -- XXE Attack Applications using XMLMemento are vulnerable to XXE Attack see https://docs.oracle.com/en/java/javase/17/security/java-api-xml-processing-jaxp-security-guide.html Change-Id: I31013372fe98566731410406dcad3044dc6992d9 Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/188792 Reviewed-by: Kalyan Prasad Tatavarthi <kalyan_prasad@in.ibm.com> Tested-by: Platform Bot <platform-bot@eclipse.org> (cherry picked from commit 0e1a84ff99587099d104c0ecd0f35e25fe400d74) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189016 Tested-by: Sarika Sinha <sarika.sinha@in.ibm.com> Reviewed-by: Sarika Sinha <sarika.sinha@in.ibm.com> (cherry picked from commit e74a513e0f0269842ebd5f133efee94e83562d84) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189030 (cherry picked from commit 04989448df32a5698a4a5cd6f26bd1f3b3be613c) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189271 (cherry picked from commit 0909d771ba66b9bdde554a0f1ec2271c63c8b741) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189272 (cherry picked from commit 179c6870178c6ac9f84afffea9480519b70018c4) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189274 (cherry picked from commit 8b551e012dac5497baf51f5eea6cd597ed9aeff7) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189275 (cherry picked from commit d31e90339b098c809d95037851b0066a014173cb) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189276 (cherry picked from commit fc45dd7946ae5adeb4bc613dd354b2aa21e5e5db) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189277 (cherry picked from commit 51cbd97d40cb8a95dd0f92186a75f131b125a382) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189278 (cherry picked from commit c5d33013a9f86762bfe07aea91e277e14bb4f996) Reviewed-on: https://git.eclipse.org/r/c/platform/eclipse.platform.ui/+/189279

commit: 2e7f1c9819bcb256a49edc48d205ddb7502a6a58 [log] [tgz]
author: Sarika Sinha <sarika.sinha@in.ibm.com> Mon Dec 13 23:52:27 2021 +0530
committer: Sarika Sinha <sarika.sinha@in.ibm.com> Wed Jan 05 13:18:25 2022 -0500
tree: c5e919e2ef14d5b93cd13fd2bceeb2c4b4241de5
parent: a85c3ee8362f0536427eb014eaa6f305839ad3f2 [diff]
diff --git a/bundles/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/ui/XMLMemento.java b/bundles/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/ui/XMLMemento.java
index a971f77..9373d3b 100644
--- a/bundles/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/ui/XMLMemento.java
+++ b/bundles/org.eclipse.ui.workbench/Eclipse UI/org/eclipse/ui/XMLMemento.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2000, 2018 IBM Corporation and others.
+ * Copyright (c) 2000, 2021 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -16,6 +16,7 @@
 import java.io.StringWriter;
 import java.io.Writer;
 import java.util.ArrayList;
+import java.util.Arrays;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -49,6 +50,8 @@
 
     private Element element;
 
+	private static String FILE_STRING = "file"; //$NON-NLS-1$
+
     /**
      * Creates a <code>Document</code> from the <code>Reader</code>
      * and returns a memento on the first <code>Element</code> for reading
@@ -65,26 +68,60 @@
         return createReadRoot(reader, null);
     }
 
-    /**
-     * Creates a <code>Document</code> from the <code>Reader</code>
-     * and returns a memento on the first <code>Element</code> for reading
-     * the document.
-     *
-     * @param reader the <code>Reader</code> used to create the memento's document
-     * @param baseDir the directory used to resolve relative file names
-     * 		in the XML document. This directory must exist and include the
-     * 		trailing separator. The directory format, including the separators,
-     * 		must be valid for the platform. Can be <code>null</code> if not
-     * 		needed.
-     * @return a memento on the first <code>Element</code> for reading the document
-     * @throws WorkbenchException if IO problems, invalid format, or no element.
-     */
+	/**
+	 * Clients who need to use the "file" protocol can override this method to
+	 * return the original attribute value
+	 *
+	 * @param attributeOldValue
+	 * @return return the new attribute value after concatenating the "file"
+	 *         protocol restriction if does not exist already
+	 */
+	private static String getAttributeNewValue(Object attributeOldValue) {
+		StringBuffer strNewValue = new StringBuffer(FILE_STRING);
+		if (attributeOldValue instanceof String && ((String) attributeOldValue).length() != 0) {
+			String strOldValue = (String) attributeOldValue;
+			boolean exists = Arrays.asList(strOldValue.split(",")).stream().anyMatch(x -> x.trim().equals(FILE_STRING)); //$NON-NLS-1$
+			if (!exists) {
+				strNewValue.append(", ").append(strOldValue); //$NON-NLS-1$
+			} else {
+				strNewValue = new StringBuffer(strOldValue);
+			}
+		}
+		return strNewValue.toString();
+	}
+
+	/**
+	 * Creates a <code>Document</code> from the <code>Reader</code> and returns a
+	 * memento on the first <code>Element</code> for reading the document.
+	 *
+	 * @param reader  the <code>Reader</code> used to create the memento's document
+	 * @param baseDir the directory used to resolve relative file names in the XML
+	 *                document. This directory must exist and include the trailing
+	 *                separator. The directory format, including the separators,
+	 *                must be valid for the platform. Can be <code>null</code> if
+	 *                not needed.
+	 * @return a memento on the first <code>Element</code> for reading the document
+	 * @throws WorkbenchException if IO problems, invalid format, or no element.
+	 */
 	public static XMLMemento createReadRoot(Reader reader, String baseDir) throws WorkbenchException {
         String errorMessage = null;
-        Exception exception = null;
+		Exception exception = null;
+		DocumentBuilderFactory factory = null;
+		Object attributeDTDOldValue = null;
+		Object attributeSchemaOldValue = null;
+		try {
+			factory = DocumentBuilderFactory.newInstance();
+			try {
+				attributeDTDOldValue = factory.getAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD);
+				attributeSchemaOldValue = factory.getAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA);
+			} catch (NullPointerException | IllegalArgumentException e) {
+				// Attributes not defined
+			}
+			factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD,
+					getAttributeNewValue(attributeDTDOldValue));
+			factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA,
+					getAttributeNewValue(attributeSchemaOldValue));
 
-        try {
-			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
             DocumentBuilder parser = factory.newDocumentBuilder();
             InputSource source = new InputSource(reader);
             if (baseDir != null) {
@@ -131,7 +168,12 @@
         } catch (SAXException e) {
             exception = e;
             errorMessage = WorkbenchMessages.XMLMemento_formatError;
-        }
+		} finally {
+			if (factory != null) {
+				factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD, attributeDTDOldValue);
+				factory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA, attributeSchemaOldValue);
+			}
+		}
 
         String problemText = null;
         if (exception != null) {
commit	2e7f1c9819bcb256a49edc48d205ddb7502a6a58	[log] [tgz]
author	Sarika Sinha <sarika.sinha@in.ibm.com>	Mon Dec 13 23:52:27 2021 +0530
committer	Sarika Sinha <sarika.sinha@in.ibm.com>	Wed Jan 05 13:18:25 2022 -0500
tree	c5e919e2ef14d5b93cd13fd2bceeb2c4b4241de5
parent	a85c3ee8362f0536427eb014eaa6f305839ad3f2 [diff]