Merge pull request from GHSA-q6xr-9x9x-g7w2

Co-authored-by: Jörg Kubitz <[email protected]>

org.eclipse.jdt.junit.core/src/org/eclipse/jdt/internal/junit/model/JUnitModel.java

@@ -33,7 +33,6 @@
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.sax.SAXSource;
 import javax.xml.transform.stream.StreamResult;
@@ -66,6 +65,7 @@
 import org.eclipse.jdt.internal.junit.Messages;
 import org.eclipse.jdt.internal.junit.launcher.JUnitLaunchConfigurationConstants;
 import org.eclipse.jdt.internal.junit.model.TestElement.Status;
+import org.eclipse.jdt.internal.junit.util.XmlProcessorFactoryJdtJunit;
 
 /**
  * Central registry for JUnit test runs.
@@ -385,7 +385,7 @@ public void addTestRunSession(TestRunSession testRunSession) {
 	 */
 	public static TestRunSession importTestRunSession(File file) throws CoreException {
 		try {
-			SAXParserFactory parserFactory= SAXParserFactory.newInstance();
+			SAXParserFactory parserFactory= XmlProcessorFactoryJdtJunit.createSAXFactoryWithErrorOnDOCTYPE();
 //			parserFactory.setValidating(true); // TODO: add DTD and debug flag
 			SAXParser parser= parserFactory.newSAXParser();
 			TestRunHandler handler= new TestRunHandler();
@@ -426,7 +426,7 @@ public static TestRunSession importTestRunSession(String url, IProgressMonitor m
 			@Override
 			public void run() {
 				try {
-					SAXParserFactory parserFactory= SAXParserFactory.newInstance();
+					SAXParserFactory parserFactory= XmlProcessorFactoryJdtJunit.createSAXFactoryWithErrorOnDOCTYPE();
 //					parserFactory.setValidating(true); // TODO: add DTD and debug flag
 					SAXParser parser= parserFactory.newSAXParser();
 					parser.parse(trimmedUrl, handler);
@@ -472,7 +472,7 @@ private void storeImportError(Exception e) {
 
 	public static void importIntoTestRunSession(File swapFile, TestRunSession testRunSession) throws CoreException {
 		try {
-			SAXParserFactory parserFactory= SAXParserFactory.newInstance();
+			SAXParserFactory parserFactory= XmlProcessorFactoryJdtJunit.createSAXFactoryWithErrorOnDOCTYPE();
 //			parserFactory.setValidating(true); // TODO: add DTD and debug flag
 			SAXParser parser= parserFactory.newSAXParser();
 			TestRunHandler handler= new TestRunHandler(testRunSession);
@@ -507,7 +507,7 @@ public static void exportTestRunSession(TestRunSession testRunSession, File file
 	public static void exportTestRunSession(TestRunSession testRunSession, OutputStream out)
 			throws TransformerFactoryConfigurationError, TransformerException {
 
-		Transformer transformer= TransformerFactory.newInstance().newTransformer();
+		Transformer transformer= XmlProcessorFactoryJdtJunit.createTransformerFactoryWithErrorOnDOCTYPE().newTransformer();
 		InputSource inputSource= new InputSource();
 		SAXSource source= new SAXSource(new TestRunSessionSerializer(testRunSession), inputSource);
 		StreamResult result= new StreamResult(out);

org.eclipse.jdt.junit.core/src/org/eclipse/jdt/internal/junit/util/XmlProcessorFactoryJdtJunit.java

@@ -0,0 +1,166 @@
+/*******************************************************************************
+ *  Copyright (c) 2023 Joerg Kubitz and others.
+ *
+ *  This program and the accompanying materials
+ *  are made available under the terms of the Eclipse Public License 2.0
+ *  which accompanies this distribution, and is available at
+ *  https://www.eclipse.org/legal/epl-2.0/
+ *
+ *  SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package org.eclipse.jdt.internal.junit.util;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.TransformerFactory;
+
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+
+/**
+ * XML processing which prohibits external entities.
+ *
+ * @see <a href="https://rules.sonarsource.com/java/RSPEC-2755/">RSPEC-2755</a>
+ */
+public class XmlProcessorFactoryJdtJunit {
+	private XmlProcessorFactoryJdtJunit() {
+		// static Utility only
+	}
+
+	private static final DocumentBuilderFactory DOCUMENT_BUILDER_FACTORY_ERROR_ON_DOCTYPE = createDocumentBuilderFactoryWithErrorOnDOCTYPE();
+	private static final SAXParserFactory SAX_FACTORY_ERROR_ON_DOCTYPE = createSAXFactoryWithErrorOnDOCTYPE(false);
+	private static final SAXParserFactory SAX_FACTORY_ERROR_ON_DOCTYPE_NS = createSAXFactoryWithErrorOnDOCTYPE(true);
+	private static final SAXParserFactory SAX_FACTORY_IGNORING_DOCTYPE = createSAXFactoryIgnoringDOCTYPE();
+
+	/**
+	 * Creates TransformerFactory which throws TransformerException when
+	 * detecting external entities.
+	 *
+	 * @return javax.xml.transform.TransformerFactory
+	 */
+	public static TransformerFactory createTransformerFactoryWithErrorOnDOCTYPE() {
+		TransformerFactory factory = TransformerFactory.newInstance();
+		// prohibit the use of all protocols by external entities:
+		factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); //$NON-NLS-1$
+		factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); //$NON-NLS-1$
+		return factory;
+	}
+
+	/**
+	 * Creates DocumentBuilderFactory which throws SAXParseException when
+	 * detecting external entities. It's magnitudes faster to call
+	 * {@link #createDocumentBuilderWithErrorOnDOCTYPE()}.
+	 *
+	 * @return javax.xml.parsers.DocumentBuilderFactory
+	 */
+	public static synchronized DocumentBuilderFactory createDocumentBuilderFactoryWithErrorOnDOCTYPE() {
+		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		// completely disable DOCTYPE declaration:
+		try {
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //$NON-NLS-1$
+		} catch (ParserConfigurationException e) {
+			throw new RuntimeException(e.getMessage(), e);
+		}
+		return factory;
+	}
+
+	/**
+	 * Creates DocumentBuilder which throws SAXParseException when detecting
+	 * external entities. The builder is not thread safe.
+	 *
+	 * @return javax.xml.parsers.DocumentBuilder
+	 * @throws ParserConfigurationException
+	 */
+	public static DocumentBuilder createDocumentBuilderWithErrorOnDOCTYPE() throws ParserConfigurationException {
+		return DOCUMENT_BUILDER_FACTORY_ERROR_ON_DOCTYPE.newDocumentBuilder();
+	}
+
+	/**
+	 * Creates DocumentBuilderFactory which throws SAXParseException when
+	 * detecting external entities.
+	 *
+	 * @return javax.xml.parsers.DocumentBuilderFactory
+	 */
+	public static SAXParserFactory createSAXFactoryWithErrorOnDOCTYPE() {
+		SAXParserFactory f = SAXParserFactory.newInstance();
+		try {
+			// force org.xml.sax.SAXParseException for any DOCTYPE:
+			f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //$NON-NLS-1$
+		} catch (Exception e) {
+			throw new RuntimeException(e);
+		}
+		return f;
+	}
+
+	private static synchronized SAXParserFactory createSAXFactoryWithErrorOnDOCTYPE(boolean awareness) {
+		SAXParserFactory f = SAXParserFactory.newInstance();
+		f.setNamespaceAware(awareness);
+		try {
+			// force org.xml.sax.SAXParseException for any DOCTYPE:
+			f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //$NON-NLS-1$
+		} catch (Exception e) {
+			throw new RuntimeException(e);
+		}
+		return f;
+	}
+
+	private static synchronized SAXParserFactory createSAXFactoryIgnoringDOCTYPE() {
+		SAXParserFactory f = SAXParserFactory.newInstance();
+		try {
+			// ignore DOCTYPE:
+			f.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+			f.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
+			f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$
+		} catch (Exception e) {
+			throw new RuntimeException(e);
+		}
+		return f;
+	}
+
+	/**
+	 * Creates SAXParser which throws SAXParseException when detecting external
+	 * entities.
+	 *
+	 * @return javax.xml.parsers.SAXParser
+	 */
+
+	public static SAXParser createSAXParserWithErrorOnDOCTYPE() throws ParserConfigurationException, SAXException {
+		return createSAXParserWithErrorOnDOCTYPE(false);
+	}
+
+	/**
+	 * Creates SAXParser which throws SAXParseException when detecting external
+	 * entities.
+	 *
+	 * @param namespaceAware
+	 *            parameter for SAXParserFactory
+	 *
+	 * @return javax.xml.parsers.SAXParser
+	 */
+	public static SAXParser createSAXParserWithErrorOnDOCTYPE(boolean namespaceAware)
+			throws ParserConfigurationException, SAXException {
+		if (namespaceAware) {
+			return SAX_FACTORY_ERROR_ON_DOCTYPE_NS.newSAXParser();
+		}
+		return SAX_FACTORY_ERROR_ON_DOCTYPE.newSAXParser();
+	}
+
+	/**
+	 * Creates SAXParser which does not throw Exception when detecting external
+	 * entities but ignores them.
+	 *
+	 * @return javax.xml.parsers.SAXParser
+	 */
+	public static SAXParser createSAXParserIgnoringDOCTYPE()
+			throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException, SAXException {
+		SAXParser parser = SAX_FACTORY_IGNORING_DOCTYPE.newSAXParser();
+		parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); //$NON-NLS-1$
+		parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); //$NON-NLS-1$
+		return parser;
+	}
+}

org.eclipse.jdt.ui.tests/ui/org/eclipse/jdt/ui/tests/jarexport/FatJarExportTests.java

@@ -34,7 +34,6 @@
 import java.util.zip.ZipFile;
 
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 
 import org.junit.After;
 import org.junit.Before;
@@ -81,6 +80,7 @@
 import org.eclipse.jdt.core.JavaCore;
 
 import org.eclipse.jdt.internal.corext.util.JavaModelUtil;
+import org.eclipse.jdt.internal.junit.util.XmlProcessorFactoryJdtJunit;
 
 import org.eclipse.jdt.launching.IJavaLaunchConfigurationConstants;
 import org.eclipse.jdt.launching.IVMInstall;
@@ -673,7 +673,7 @@ private static void assertAntScriptExtract(String archiveName, IPath antScriptLo
 	 */
 	private static Element readXML(IPath xmlFilePath) throws Exception {
 		try (InputStream in = new FileInputStream(xmlFilePath.toFile())) {
-			DocumentBuilder parser= DocumentBuilderFactory.newInstance().newDocumentBuilder();
+			DocumentBuilder parser= XmlProcessorFactoryJdtJunit.createDocumentBuilderFactoryWithErrorOnDOCTYPE().newDocumentBuilder();
 			parser.setErrorHandler(new DefaultHandler());
 			Element root= parser.parse(new InputSource(in)).getDocumentElement();
 			in.close();

org.eclipse.jdt.ui/core extension/org/eclipse/jdt/internal/corext/template/java/TemplateSet.java

@@ -28,7 +28,6 @@
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
@@ -52,6 +51,8 @@
 import org.eclipse.jface.text.templates.TemplateContextType;
 import org.eclipse.jface.text.templates.TemplateException;
 
+import org.eclipse.jdt.internal.ui.util.XmlProcessorFactoryJdtUi;
+
 /**
  * <code>TemplateSet</code> manages a collection of templates and makes them
  * persistent.
@@ -108,7 +109,7 @@ public String getTemplateTag() {
 	 */
 	public void addFromStream(InputStream stream, boolean allowDuplicates) throws CoreException {
 		try {
-			DocumentBuilderFactory factory= DocumentBuilderFactory.newInstance();
+			DocumentBuilderFactory factory= XmlProcessorFactoryJdtUi.createDocumentBuilderFactoryWithErrorOnDOCTYPE();
 			DocumentBuilder parser= factory.newDocumentBuilder();
 			parser.setErrorHandler(new DefaultHandler());
 			Document document= parser.parse(new InputSource(stream));
@@ -205,7 +206,7 @@ public void saveToFile(File file) throws CoreException {
 	 */
 	public void saveToStream(OutputStream stream) throws CoreException {
 		try {
-			DocumentBuilderFactory factory= DocumentBuilderFactory.newInstance();
+			DocumentBuilderFactory factory= XmlProcessorFactoryJdtUi.createDocumentBuilderFactoryWithErrorOnDOCTYPE();
 			DocumentBuilder builder= factory.newDocumentBuilder();
 			Document document= builder.newDocument();
 
@@ -235,7 +236,7 @@ public void saveToStream(OutputStream stream) throws CoreException {
 			}
 
 
-			Transformer transformer=TransformerFactory.newInstance().newTransformer();
+			Transformer transformer= XmlProcessorFactoryJdtUi.createTransformerFactoryWithErrorOnDOCTYPE().newTransformer();
 			transformer.setOutputProperty(OutputKeys.METHOD, "xml"); //$NON-NLS-1$
 			transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); //$NON-NLS-1$
 			DOMSource source = new DOMSource(document);

org.eclipse.jdt.ui/core extension/org/eclipse/jdt/internal/corext/util/History.java

@@ -32,7 +32,6 @@
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
@@ -56,6 +55,7 @@
 import org.eclipse.jdt.internal.ui.JavaPlugin;
 import org.eclipse.jdt.internal.ui.JavaUIException;
 import org.eclipse.jdt.internal.ui.JavaUIStatus;
+import org.eclipse.jdt.internal.ui.util.XmlProcessorFactoryJdtUi;
 
 /**
  * History stores a list of key, object pairs. The list is bounded at size
@@ -232,7 +232,7 @@ private void rebuildPositions() {
 	private void load(InputSource inputSource) throws CoreException {
 		Element root;
 		try {
-			DocumentBuilder parser = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+			DocumentBuilder parser = XmlProcessorFactoryJdtUi.createDocumentBuilderFactoryWithErrorOnDOCTYPE().newDocumentBuilder();
 			parser.setErrorHandler(new DefaultHandler());
 			root = parser.parse(inputSource).getDocumentElement();
 		} catch (SAXException | ParserConfigurationException | IOException e) {
@@ -262,7 +262,7 @@ private void load(InputSource inputSource) throws CoreException {
 
 	private void save(OutputStream stream) throws CoreException {
 		try {
-			DocumentBuilderFactory factory= DocumentBuilderFactory.newInstance();
+			DocumentBuilderFactory factory= XmlProcessorFactoryJdtUi.createDocumentBuilderFactoryWithErrorOnDOCTYPE();
 			DocumentBuilder builder= factory.newDocumentBuilder();
 			Document document= builder.newDocument();
 
@@ -277,7 +277,7 @@ private void save(OutputStream stream) throws CoreException {
 				rootElement.appendChild(element);
 			}
 
-			Transformer transformer=TransformerFactory.newInstance().newTransformer();
+			Transformer transformer= XmlProcessorFactoryJdtUi.createTransformerFactoryWithErrorOnDOCTYPE().newTransformer();
 			transformer.setOutputProperty(OutputKeys.METHOD, "xml"); //$NON-NLS-1$
 			transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); //$NON-NLS-1$
 			transformer.setOutputProperty(OutputKeys.INDENT, "yes"); //$NON-NLS-1$

org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/jarpackager/JarPackageReader.java

@@ -69,6 +69,7 @@
 
 import org.eclipse.jdt.internal.ui.IJavaStatusConstants;
 import org.eclipse.jdt.internal.ui.JavaPlugin;
+import org.eclipse.jdt.internal.ui.util.XmlProcessorFactoryJdtUi;
 
 /**
  * Reads data from an InputStream and returns a JarPackage
@@ -120,7 +121,7 @@ public void close() throws CoreException {
 	}
 
 	public JarPackageData readXML(JarPackageData jarPackage) throws IOException, SAXException {
-	  	DocumentBuilderFactory factory= DocumentBuilderFactory.newInstance();
+	  	DocumentBuilderFactory factory= XmlProcessorFactoryJdtUi.createDocumentBuilderFactoryWithErrorOnDOCTYPE();
     	factory.setValidating(false);
 		DocumentBuilder parser= null;
 

org.eclipse.jdt.ui/ui/org/eclipse/jdt/internal/ui/jarpackager/JarPackageWriter.java

@@ -27,7 +27,6 @@
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
@@ -56,6 +55,7 @@
 
 import org.eclipse.jdt.internal.ui.IJavaStatusConstants;
 import org.eclipse.jdt.internal.ui.JavaPlugin;
+import org.eclipse.jdt.internal.ui.util.XmlProcessorFactoryJdtUi;
 
 /**
  * Writes a JarPackage to an underlying OutputStream
@@ -97,7 +97,7 @@ public void write(JarPackageData jarPackage) throws CoreException {
 	public void writeXML(JarPackageData jarPackage) throws IOException {
 		Assert.isNotNull(jarPackage);
 		DocumentBuilder docBuilder= null;
-		DocumentBuilderFactory factory= DocumentBuilderFactory.newInstance();
+		DocumentBuilderFactory factory= XmlProcessorFactoryJdtUi.createDocumentBuilderFactoryWithErrorOnDOCTYPE();
 		factory.setValidating(false);
 		try {
 	    	docBuilder= factory.newDocumentBuilder();
@@ -119,7 +119,7 @@ public void writeXML(JarPackageData jarPackage) throws IOException {
 
 		try {
 			// Write the document to the stream
-			Transformer transformer=TransformerFactory.newInstance().newTransformer();
+			Transformer transformer= XmlProcessorFactoryJdtUi.createTransformerFactoryWithErrorOnDOCTYPE().newTransformer();
 			transformer.setOutputProperty(OutputKeys.METHOD, "xml"); //$NON-NLS-1$
 			transformer.setOutputProperty(OutputKeys.ENCODING, fEncoding);
 			transformer.setOutputProperty(OutputKeys.INDENT, "yes"); //$NON-NLS-1$