author | Matthias Sohn <matthias.sohn@sap.com> | 2025-05-14 10:19:15 +0200 |
committer | Matthias Sohn <matthias.sohn@sap.com> | 2025-07-20 12:43:28 +0200 |
commit | 896d073706c64be616a05412edd86f1e25c587aa (patch) | |
tree | 195252162e651956c92c0b7b3e7241c323a2fb13 | |
parent | 8d30b5a75fcbcb81bbe621ed634fb6f8a515da9a (diff) | |
AmazonS3: Do not accept DOCTYPE and entitiesstable-5.13
This follows OWASP recommendations in
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Change-Id: I3d47debf14d95c8189d51256b4eb2ba991279452
-rw-r--r-- | org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
index 3e5af76f89..768b9984af 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
@@ -50,6 +50,8 @@ import java.util.stream.Collectors;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
 import org.eclipse.jgit.internal.JGitText;
 import org.eclipse.jgit.lib.Constants;
@@ -64,7 +66,6 @@ import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.DefaultHandler;
-import org.xml.sax.helpers.XMLReaderFactory;
 /**
  * A simple HTTP REST client for the Amazon S3 service.
@@ -749,8 +750,20 @@ public class AmazonS3 {
 		final XMLReader xr;
 		try {
-			xr = XMLReaderFactory.createXMLReader();
-		} catch (SAXException e) {
+			SAXParserFactory saxParserFactory = SAXParserFactory
+					.newInstance();
+			saxParserFactory.setNamespaceAware(true);
+			saxParserFactory.setFeature(
+					"http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$
+					false);
+			saxParserFactory.setFeature(
+					"http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$
+					false);
+			saxParserFactory.setFeature(
+					"http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$
+					true);
+			xr = saxParserFactory.newSAXParser().getXMLReader();
+		} catch (SAXException | ParserConfigurationException e) {
 			throw new IOException(
 					JGitText.get().noXMLParserAvailable, e);
 		}
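Review bot: The hardened factory in the third hunk depends on the runtime parser recognising the implementation-specific feature URI `http://apache.org/xml/features/disallow-doctype-decl`; because `SAXParserFactory.newInstance()` selects the implementation at runtime, a non-Xerces parser that does not know that URI makes `setFeature` throw a `SAXNotRecognizedException`, which the new multi-catch converts into an `IOException` carrying `JGitText.get().noXMLParserAvailable`. Failing closed there is the correct outcome, but the message then reports a missing parser rather than a parser that cannot be locked down, so a short comment above the catch such as `// Fail closed: a parser that cannot refuse DOCTYPE/external entities must not parse S3 responses` would stop a later maintainer from "fixing" the error by dropping the feature. The OWASP cheat sheet cited in the description additionally recommends `saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which is part of `javax.xml.XMLConstants`, is portable across implementations, and would only need one more import in the first hunk. The enclosing method starts before and continues after this hunk, where `xr` is presumably given a handler and driven over the response body.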