From 07d00f6dfcb27f9972e3fd0cdbaa6a5724e802c5 Mon Sep 17 00:00:00 2001
From: Ivan Frade <ifrade@google.com>
Date: Tue, 13 May 2025 11:21:42 -0700
Subject: ManifestParser: Do not accept DOCTYPE and entities

These open the door for XXE attacks [1] and manifest do not need them.

[1] https://en.wikipedia.org/wiki/XML_external_entity_attack

Change-Id: Ia79971e1c34afaf287584ae4a7f71baebcb48b6a
---
 .../src/org/eclipse/jgit/gitrepo/ManifestParser.java         | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java')

diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java b/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
index b033177e05..58b4d3dc56 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
@@ -142,7 +142,17 @@ public class ManifestParser extends DefaultHandler {
 		xmlInRead++;
 		final XMLReader xr;
 		try {
-			xr = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+			SAXParserFactory spf = SAXParserFactory.newInstance();
+			spf.setFeature(
+					"http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$
+					false);
+			spf.setFeature(
+					"http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$
+					false);
+			spf.setFeature(
+					"http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$
+					true);
+			xr = spf.newSAXParser().getXMLReader();
 		} catch (SAXException | ParserConfigurationException e) {
 			throw new IOException(JGitText.get().noXMLParserAvailable, e);
 		}
-- 
cgit v1.2.3