577471 – XXE in DTD Parser/Validator

Bug 577471 - XXE in DTD Parser/Validator

Summary: XXE in DTD Parser/Validator

Status:	NEW

Alias:	None

Product:	WTP Source Editing
Classification:	WebTools
Component:	wst.dtd (show other bugs)
Version:	3.23 (2021-09)
Hardware:	All Windows All

Importance:	P3 critical (vote)
Target Milestone:	---
Assignee:	wst.dtd
QA Contact:	Nitin Dahyabhai

URL:
Whiteboard:
Keywords:	security

Depends on:
Blocks:

Reported:	2021-11-25 10:49 EST by Mauricio Arroqui
Modified:	2021-11-26 14:01 EST (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mauricio Arroqui

2021-11-25 10:49:45 EST

When we open xml file for edit, XXE vulnerability executed.

This commit:
https://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/xml/bundles/org.eclipse.wst.dtd.core/saxparser/org/eclipse/wst/dtd/core/internal/saxparser/DTDParser.java?id=4a559f69a942c764530a1f342b6ddd1e672ee4e7
brokes what it was fixed in this one:
https://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/?id=9644d4217cd6e3be367d654a8320104d88ddfd6b 
Because expandEntityReferences is always set to "true":
https://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/tree/xml/bundles/org.eclipse.wst.dtd.core/contentmodel/org/eclipse/wst/dtd/core/internal/contentmodel/DTDImpl.java#n91

We workaround this issue by creating our CMDocumentFactory Factory and overriding the build methods.