Merge branch 'stable-6.10' into stable-7.0

* stable-6.10:
  Prepare 6.10.2-SNAPSHOT builds
  JGit v6.10.1.202505221210-r
  AmazonS3: Do not accept DOCTYPE and entities
  ManifestParser: Do not accept DOCTYPE and entities

Change-Id: I699d57974d9ef2428355c59194c6becbc16828b7
diff --git a/org.eclipse.jgit.test/tst/org/eclipse/jgit/gitrepo/ManifestParserTest.java b/org.eclipse.jgit.test/tst/org/eclipse/jgit/gitrepo/ManifestParserTest.java
index fca27d3..0949d04 100644
--- a/org.eclipse.jgit.test/tst/org/eclipse/jgit/gitrepo/ManifestParserTest.java
+++ b/org.eclipse.jgit.test/tst/org/eclipse/jgit/gitrepo/ManifestParserTest.java
@@ -12,12 +12,16 @@
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 import java.io.ByteArrayInputStream;
+import java.io.File;
 import java.io.IOException;
 import java.net.URI;
+import java.nio.file.Files;
+import java.nio.file.StandardOpenOption;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@@ -221,4 +225,33 @@ public void testNormalizeEmptyPath() {
 		testNormalize("", "");
 		testNormalize("a/b", "a/b");
 	}
+
+	@Test
+	public void testXXE() throws Exception {
+		File externalEntity = File.createTempFile("injected", "xml");
+		externalEntity.deleteOnExit();
+		Files.write(externalEntity.toPath(),
+				"<evil>injected xml</evil>"
+						.getBytes(UTF_8),
+				StandardOpenOption.WRITE);
+		String baseUrl = "https://git.google.com/";
+		StringBuilder xmlContent = new StringBuilder();
+		xmlContent.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
+				.append("<!DOCTYPE booo [ <!ENTITY foobar SYSTEM \"")
+				.append(externalEntity.getPath()).append("\"> ]>\n")
+				.append("<manifest>")
+				.append("<remote name=\"remote1\" fetch=\".\" />")
+				.append("<default revision=\"master\" remote=\"remote1\" />")
+				.append("&foobar;")
+				.append("<project path=\"foo\" name=\"foo\" groups=\"a,test\" />")
+				.append("</manifest>");
+
+		IOException e = assertThrows(IOException.class,
+				() -> new ManifestParser(null, null, "master", baseUrl, null,
+						null)
+						.read(new ByteArrayInputStream(
+								xmlContent.toString().getBytes(UTF_8))));
+		assertTrue(e.getCause().getMessage().contains("DOCTYPE"));
+	}
+
 }
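Review bot: The assertion on line 61 dereferences `e.getCause()` without checking it, so if `read` ever throws an `IOException` with no cause (or wraps the SAX error differently) the test fails with a NullPointerException instead of a readable assertion message; it also pins the test to the parser implementation's wording of the DOCTYPE rejection, which is acceptable but worth making explicit. I would replace it with `Throwable cause = e.getCause(); assertNotNull(cause); assertTrue(String.valueOf(cause.getMessage()), cause.getMessage().contains("DOCTYPE"));` (`assertNotNull` is in `org.junit.Assert`). The external-entity target file is only created to prove the entity is never resolved; a one-line comment saying so, e.g. `// Must never be read: DOCTYPE is rejected before entity resolution.`, would help the next reader who wonders why its content is never asserted on.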
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java b/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
index b033177..58b4d3d 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
@@ -142,7 +142,17 @@ public void read(InputStream inputStream) throws IOException {
 		xmlInRead++;
 		final XMLReader xr;
 		try {
-			xr = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+			SAXParserFactory spf = SAXParserFactory.newInstance();
+			spf.setFeature(
+					"http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$
+					false);
+			spf.setFeature(
+					"http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$
+					false);
+			spf.setFeature(
+					"http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$
+					true);
+			xr = spf.newSAXParser().getXMLReader();
 		} catch (SAXException | ParserConfigurationException e) {
 			throw new IOException(JGitText.get().noXMLParserAvailable, e);
 		}
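Review bot: The three feature flags on lines 75–83 are set identically in this hunk and in the AmazonS3.list hunk (lines 96–104); a shared package-private helper such as `static SAXParserFactory newSecureSaxParserFactory()` would keep the two hardening points from drifting when one is updated. Note also that `disallow-doctype-decl` is an Apache/Xerces feature name: on a SAX implementation that does not recognise it, `setFeature` throws a `SAXNotRecognizedException`, which the existing catch on line 85 turns into `noXMLParserAvailable` — this fails closed, which is the right outcome, but the message will mislead whoever debugs it, so a comment such as `// Reject DOCTYPE and external entities (XXE); an unrecognised feature is deliberately fatal.` is worth adding above line 74. Enabling `XMLConstants.FEATURE_SECURE_PROCESSING` as well would give a portable baseline on non-Xerces parsers. The enclosing `read` method starts and ends outside the hunk.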
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
index aaf9f8a..9d9f549 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
@@ -760,6 +760,15 @@ void list() throws IOException {
 						SAXParserFactory saxParserFactory = SAXParserFactory
 								.newInstance();
 						saxParserFactory.setNamespaceAware(true);
+						saxParserFactory.setFeature(
+								"http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$
+								false);
+						saxParserFactory.setFeature(
+								"http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$
+								false);
+						saxParserFactory.setFeature(
+								"http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$
+								true);
 						xr = saxParserFactory.newSAXParser().getXMLReader();
 					} catch (SAXException | ParserConfigurationException e) {
 						throw new IOException(