commit 2e5e334dd2ca7dc285b8c685f16a5ce3a66c46cc
author Shawn Pearce <sop@google.com> Tue Aug 22 19:47:48 2017 -0700
committer Shawn Pearce <sop@google.com> Tue Aug 22 19:55:56 2017 -0700
tree e7d646653ac301b991fe7054d52d132caa0bbcc5
parent 35aedb2bd8a0d5e5add64ae48e8619a09acc82b4

JiriManifest: disable entity external inclusion

It is not safe to permit inclusion of external entities automatically
when parsing XML.  Disable this feature of the XML parser.

Change-Id: I7b23d85b22b114bd2be08a7745d76ddb766caf5a

src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java

diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java
index 411e5b4..1080bf4 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java
@@ -16,7 +16,6 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.net.URI;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -24,11 +23,14 @@
 import java.util.Queue;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
-import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.stream.StreamSource;
 import org.eclipse.jgit.lib.Repository;
 
 class JiriManifestParser {
-  public static JiriProjects GetProjects(Repository repo, String ref, String manifest)
+  public static JiriProjects getProjects(Repository repo, String ref, String manifest)
       throws Exception {
     Queue<String> q = new LinkedList<>();
     q.add(manifest);
@@ -72,12 +74,15 @@
   }
 
   private static JiriManifest parseManifest(Repository repo, String ref, String file)
-      throws JAXBException, IOException {
-    byte b[] = Utils.readBlob(repo, ref + ":" + file);
+      throws JAXBException, IOException, XMLStreamException {
+    byte[] b = Utils.readBlob(repo, ref + ":" + file);
     JAXBContext jc = JAXBContext.newInstance(JiriManifest.class);
-    Unmarshaller unmarshaller = jc.createUnmarshaller();
-    InputStream is = new ByteArrayInputStream(b);
-    JiriManifest manifest = (JiriManifest) unmarshaller.unmarshal(is);
-    return manifest;
+
+    XMLInputFactory inf = XMLInputFactory.newFactory();
+    inf.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+    inf.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+    XMLStreamReader sr = inf.createXMLStreamReader(new StreamSource(new ByteArrayInputStream(b)));
+
+    return (JiriManifest) jc.createUnmarshaller().unmarshal(sr);
   }
 }

src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java

diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java
index 663a6af..271e52e 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java
@@ -179,8 +179,8 @@
   static class SortbyPath implements Comparator<Project> {
     @Override
     public int compare(Project a, Project b) {
-      String p1 = StringUtil.stripAndaddCharsAtEnd(a.getPath(), "/");
-      String p2 = StringUtil.stripAndaddCharsAtEnd(b.getPath(), "/");
+      String p1 = StringUtil.stripAndAddCharsAtEnd(a.getPath(), "/");
+      String p2 = StringUtil.stripAndAddCharsAtEnd(b.getPath(), "/");
       return p1.compareTo(p2);
     }
   }

src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java

diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java
index 21fcbef..981e867 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java
@@ -1,13 +1,10 @@
 package com.googlesource.gerrit.plugins.supermanifest;
 
 import static com.google.gerrit.reviewdb.client.RefNames.REFS_HEADS;
-import static com.google.gerrit.reviewdb.client.RefNames.REFS_TAGS;
 
 import com.googlesource.gerrit.plugins.supermanifest.SuperManifestRefUpdatedListener.GerritRemoteReader;
 import java.net.URI;
 import java.text.MessageFormat;
-import java.util.Map;
-import org.eclipse.jgit.api.LsRemoteCommand;
 import org.eclipse.jgit.api.errors.ConcurrentRefUpdateException;
 import org.eclipse.jgit.api.errors.JGitInternalException;
 import org.eclipse.jgit.dircache.DirCache;
@@ -22,7 +19,6 @@
 import org.eclipse.jgit.lib.ObjectId;
 import org.eclipse.jgit.lib.ObjectInserter;
 import org.eclipse.jgit.lib.PersonIdent;
-import org.eclipse.jgit.lib.Ref;
 import org.eclipse.jgit.lib.RefUpdate;
 import org.eclipse.jgit.lib.RefUpdate.Result;
 import org.eclipse.jgit.lib.Repository;
@@ -62,8 +58,8 @@
         String path = proj.getPath();
         String nameUri = proj.getRemote();
         if (parent != null) {
-          String p1 = StringUtil.stripAndaddCharsAtEnd(path, "/");
-          String p2 = StringUtil.stripAndaddCharsAtEnd(parent, "/");
+          String p1 = StringUtil.stripAndAddCharsAtEnd(path, "/");
+          String p2 = StringUtil.stripAndAddCharsAtEnd(parent, "/");
           if (p1.startsWith(p2)) {
             warn(
                 "Skipping project %s(%s) as git doesn't support nested submodules",
@@ -161,7 +157,7 @@
   public void update(GerritRemoteReader reader, ConfigEntry c, String srcRef) throws Exception {
     Repository srcRepo = reader.openRepository(c.getSrcRepoKey().toString());
     Repository destRepo = reader.openRepository(c.getDestRepoKey().toString());
-    JiriProjects projects = JiriManifestParser.GetProjects(srcRepo, srcRef, c.getXmlPath());
+    JiriProjects projects = JiriManifestParser.getProjects(srcRepo, srcRef, c.getXmlPath());
     String targetRef = c.getDestBranch().equals("*") ? srcRef : REFS_HEADS + c.getDestBranch();
     updateSubmodules(destRepo, targetRef, projects, reader);
   }

src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java

diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java
index 278a2b1..3472942 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java
@@ -19,8 +19,7 @@
 class StringUtil {
   public static String addTab(String str) {
     StringBuffer buf = new StringBuffer("");
-    String arr[] = str.split("\n");
-    for (String s : arr) {
+    for (String s : str.split("\n")) {
       if (!s.trim().isEmpty()) {
         buf.append("\t" + s + " \n");
       }
@@ -28,8 +27,9 @@
     return buf.toString();
   }
 
-  public static String stripAndaddCharsAtEnd(String str, String chs) {
-    StringUtils.stripEnd(str, chs);
-    return str + chs;
+  public static String stripAndAddCharsAtEnd(String str, String chs) {
+    return StringUtils.stripEnd(str, chs) + chs;
   }
+
+  private StringUtil() {}
 }