JiriManifest: disable entity external inclusion
It is not safe to automatically permit inclusion of external entities (XXE) when parsing XML. Disable that feature, along with DTD processing, in the XML parser.
Change-Id: I7b23d85b22b114bd2be08a7745d76ddb766caf5a
diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java
index 411e5b4..1080bf4 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriManifestParser.java
@@ -16,7 +16,6 @@
import java.io.ByteArrayInputStream;
import java.io.IOException;
-import java.io.InputStream;
import java.net.URI;
import java.util.HashMap;
import java.util.HashSet;
@@ -24,11 +23,14 @@
import java.util.Queue;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
-import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.stream.StreamSource;
import org.eclipse.jgit.lib.Repository;
class JiriManifestParser {
- public static JiriProjects GetProjects(Repository repo, String ref, String manifest)
+ public static JiriProjects getProjects(Repository repo, String ref, String manifest)
throws Exception {
Queue<String> q = new LinkedList<>();
q.add(manifest);
@@ -72,12 +74,15 @@
}
private static JiriManifest parseManifest(Repository repo, String ref, String file)
- throws JAXBException, IOException {
- byte b[] = Utils.readBlob(repo, ref + ":" + file);
+ throws JAXBException, IOException, XMLStreamException {
+ byte[] b = Utils.readBlob(repo, ref + ":" + file);
JAXBContext jc = JAXBContext.newInstance(JiriManifest.class);
- Unmarshaller unmarshaller = jc.createUnmarshaller();
- InputStream is = new ByteArrayInputStream(b);
- JiriManifest manifest = (JiriManifest) unmarshaller.unmarshal(is);
- return manifest;
+
+ XMLInputFactory inf = XMLInputFactory.newFactory();
+ inf.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ inf.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ XMLStreamReader sr = inf.createXMLStreamReader(new StreamSource(new ByteArrayInputStream(b)));
+
+ return (JiriManifest) jc.createUnmarshaller().unmarshal(sr);
}
}
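Review bot: The `XMLStreamReader` created on the `inf.createXMLStreamReader(...)` line is never closed, and `Unmarshaller.unmarshal(XMLStreamReader)` does not close it for you, so the unmarshal call should sit in a `try`/`finally` that calls `sr.close()` (this releases parser state only; it does not close the underlying `ByteArrayInputStream`, which needs no closing). The two hardening properties also deserve a comment stating their effect, because `SUPPORT_DTD=false` makes the parser reject any `<!DOCTYPE>` outright — which is also what shuts off internal entity expansion — so a manifest carrying a DTD now fails with `XMLStreamException` instead of parsing; e.g. `// Reject DTDs entirely: blocks XXE and entity-expansion attacks; a manifest with a <!DOCTYPE> is an error.` Separately, `JAXBContext.newInstance(JiriManifest.class)` is rebuilt on every call even though `getProjects` drains a queue of manifests and `JAXBContext` is documented as thread-safe and costly to create, so caching it in a `private static final` field would avoid the repeated setup; `XMLInputFactory` thread-safety is implementation-dependent, so that one is reasonably left per call unless confirmed.
```java
    XMLStreamReader sr = inf.createXMLStreamReader(new StreamSource(new ByteArrayInputStream(b)));
    try {
      return (JiriManifest) jc.createUnmarshaller().unmarshal(sr);
    } finally {
      sr.close(); // releases parser state; does not close the ByteArrayInputStream
    }
```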
diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java
index 663a6af..271e52e 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriProjects.java
@@ -179,8 +179,8 @@
static class SortbyPath implements Comparator<Project> {
@Override
public int compare(Project a, Project b) {
- String p1 = StringUtil.stripAndaddCharsAtEnd(a.getPath(), "/");
- String p2 = StringUtil.stripAndaddCharsAtEnd(b.getPath(), "/");
+ String p1 = StringUtil.stripAndAddCharsAtEnd(a.getPath(), "/");
+ String p2 = StringUtil.stripAndAddCharsAtEnd(b.getPath(), "/");
return p1.compareTo(p2);
}
}
diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java
index 21fcbef..981e867 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/JiriUpdater.java
@@ -1,13 +1,10 @@
package com.googlesource.gerrit.plugins.supermanifest;
import static com.google.gerrit.reviewdb.client.RefNames.REFS_HEADS;
-import static com.google.gerrit.reviewdb.client.RefNames.REFS_TAGS;
import com.googlesource.gerrit.plugins.supermanifest.SuperManifestRefUpdatedListener.GerritRemoteReader;
import java.net.URI;
import java.text.MessageFormat;
-import java.util.Map;
-import org.eclipse.jgit.api.LsRemoteCommand;
import org.eclipse.jgit.api.errors.ConcurrentRefUpdateException;
import org.eclipse.jgit.api.errors.JGitInternalException;
import org.eclipse.jgit.dircache.DirCache;
@@ -22,7 +19,6 @@
import org.eclipse.jgit.lib.ObjectId;
import org.eclipse.jgit.lib.ObjectInserter;
import org.eclipse.jgit.lib.PersonIdent;
-import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.RefUpdate;
import org.eclipse.jgit.lib.RefUpdate.Result;
import org.eclipse.jgit.lib.Repository;
@@ -62,8 +58,8 @@
String path = proj.getPath();
String nameUri = proj.getRemote();
if (parent != null) {
- String p1 = StringUtil.stripAndaddCharsAtEnd(path, "/");
- String p2 = StringUtil.stripAndaddCharsAtEnd(parent, "/");
+ String p1 = StringUtil.stripAndAddCharsAtEnd(path, "/");
+ String p2 = StringUtil.stripAndAddCharsAtEnd(parent, "/");
if (p1.startsWith(p2)) {
warn(
"Skipping project %s(%s) as git doesn't support nested submodules",
@@ -161,7 +157,7 @@
public void update(GerritRemoteReader reader, ConfigEntry c, String srcRef) throws Exception {
Repository srcRepo = reader.openRepository(c.getSrcRepoKey().toString());
Repository destRepo = reader.openRepository(c.getDestRepoKey().toString());
- JiriProjects projects = JiriManifestParser.GetProjects(srcRepo, srcRef, c.getXmlPath());
+ JiriProjects projects = JiriManifestParser.getProjects(srcRepo, srcRef, c.getXmlPath());
String targetRef = c.getDestBranch().equals("*") ? srcRef : REFS_HEADS + c.getDestBranch();
updateSubmodules(destRepo, targetRef, projects, reader);
}
diff --git a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java
index 278a2b1..3472942 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/supermanifest/StringUtil.java
@@ -19,8 +19,7 @@
class StringUtil {
public static String addTab(String str) {
StringBuffer buf = new StringBuffer("");
- String arr[] = str.split("\n");
- for (String s : arr) {
+ for (String s : str.split("\n")) {
if (!s.trim().isEmpty()) {
buf.append("\t" + s + " \n");
}
@@ -28,8 +27,9 @@
return buf.toString();
}
- public static String stripAndaddCharsAtEnd(String str, String chs) {
- StringUtils.stripEnd(str, chs);
- return str + chs;
+ public static String stripAndAddCharsAtEnd(String str, String chs) {
+ return StringUtils.stripEnd(str, chs) + chs;
}
+
+ private StringUtil() {}
}
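Review bot: No test accompanies the fix to `stripAndAddCharsAtEnd`, even though the old code silently discarded the result of `StringUtils.stripEnd` (returning `str + chs` unchanged) and the corrected value feeds the path ordering in `JiriProjects.SortbyPath` and the nested-submodule `startsWith` check in `JiriUpdater`; the commit message does not mention this behaviour change either. Assertions such as `"a/b/".equals(StringUtil.stripAndAddCharsAtEnd("a/b//", "/"))` and `"/".equals(StringUtil.stripAndAddCharsAtEnd("", "/"))` would lock the fix in. If `StringUtils` is commons-lang's, `stripEnd(null, ...)` returns null, so a null `str` still yields the literal text `null` followed by `chs` through string concatenation; either guard it or document it with a Javadoc line like `/** Strips any trailing {@code chs} from {@code str}, then appends exactly one; {@code str} must be non-null. */`.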