Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

WTP - Ignore external URIs by default #369

Merged
merged 6 commits into from
Mar 10, 2019

Conversation

fvgh
Copy link
Member

@fvgh fvgh commented Mar 10, 2019

Eclipse WTP XML formatter resolves automatically external URIs. URIs that cannot be accessed are ignored. If the referenced external DTD/XSD contains formatting instructions, the formatter results differs depending whether the URI is reachable or not.
This is not appropriate behaviour for Spotless, since it is e.g. used for continuous integration testing.
Normally all external URIs shall be included in a XML catalog during build.
But many users may not be aware that the XML formatter uses the DTDs and XSDs specified in an XML in the first place.
To prevent an spotlessCheck error due failure accessing an external DTD/XSD, the Spotless default behaviour has been changed, to ignore external URIs per default.

@fvgh
Copy link
Member Author

fvgh commented Mar 10, 2019

@nedtwigg Let me know when you released the new version and I shall integrate it. Or feel ree to do the integration yourself.
@JLLeitschuh If you are still interested to do some investigation on #358, this PR might give you some ideas where to look.

@fvgh fvgh requested a review from nedtwigg March 10, 2019 19:30
@nedtwigg
Copy link
Member

This looks great! Release is on the way..

@nedtwigg nedtwigg merged commit e3f97f5 into master Mar 10, 2019
@nedtwigg nedtwigg deleted the eclipse-wtp-prevent-external-uri branch March 10, 2019 22:42
@nedtwigg
Copy link
Member

ext-eclipse-wtp 3.9.8 is now available on mavencentral

@nedtwigg
Copy link
Member

Released in 3.20.0 / 1.20.0

@JLLeitschuh
Copy link
Member

@fvgh Should I open an upstream issue with the Eclipse organization about this?

@fvgh
Copy link
Member Author

fvgh commented Mar 16, 2019

@JLLeitschuh As stated in this PR description, I don't see that the Eclipse behaviour is a problem for an IDE, but I admit that it is unexpected for Spotless users and a problem for a build tool.
The Eclipse resolveExternalEntities configuration is only applied on the Apache Xerces validator (for the security reasons you pointed out) and we discussed in #358. On the other hand, the configuration item is in the Eclipse XML preferences below the "Validation" node. So I do not see a need on Eclipse side to change anything until someone finds a vulnerability in the formatter.

nedtwigg added a commit that referenced this pull request Mar 17, 2019
Switch to Eclipse-WTP 3.10. Cleanup fix for #369. Add SLF4J support.
@JLLeitschuh
Copy link
Member

As stated in this PR description, I don't see that the Eclipse behaviour is a problem for an IDE

Actually, it is. Maliciously compromising was one of the major discoveries of the Checkpoint team in their ParseDroid Vulnerability.

This led us to find multiple vulnerable implementations of the XML parser within other projects. Moreover, we identified that the most popular IDEs that are used for building Android applications are affected – including Intellij, Eclipse, and Android Studio.

By simply loading the malicious “AndroidManifest.xml” file as part of any Android project, the IDEs starts spitting out any file configured by the attacker.

To demonstrate this vulnerability, we have uploaded a malicious project library to GitHub and cloned it to an Android Studio project.
- https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/

@fvgh
Copy link
Member Author

fvgh commented Mar 26, 2019

Sorry @JLLeitschuh , as I stressed in #358:

I have no evidence and don't think that the Eclipse XMLSourceParser is vulnerable to the XXE scenario where a local file URI is used as external entity as described within this issue.

Its the question what you consider a security problem. If you consider the increase of an attack vector a security problem, yes allowing to process data obtained via HTTP is a problem.

Let's just agree to disagree 😉 ...

But don't get me wrong: I appreciate very much that you highlighted the topic that the user is probably not aware that DTD/XSDs are automatically downloaded. I am afraid I was already too used to this behaviour and catalogue usage...

@JLLeitschuh
Copy link
Member

@fvgh Thanks for your professional discourse about this and for fixing the issue. I'll take care of reaching out to the Eclipse security team and see what they have to say.

Again, thank you so much for your hard work on this!

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants