AmazonS3: Do not accept DOCTYPE and entities

msohn · msohn · commit 3e0eedc57c05 · 2025-05-22T13:55:56.000+02:00
This follows OWASP recommendations in https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html Change-Id: I3d47debf14d95c8189d51256b4eb2ba991279452
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
@@ -760,6 +760,15 @@ void list() throws IOException {
 						SAXParserFactory saxParserFactory = SAXParserFactory
 								.newInstance();
 						saxParserFactory.setNamespaceAware(true);
+						saxParserFactory.setFeature(
+								"http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$
+								false);
+						saxParserFactory.setFeature(
+								"http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$
+								false);
+						saxParserFactory.setFeature(
+								"http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$
+								true);
 						xr = saxParserFactory.newSAXParser().getXMLReader();
 					} catch (SAXException | ParserConfigurationException e) {
 						throw new IOException(
