Improve DTD/XSD security with regard to remote resources #1183

angelozerr · 2022-03-04T13:57:22Z

Improve DTD/XSD security with regard to remote resources

Fixes #671

Signed-off-by: azerr azerr@redhat.com

angelozerr · 2022-03-04T18:13:43Z

This PR fixes following problem with our DTD validator:

higlight the SYSTEM url which have problem
use xml.validation.resolveExternalEntities used to enable/disable the resolved of external entities.
use xml.downloadExternalResources.enabled to allow/forbid download of SYSTEM url inside DTD.

Here a demo with this draft PR:

angelozerr · 2022-03-07T08:54:58Z

The PR provides now a new code action to download a given DTD/ entity when downloaded is forbidden:

It requires redhat-developer/vscode-xml#673

angelozerr · 2022-03-25T22:01:34Z

@fbricon you can start playing with the PR. All tests are working now.

I need to check if XSD is working too (when you reference xsd with xs:import)

angelozerr · 2022-03-27T09:09:50Z

I need to check if XSD is working too (when you reference xsd with xs:import)

It should work with XSD now with the code action too.

fbricon · 2022-03-28T07:17:12Z

...main/java/org/eclipse/lemminx/extensions/contentmodel/commands/XMLValidationFileCommand.java

 		// 1. remove the referenced grammar in the XML file from the Xerces grammar pool
 		// (used by the Xerces validation) and the content model documents cache (used
 		// by the XML completion/hover based on the grammar)
 		contentModelManager.evictCacheFor(document);
 		// 2. trigger the validation for the given XML file
-		validationService.validate(document);
+		Map map = JSONUtility.toModel(validationArgs, Map.class);


what happens when validationArgs == null?

No force download url will be done when validation will occurs. The null arguments is managed at https://github.com/eclipse/lemminx/pull/1183/files#diff-07b75b69658ecc851282ac49a9a36f30a26fcb8e26004e6705d279dc094af2ebR91

fbricon · 2022-03-28T07:18:29Z

...nx/src/main/java/org/eclipse/lemminx/extensions/contentmodel/model/ContentModelProvider.java

+	 * @return the content model document (XSD, DTD, etc) from the given resource
+	 *         key and null otherwise.
+	 */
+	CMDocument createCMDocument(String key, boolean resolveExternalEntities);


resolveExternalEntities or downloadRemoteResources?

resolveExternalEntities is used to configure the Xerces SAX parser when any XML, DTD, XSD is loaded. The resolveExternalEntities is a feature that Xerces supports.

downloadRemoteResources is managed on CacheResourcesManager side when an URL must be downloaded. Its XMLCacheResolverExtension an implementation of Xerces XMLEntityResolver which provides the capability to returns the content of an URI.

In other words, we need here only resolveExternalEntities to configure Xerces SAX parser.

...inx/extensions/contentmodel/participants/codeactions/DownloadResourceDisabledCodeAction.java

...n/java/org/eclipse/lemminx/extensions/dtd/participants/diagnostics/LSPXML11DTDProcessor.java

fbricon · 2022-03-28T07:26:58Z

...n/java/org/eclipse/lemminx/extensions/dtd/participants/diagnostics/LSPXML11DTDProcessor.java

+ * 
+ * <p>
+ * This class extends {@link XML11DTDProcessor} and customize the XML entity
+ * manager with the {@link LSPXMLEntityManager} which takes care of download


which handles the "download external entities" setting.

My comment was wrong because it manages any error when download is processed. So I think

any remote resource download errors.

should be better, what do you think about that?

...ipse.lemminx/src/main/java/org/eclipse/lemminx/extensions/xerces/LSPSchemaParsingConfig.java

AlexXuChen

It seems that no validation appears when xml.server.preferBinary is enabled:
xml.server.preferBinary is false

xml.server.preferBinary is true

AlexXuChen

Everything using the Java server is working for me

Fixes redhat-developer/vscode-xml#671 Signed-off-by: azerr <azerr@redhat.com>

angelozerr · 2022-03-28T20:21:35Z

It seems that no validation appears when xml.server.preferBinary is enabled:

@rgrunber can you confirm please that it works with binary in Linux please. I tested with Windows and ot works good.

rgrunber · 2022-03-29T04:27:53Z

As mentioned, this works for me and I can be merged. I found an odd issue around the code actions when the schema reference URL contains a query string, but the change itself still worked in restricting the download as needed.

angelozerr · 2022-03-29T07:47:19Z

Thank a lot @fbricon @AlexXuChen @rgrunber for your review!

angelozerr marked this pull request as draft March 4, 2022 13:57

angelozerr force-pushed the dtd-security branch 7 times, most recently from 43c3a6e to 50a9565 Compare March 4, 2022 17:51

angelozerr mentioned this pull request Mar 4, 2022

Improve DTD/XSD security with regard to remote resources redhat-developer/vscode-xml#671

Closed

angelozerr force-pushed the dtd-security branch 2 times, most recently from bf7ab90 to 1958b29 Compare March 7, 2022 08:48

angelozerr force-pushed the dtd-security branch from 1958b29 to 64fd264 Compare March 7, 2022 13:38

angelozerr force-pushed the dtd-security branch from 64fd264 to 47f3d45 Compare March 25, 2022 21:52

angelozerr force-pushed the dtd-security branch 8 times, most recently from 2105e8a to 3a15e47 Compare March 27, 2022 08:45

angelozerr marked this pull request as ready for review March 27, 2022 09:03

angelozerr force-pushed the dtd-security branch 4 times, most recently from c04a69a to da8c2bf Compare March 27, 2022 15:29