Improve DTD/XSD security with regard to remote resources #1183
43c3a6e to 50a9565 (compare)
This PR fixes the following problem with our DTD validator:
Here is a demo with this draft PR:
bf7ab90 to 1958b29 (compare)
The PR now provides a new code action to download a given DTD/entity when download is forbidden. It requires redhat-developer/vscode-xml#673
64fd264 to 47f3d45 (compare)
@fbricon you can start playing with the PR. All tests are working now. I need to check if XSD is working too (when you reference xsd with xs:import)
2105e8a to 3a15e47 (compare)
It should work with XSD now with the code action too.
c04a69a to da8c2bf (compare)
// 1. remove the referenced grammar in the XML file from the Xerces grammar pool | ||
// (used by the Xerces validation) and the content model documents cache (used | ||
// by the XML completion/hover based on the grammar) | ||
contentModelManager.evictCacheFor(document); | ||
// 2. trigger the validation for the given XML file | ||
validationService.validate(document); | ||
Map map = JSONUtility.toModel(validationArgs, Map.class); |
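Review bot: `Map map = JSONUtility.toModel(validationArgs, Map.class);` uses a raw `Map` type; declaring it as `Map<String, Object>` would document the expected shape of the arguments and avoid unchecked access downstream. The call should also guard against `validationArgs` being null before converting it, or the Javadoc should state that `toModel` tolerates a null input.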
what happens when validationArgs == null?
No forced download URL will be done when validation occurs. The null argument is managed at https://github.com/eclipse/lemminx/pull/1183/files#diff-07b75b69658ecc851282ac49a9a36f30a26fcb8e26004e6705d279dc094af2ebR91
* @return the content model document (XSD, DTD, etc) from the given resource | ||
* key and null otherwise. | ||
*/ | ||
CMDocument createCMDocument(String key, boolean resolveExternalEntities); |
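Review bot: the Javadoc on `createCMDocument` documents `@return` but not the new `resolveExternalEntities` parameter; add a `@param resolveExternalEntities` tag that states it only configures the Xerces external-entity feature for the parser and does not by itself allow remote resources to be downloaded.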
resolveExternalEntities or downloadRemoteResources?
- resolveExternalEntities is used to configure the Xerces SAX parser when any XML, DTD, or XSD is loaded. resolveExternalEntities is a feature that Xerces supports.
- downloadRemoteResources is managed on the CacheResourcesManager side when a URL must be downloaded. Its XMLCacheResolverExtension is an implementation of the Xerces XMLEntityResolver which provides the capability to return the content of a URI.
In other words, we need here only resolveExternalEntities to configure the Xerces SAX parser.
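To make the two layers described in the comment above concrete, here is an added example that is not part of lemminx or of this PR. It wires a Xerces-based SAX parser with the external-entity features set from a `resolveExternalEntities` flag, and separately installs a resolver that refuses to fetch `http`/`https` system ids unless a `downloadRemoteResources` policy flag allows it. The class names `RemoteResourcePolicyDemo` and `RestrictiveResolver`, the two policy flags and the `example.invalid` DTD URL are assumptions for the illustration; the resolver uses the standard `org.xml.sax.EntityResolver` interface rather than the Xerces `XMLEntityResolver` that lemminx's `XMLCacheResolverExtension` implements.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

// Added example (hypothetical class, not lemminx code): two independent controls
// over remote resources, mirroring the resolveExternalEntities / downloadRemoteResources split.
public class RemoteResourcePolicyDemo {

    // Policy flag standing in for the "download remote resources" setting (assumed name).
    private static volatile boolean downloadRemoteResources = false;

    // Second layer: an entity resolver that decides per URI whether anything is fetched.
    static class RestrictiveResolver implements EntityResolver {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            boolean remote = systemId != null
                    && (systemId.startsWith("http://") || systemId.startsWith("https://"));
            if (remote && !downloadRemoteResources) {
                // Hand the parser an empty entity instead of fetching it: parsing continues
                // (no DTD content, so no validation against it) and no network request is made.
                return new InputSource(new StringReader(""));
            }
            return null; // default resolution (e.g. local files) when the policy allows it
        }
    }

    // First layer: the parser's own Xerces/SAX features, driven by resolveExternalEntities.
    static SAXParser newParser(boolean resolveExternalEntities) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", resolveExternalEntities);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", resolveExternalEntities);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", resolveExternalEntities);
        return factory.newSAXParser();
    }

    // Parses a document with both layers active; returns true when parsing completed.
    static boolean parseWithPolicy(String xml, boolean resolveExternalEntities) throws Exception {
        XMLReader reader = newParser(resolveExternalEntities).getXMLReader();
        // Set the resolver on the XMLReader directly: SAXParser.parse(InputSource, DefaultHandler)
        // would replace it with the handler's own resolveEntity.
        reader.setEntityResolver(new RestrictiveResolver());
        reader.parse(new InputSource(new StringReader(xml)));
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a document whose DOCTYPE points at a remote DTD.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE note SYSTEM \"http://example.invalid/note.dtd\">\n"
                + "<note>hello</note>";

        // Downloads forbidden: the DTD is never fetched, the document still parses.
        downloadRemoteResources = false;
        System.out.println("download forbidden, parsed: " + parseWithPolicy(xml, false));

        // Even with the parser features enabled, the resolver alone still blocks the fetch.
        System.out.println("features on, resolver blocks: " + parseWithPolicy(xml, true));
    }
}
```

The point of keeping the two controls separate is the one the comment makes: the SAX features decide whether the parser even asks for an external entity, while the resolver decides what is returned when it does ask, so a download policy can be enforced (and surfaced to the user, as the PR's code action does) without changing how the parser is configured.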
...inx/extensions/contentmodel/participants/codeactions/DownloadResourceDisabledCodeAction.java (outdated, resolved)
...inx/extensions/contentmodel/participants/codeactions/DownloadResourceDisabledCodeAction.java (outdated, resolved)
...n/java/org/eclipse/lemminx/extensions/dtd/participants/diagnostics/LSPXML11DTDProcessor.java (outdated, resolved)
* | ||
* <p> | ||
* This class extends {@link XML11DTDProcessor} and customize the XML entity | ||
* manager with the {@link LSPXMLEntityManager} which takes care of download |
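Review bot: in the class Javadoc, "customize" should be "customizes" to agree with "extends", and the sentence is cut off at "takes care of download"; finish it so the Javadoc states what the `LSPXMLEntityManager` actually handles.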
which handles the "download external entities" setting.
My comment was wrong because it manages any error when the download is processed. So I think
any remote resource download errors.
should be better; what do you think about that?
...ipse.lemminx/src/main/java/org/eclipse/lemminx/extensions/xerces/LSPSchemaParsingConfig.java (outdated, resolved)
...ipse.lemminx/src/main/java/org/eclipse/lemminx/extensions/xerces/LSPSchemaParsingConfig.java (outdated, resolved)
f4af924 to acf6c04 (compare)
f7713ff to 0142632 (compare)
Everything using the Java server is working for me
Fixes redhat-developer/vscode-xml#671 Signed-off-by: azerr <azerr@redhat.com>
0142632 to 8674400 (compare)
@rgrunber can you please confirm that it works with the binary on Linux? I tested with Windows and it works well.
As mentioned, this works for me and it can be merged. I found an odd issue around the code actions when the schema reference URL contains a query string, but the change itself still worked in restricting the download as needed.
Thanks a lot @fbricon @AlexXuChen @rgrunber for your review!
Improve DTD/XSD security with regard to remote resources
Fixes #671
Signed-off-by: azerr <azerr@redhat.com>