
XXE in eclipse IDE

Basic information

Project name: org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi

Project id: {id}

What are the affected versions?

Probably all.

Details of the issue

SonarLint reports many possible XXE attacks in the Eclipse IDE's source code. For example: [image]

Steps to reproduce

Don't know. Probably by manipulating development XML files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", ..., which should normally be self-contained and not require access to external sources.

Do you know any mitigations of the issue?

https://rules.sonarsource.com/java/RSPEC-2755 recommends replacing "SAXParserFactory.newInstance();" with code that disables external access via parser features/properties; see also https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
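To make both the suspected attack path (a manipulated "feature.xml") and the recommended fix concrete, here is an added stand-alone example. It is not code from the Eclipse projects named above; the "feature.xml" content, the temp "secret" file, and the class/method names are constructed for the demonstration. It parses the same document once with the default `SAXParserFactory.newInstance()` that SonarLint flags, which resolves the external entity and leaks the file content into the `<name>` element, and once with a factory hardened as RSPEC-2755 and the OWASP cheat sheet describe, which rejects the DOCTYPE before any entity is resolved.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Default factory exactly as SonarLint flags it: DOCTYPE declarations and
    // external entities are permitted, so a crafted XML file can read local files.
    static SAXParserFactory vulnerableFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened factory per RSPEC-2755 / OWASP: forbid DOCTYPE entirely (the
    // primary fix), and as defence in depth also disable external general and
    // parameter entities, external DTD loading and XInclude.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Parses the document with the given factory and returns the character data
    // found inside the <name> element (hypothetical helper for this demo).
    static String parseNameElement(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        StringBuilder out = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            private boolean inName;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                inName = "name".equals(qName);
            }
            @Override public void endElement(String uri, String local, String qName) {
                if ("name".equals(qName)) inName = false;
            }
            @Override public void characters(char[] ch, int start, int length) {
                if (inName) out.append(ch, start, length);
            }
        };
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret": stands in for any file the IDE user can read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "s3cret-token".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed, attacker-controlled feature.xml: the external entity
        // pulls the secret file's content into the <name> element.
        String featureXml =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<!DOCTYPE feature [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<feature id=\"com.example.feature\" version=\"1.0.0\">\n" +
            "  <name>&xxe;</name>\n" +
            "</feature>\n";

        System.out.println("default factory : name = " + parseNameElement(vulnerableFactory(), featureXml));
        try {
            parseNameElement(hardenedFactory(), featureXml);
            System.out.println("hardened factory: unexpectedly parsed the document");
        } catch (SAXException e) {
            System.out.println("hardened factory: rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. With the default JDK parser the first line prints the temp file's content, which is the data-exfiltration side of XXE; the hardened factory fails with a SAXParseException at the DOCTYPE, before the entity is ever resolved. `disallow-doctype-decl` alone stops this class of attack for files that legitimately need no DTD, which is the case the issue makes for "build.xml", "plugin.xml" and "feature.xml"; the additional features matter where a DOCTYPE must be tolerated.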
