XXE in eclipse IDE
Basic information
Project name: org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi
Project id: {id}
What are the affected versions?
probably all
Details of the issue
SonarLint reports many possible XXE vulnerabilities in the Eclipse IDE's source code, for example:
Steps to reproduce
Don't know. Probably by manipulating development XML files such as "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", ..., which should normally be self-contained and not require access to external sources.
Do you know any mitigations of the issue?
https://rules.sonarsource.com/java/RSPEC-2755 recommends replacing "SAXParserFactory.newInstance();" with code that disables external access through parser features and properties; see also https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
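As an added illustration of that recommendation (example code, not from the Eclipse code base), the following shows the flagged default factory next to a hardened one, and feeds both a constructed plugin.xml-style document whose DOCTYPE declares an external entity. The `disallow-doctype-decl` feature is Xerces-specific but is honoured by the JDK's built-in parser; the file path in the sample is a constructed placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Constructed sample shaped like a plugin.xml; its DOCTYPE declares an
    // external entity that points at a local file (placeholder path).
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE plugin [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<plugin id=\"example\">&ext;</plugin>\n";

    // The pattern SonarLint flags: nothing restricts DTDs or external entities.
    static SAXParserFactory unsafeFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened replacement: reject any DOCTYPE outright (which also covers
    // external entities and entity-expansion bombs); the remaining features
    // are a fallback for parser implementations that ignore the first one.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    // true  -> the parser processed the DOCTYPE (an IOException here means it
    //          already went out to fetch the external resource, which is the bug)
    // false -> the parser refused the DOCTYPE before touching anything external
    static boolean processesDoctype(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            parser.parse(new ByteArrayInputStream(bytes), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false; // e.g. "DOCTYPE is disallowed when the feature ... is true"
        } catch (IOException e) {
            return true;  // external entity resolution was attempted
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory processes DOCTYPE: " + processesDoctype(unsafeFactory(), SAMPLE_XML));
        System.out.println("hardened factory processes DOCTYPE: " + processesDoctype(hardenedFactory(), SAMPLE_XML));
    }
}
```

The same feature set applies to `DocumentBuilderFactory`, and the OWASP cheat sheet linked above lists the equivalent settings for the other JAXP entry points (StAX, Transformer, Validator).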