Original Comment: #308 (comment)
12:48:55.013 [DEBUG] [sun.net.www.protocol.http.HttpURLConnection] Redirected from http://java.sun.com/xml/ns/javaee/javaee_5.xsd to http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/javaee_5.xsd
If we are seeing HTTP GET requests inside of the XML parser, that means that the parser is vulnerable to XXE.
We need to fix this so that the spotless XML formatter is not making external entity requests.
We can't have our linting infrastructure making web requests, especially web requests over HTTP, as those can be maliciously intercepted by a MITM.
Here's an example where this has been a serious problem in the past.
https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
CC: @nedtwigg
This is a security vulnerability in spotless and should be treated as such.
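The log line above shows the JDK's built-in (Xerces-based) parser fetching a schema over plain HTTP while formatting. The following is an added example, not code from the spotless project, of how a formatter can build a `DocumentBuilder` that keeps the document's DOCTYPE and `xsi:schemaLocation` text intact but never opens a network connection for a DTD, schema or external entity. `OfflineXmlParser`, `newOfflineBuilder`, `RefusingResolver` and the sample document with its `dtd.example.invalid` URL are all assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical helper (not part of spotless): a DOM parser that never touches the network. */
public final class OfflineXmlParser {

    /** Builds a DocumentBuilder that does not load external DTDs, schemas or entities. */
    public static DocumentBuilder newOfflineBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature: keep the DOCTYPE declaration in the DOM but skip fetching the external subset.
        // (A formatter must preserve the declaration, so the stricter disallow-doctype-decl is not used.)
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // SAX features: never resolve external general or parameter entities (the classic XXE vectors).
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // JAXP 1.5 properties: an empty protocol list means no external DTD or schema access at all.
        // ACCESS_EXTERNAL_SCHEMA is what stops the javaee_5.xsd fetch seen in the log if validation is on.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // XInclude and entity-reference expansion are further ways to pull in outside content.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Second layer: if any code path still asks to resolve an external resource, fail closed.
        b.setEntityResolver(new RefusingResolver());
        return b;
    }

    /** Entity resolver that refuses every external lookup instead of opening a connection. */
    static final class RefusingResolver implements EntityResolver {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
            throw new SAXException("refusing to resolve external entity: " + systemId);
        }
    }

    /** Parses an in-memory XML string with the hardened builder. */
    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return newOfflineBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a web.xml-style file whose DOCTYPE points at a placeholder URL.
        String sample = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE web-app SYSTEM \"http://dtd.example.invalid/web-app_2_3.dtd\">\n"
                + "<web-app><display-name>demo</display-name></web-app>";
        Document d = parse(sample);
        // The document parses, the DOCTYPE is preserved, and no request was made for the DTD.
        System.out.println("root element: " + d.getDocumentElement().getTagName());
        System.out.println("doctype system id kept: " + d.getDoctype().getSystemId());
    }
}
```

Run the `main` method with the JDK's default parser; it completes without the resolver ever being called, because `load-external-dtd=false` skips the external subset before any entity resolution happens. Running it with JVM network access disabled (or with an outbound-connection monitor such as the `sun.net.www.protocol.http` debug logging shown above) is a quick regression check that no fetch sneaks back in when the factory configuration changes.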