eclipse-oomph / oomph

Eclipse Public License 2.0

Oomph fails due to recent XML parser vulnerability changes #47

Closed Bananeweizen closed 10 months ago

Bananeweizen commented 10 months ago

When trying to edit a Dynamic Working Set configuration via Preferences > Oomph > Working Sets > Edit, I see this error in some of my IDEs, but not in all. The error message reminds me of the recent XML parser vulnerability changes from https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 where one of the mitigations was to disallow unknown protocols, if I understood it right.

java.net.MalformedURLException: unknown protocol: index
    at java.base/java.net.URL.<init>(URL.java:779)
    at java.base/java.net.URL.<init>(URL.java:654)
    at java.base/java.net.URL.<init>(URL.java:590)
    at org.eclipse.emf.ecore.resource.impl.URIHandlerImpl.createInputStream(URIHandlerImpl.java:199)
    at org.eclipse.emf.ecore.resource.impl.ExtensibleURIConverterImpl.createInputStream(ExtensibleURIConverterImpl.java:358)
    at org.eclipse.emf.ecore.resource.impl.ResourceImpl.load(ResourceImpl.java:1314)
    at org.eclipse.emf.ecore.resource.impl.ResourceSetImpl.demandLoad(ResourceSetImpl.java:259)
    at org.eclipse.emf.ecore.resource.impl.ResourceSetImpl.demandLoadHelper(ResourceSetImpl.java:274)
    at org.eclipse.emf.ecore.resource.impl.ResourceSetImpl.getResource(ResourceSetImpl.java:406)
    at org.eclipse.emf.ecore.resource.impl.ResourceSetImpl.getEObject(ResourceSetImpl.java:220)
    at org.eclipse.emf.ecore.util.EcoreUtil.resolve(EcoreUtil.java:209)
    at org.eclipse.emf.ecore.util.EcoreUtil.resolve(EcoreUtil.java:269)
    at org.eclipse.emf.ecore.impl.BasicEObjectImpl.eResolveProxy(BasicEObjectImpl.java:1516)
    at org.eclipse.emf.ecore.util.EcoreEList.resolveProxy(EcoreEList.java:206)
    at org.eclipse.emf.ecore.util.EcoreEList.resolve(EcoreEList.java:161)
    at org.eclipse.emf.ecore.util.EObjectResolvingEList.resolve(EObjectResolvingEList.java:60)
    at org.eclipse.emf.common.util.BasicEList.get(BasicEList.java:348)
    at org.eclipse.emf.ecore.util.EContentsEList$FeatureIteratorImpl.hasNext(EContentsEList.java:514)
    at org.eclipse.emf.ecore.util.EContentsEList$FeatureIteratorImpl.next(EContentsEList.java:595)
    at org.eclipse.emf.edit.ui.provider.DiagnosticDecorator$LiveValidator$2.run(DiagnosticDecorator.java:521)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)

Unfortunately I have not yet been able to reproduce this with a platform IDE or similar, but only with IDEs for a custom setup in our company. Therefore I'm not sure if the issue is valid, or if we have to eventually edit something in our company Oomph setup instead.

I guess the offending part in the setup file is the container here, which has been unchanged for years.

  <logicalProjectContainer
      xsi:type="setup:ProjectCatalog"
      href="index:/org.eclipse.setup#//@projectCatalogs[name='ETAS%20Projects']"/>

merks commented 10 months ago

The index: only works when there are redirections. The constant defined here:

https://github.com/eclipse-oomph/oomph/blob/c981e3ed3694841c61f4a1dccb496b0e5435ce3d/plugins/org.eclipse.oomph.setup.core/src/org/eclipse/oomph/setup/internal/core/SetupContext.java#L137

It is generally redirected to this by default:

https://github.com/eclipse-oomph/oomph/blob/c981e3ed3694841c61f4a1dccb496b0e5435ce3d/plugins/org.eclipse.oomph.setup.core/src/org/eclipse/oomph/setup/internal/core/SetupContext.java#L141

E.g.,

https://github.com/eclipse-oomph/oomph/blob/c981e3ed3694841c61f4a1dccb496b0e5435ce3d/plugins/org.eclipse.oomph.setup.core/src/org/eclipse/oomph/setup/internal/core/SetupContext.java#L141

So if you're seeing such an exception, then some appropriate redirection has not kicked in for the resource set in which the load is happening...
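To check whether a given resource set actually carries the redirection described in the comment above, here is an added Java example (not Oomph's own code, not part of the issue): it normalizes the `index:` URI through the resource set's URI map, reproduces the stream-creation failure from the stack trace when no mapping exists, and then shows the same URI resolving once a prefix mapping for `index:/` is registered. The target URL `https://example.invalid/setups/` is a constructed placeholder; the real default lives in the linked `SetupContext` line and is not reproduced here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;

import org.eclipse.emf.common.util.URI;
import org.eclipse.emf.ecore.resource.ResourceSet;
import org.eclipse.emf.ecore.resource.impl.ResourceSetImpl;

/** Diagnostic for the "unknown protocol: index" failure in the report above. */
public class IndexRedirectionCheck {

    // The index URI referenced from the setup file in the report.
    static final URI INDEX_SETUP_URI = URI.createURI("index:/org.eclipse.setup");
    static final URI INDEX_ROOT_URI = URI.createURI("index:/");

    // Constructed placeholder; the real default target is defined in
    // SetupContext (linked above) and is deliberately not reproduced here.
    static final URI EXAMPLE_TARGET_ROOT = URI.createURI("https://example.invalid/setups/");

    /** True if the resource set's URI map rewrites index: to a scheme java.net.URL understands. */
    static boolean isRedirected(ResourceSet resourceSet, URI uri) {
        URI normalized = resourceSet.getURIConverter().normalize(uri);
        return !"index".equals(normalized.scheme());
    }

    /** Registers the prefix redirection: EMF then rewrites index:/X to <targetRoot>X. */
    static void redirectIndex(ResourceSet resourceSet, URI targetRoot) {
        Map<URI, URI> uriMap = resourceSet.getURIConverter().getURIMap();
        uriMap.put(INDEX_ROOT_URI, targetRoot);
    }

    /** Attempts the same stream creation the stack trace shows; returns the error message, or null on success. */
    static String probeLoad(ResourceSet resourceSet, URI uri) {
        try (InputStream in = resourceSet.getURIConverter().createInputStream(uri)) {
            return null;
        } catch (IOException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        ResourceSet resourceSet = new ResourceSetImpl();
        System.out.println("redirected before: " + isRedirected(resourceSet, INDEX_SETUP_URI));
        // Without the mapping, URIHandlerImpl falls through to java.net.URL and fails as reported.
        System.out.println("load error before: " + probeLoad(resourceSet, INDEX_SETUP_URI));

        redirectIndex(resourceSet, EXAMPLE_TARGET_ROOT);
        System.out.println("redirected after:  " + isRedirected(resourceSet, INDEX_SETUP_URI));
        System.out.println("normalized to:     " + resourceSet.getURIConverter().normalize(INDEX_SETUP_URI));
    }
}
```

Running the unmapped probe prints the same `unknown protocol: index` message as the reported trace; after the mapping, `normalize` yields an `https:` URI, which is what the loading resource set must already see for `index:` references in a setup file to resolve.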

Bananeweizen commented 10 months ago

Thanks Ed for that explanation. So we can definitely close the issue and I will investigate locally why the redirection doesn't kick in (I know where it's configured). Sorry for raising a false alert with the CVE.

merks commented 10 months ago

No problem. Better to report a problem that turns out not to be a problem than to ignore what could be a serious problem!