dims 2002/10/30 14:56:19
Modified: java/src/org/apache/axis/utils XMLUtils.java
java/src/org/apache/axis/encoding
DeserializationContextImpl.java
java/test/utils TestXMLUtils.java
Added: java/src/org/apache/axis/utils DefaultEntityResolver.java
Log:
Fix and Test cases for Bug 14105 - axis is vulnerable to XXE
Revision Changes Path
1.72 +13 -3 xml-axis/java/src/org/apache/axis/utils/XMLUtils.java
Index: XMLUtils.java
===================================================================
RCS file: /home/cvs/xml-axis/java/src/org/apache/axis/utils/XMLUtils.java,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- XMLUtils.java 10 Oct 2002 19:56:45 -0000 1.71
+++ XMLUtils.java 30 Oct 2002 22:56:19 -0000 1.72
@@ -112,6 +112,10 @@
private static SAXParserFactory saxFactory;
private static Stack saxParsers = new Stack();
+ private static java.io.PrintStream os = System.out;
+ private static String empty = new String("");
+ private static ByteArrayInputStream bais = new
ByteArrayInputStream(empty.getBytes());
+
static {
// Initialize SAX Parser factory defaults
initSAXFactory(null, true, false);
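Review bot: Of the three statics added above the `static {}` block, `os = System.out` is never used in this diff and `empty` exists only to feed one process-wide `ByteArrayInputStream`, which `getEmptyInputSource()` in the `@@ -708` hunk then hands to every parser. A single shared stream instance buys nothing for an empty source and couples every resolver call to one object; dropping all three fields and returning `return new InputSource(new ByteArrayInputStream(new byte[0]));` from `getEmptyInputSource()` keeps each call independent. `new String("")` can simply be `""`, and `getBytes()` without a charset uses the platform default, which is harmless here only because the string is empty. The new public method also has no Javadoc; a one-liner saying it supplies entity resolvers with an empty, never-null source would record why it exists.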
@@ -248,9 +252,10 @@
try {
SAXParser parser = saxFactory.newSAXParser();
- parser.getXMLReader().
- setFeature("http://xml.org/sax/features/namespace-prefixes",
- false);
+parser.getParser().setEntityResolver(new DefaultEntityResolver());
+ XMLReader reader = parser.getXMLReader();
+ reader.setEntityResolver(new DefaultEntityResolver());
+ reader.setFeature("http://xml.org/sax/features/namespace-prefixes",
false);
return parser;
} catch (ParserConfigurationException e) {
log.error(Messages.getMessage("parserConfigurationException00"), e);
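Review bot: Installing `DefaultEntityResolver` only intercepts the parser's attempts to open external entities; the DOCTYPE and the entity declarations inside it are still processed. As defence in depth, where the underlying SAX implementation supports them, the standard features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` can additionally be set to `false` on `reader`, inside the same `try` since `setFeature` may throw `SAXNotRecognizedException`/`SAXNotSupportedException`. The resolver is set twice, once on the SAX1 `org.xml.sax.Parser` view from `getParser()` and once on the `XMLReader`; a short comment noting that callers parse through both views (the test class does) would stop a later cleanup from removing one of them. The enclosing method, presumably `getSAXParser`, and its remaining catch clauses continue outside the hunk.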
@@ -314,6 +319,7 @@
synchronized (dbf) {
db = dbf.newDocumentBuilder();
}
+ db.setEntityResolver(new DefaultEntityResolver());
db.setErrorHandler( new ParserErrorHandler() );
return( db.parse( inp ) );
}
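Review bot: The added `db.setEntityResolver(new DefaultEntityResolver());` line carries no explanation of why a resolver that answers every request with an empty source is installed on each DocumentBuilder, so a later refactor could drop it without noticing; a comment such as `// Bug 14105: never fetch external entities referenced from a DOCTYPE` records the intent. Placing the call after `dbf.newDocumentBuilder()` is right, since the resolver is a per-builder setting rather than a factory one. The enclosing method starts outside the hunk.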
@@ -708,5 +714,9 @@
public static final String base64encode(byte[] bytes) {
return new String(Base64.encode(bytes));
+ }
+
+ public static InputSource getEmptyInputSource() {
+ return new InputSource(bais);
}
}
1.1
xml-axis/java/src/org/apache/axis/utils/DefaultEntityResolver.java
Index: DefaultEntityResolver.java
===================================================================
/*
* The Apache Software License, Version 1.1
*
*
* Copyright (c) 2001 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Axis" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact [EMAIL PROTECTED]
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*/
package org.apache.axis.utils;
import org.xml.sax.InputSource;
import org.apache.commons.logging.Log;
import org.apache.axis.components.logger.LogFactory;
import java.io.OutputStream;
import java.io.ByteArrayInputStream;
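/**
 * Entity resolver that refuses to fetch any external entity.
 *
 * Installed on the parsers produced by {@link XMLUtils} so that a DOCTYPE
 * referencing an external resource (Bug 14105, XXE) resolves to an empty
 * document fragment instead of the resource's contents.  Every call returns
 * a fresh empty input source, so parsers never share a stream instance.
 */
public class DefaultEntityResolver implements org.xml.sax.EntityResolver {

    /** Logger for this class; protected so subclasses can reuse it. */
    protected static Log log =
            LogFactory.getLog(DefaultEntityResolver.class.getName());

    public DefaultEntityResolver() {
    }

    /**
     * Resolves every external entity to an empty input source, so the
     * referenced resource is never opened.
     *
     * @param publicId the public identifier of the entity (ignored)
     * @param systemId the system identifier of the entity (ignored)
     * @return an {@link InputSource} over an empty byte stream; never null
     */
    public InputSource resolveEntity(String publicId, String systemId) {
        // A new stream per call: the parser consumes the source, and a single
        // static stream would be handed to every caller at once.
        return new InputSource(new ByteArrayInputStream(new byte[0]));
    }
}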
1.68 +6 -0
xml-axis/java/src/org/apache/axis/encoding/DeserializationContextImpl.java
Index: DeserializationContextImpl.java
===================================================================
RCS file:
/home/cvs/xml-axis/java/src/org/apache/axis/encoding/DeserializationContextImpl.java,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -r1.67 -r1.68
--- DeserializationContextImpl.java 24 Oct 2002 12:42:11 -0000 1.67
+++ DeserializationContextImpl.java 30 Oct 2002 22:56:19 -0000 1.68
@@ -90,6 +90,7 @@
import javax.xml.rpc.JAXRPCException;
import java.io.IOException;
+import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.HashMap;
@@ -1058,6 +1059,11 @@
throws SAXException
{
recorder.comment(ch, start, length);
+ }
+
+ public InputSource resolveEntity(String publicId, String systemId)
+ {
+ return XMLUtils.getEmptyInputSource();
}
}
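Review bot: The new `resolveEntity` override duplicates `DefaultEntityResolver`, and the `java.io.ByteArrayInputStream` import added in the `@@ -90` hunk is not used by it. It has no Javadoc; a one-liner such as `/** Refuses external entities (Bug 14105): always returns an empty InputSource. */` tells readers this is deliberate rather than a stub. Whether this override is ever consulted depends on the context being registered as the reader's entity resolver, which is not visible in the hunk; since the `XMLUtils.getSAXParser()` change already installs a resolver on the reader, a comment stating which one is expected to take effect would help. The enclosing class starts outside the hunk.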
1.15 +71 -1 xml-axis/java/test/utils/TestXMLUtils.java
Index: TestXMLUtils.java
===================================================================
RCS file: /home/cvs/xml-axis/java/test/utils/TestXMLUtils.java,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- TestXMLUtils.java 10 Oct 2002 19:56:45 -0000 1.14
+++ TestXMLUtils.java 30 Oct 2002 22:56:19 -0000 1.15
@@ -4,12 +4,18 @@
import junit.framework.TestCase;
import junit.framework.TestSuite;
import org.apache.axis.utils.XMLUtils;
+import org.apache.axis.message.SOAPHandler;
+import org.apache.axis.encoding.DeserializationContextImpl;
+import org.apache.axis.encoding.DeserializationContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
+import org.xml.sax.helpers.DefaultHandler;
import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.SAXParser;
+import javax.xml.soap.SOAPEnvelope;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
@@ -281,10 +287,74 @@
String output = org.apache.axis.utils.DOM2Writer.nodeToString(doc,false);
assertTrue(output.indexOf("http://www.w3.org/XML/1998/namespace")==-1);
}
+
+ public void testDOMXXE() throws Exception
+ {
+ StringBuffer sb = new StringBuffer();
+ sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
+ sb.append("<!DOCTYPE project [");
+ sb.append("<!ENTITY buildxml SYSTEM \"file:build.xml\">");
+ sb.append("]>");
+ sb.append("<xsd:schema targetNamespace=\"http://tempuri.org\"");
+ sb.append(" xmlns=\"http://tempuri.org\"");
+ sb.append(" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">");
+ sb.append(" <xsd:annotation>");
+ sb.append(" <xsd:documentation xml:lang=\"en\">");
+ sb.append(" &buildxml;");
+ sb.append(" Purchase order schema for Example.com.");
+ sb.append(" Copyright 2000 Example.com. All rights reserved.");
+ sb.append(" </xsd:documentation>");
+ sb.append(" </xsd:annotation>");
+ sb.append("</xsd:schema>");
+
+ StringReader strReader = new StringReader(sb.toString());
+ InputSource inputsrc = new InputSource(strReader);
+ Document doc = XMLUtils.newDocument(inputsrc);
+ String output = org.apache.axis.utils.DOM2Writer.nodeToString(doc,false);
+ }
+
+ String msg = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<!DOCTYPE project [" +
+ "<!ENTITY buildxml SYSTEM \"file:build.xml\">" +
+ "]>" +
+ "<SOAP-ENV:Envelope " +
+ "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ "xmlns:soapenc=\"http://schemas.xmlsoap.org/soap/encoding/\" > " +
+ "<SOAP-ENV:Body>\n" +
+ "&buildxml;" +
+ "<echo:Echo xmlns:echo=\"EchoService\">\n" +
+ "<symbol>IBM</symbol>\n" +
+ "</echo:Echo>\n" +
+ "</SOAP-ENV:Body></SOAP-ENV:Envelope>\n";
+
+ public void testSAXXXE1() throws Exception
+ {
+ StringReader strReader = new StringReader(msg);
+ InputSource inputsrc = new InputSource(strReader);
+ SAXParser parser = XMLUtils.getSAXParser();
+ parser.getParser().parse(inputsrc);
+ }
+
+ public void testSAXXXE2() throws Exception
+ {
+ StringReader strReader2 = new StringReader(msg);
+ InputSource inputsrc2 = new InputSource(strReader2);
+ SAXParser parser2 = XMLUtils.getSAXParser();
+ parser2.getXMLReader().parse(inputsrc2);
+ }
+
+ public void testSAXXXE3() throws Exception
+ {
+ StringReader strReader3 = new StringReader(msg);
+ DeserializationContext dser = new DeserializationContextImpl(
+ new InputSource(strReader3), null, org.apache.axis.Message.REQUEST);
+ dser.parse();
+ SOAPEnvelope env = dser.getEnvelope();
+ }
public static void main(String[] args) throws Exception
{
TestXMLUtils test = new TestXMLUtils("TestXMLUtils");
- test.testDOM2Writer();
+ test.testSAXXXE3();
}
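Review bot: None of the four new tests asserts that the entity was left unexpanded: `testDOMXXE` computes `output` and discards it, and the SAX tests only check that `parse` does not throw, so a regression that silently reads `file:build.xml` would still pass. Pointing the entity at a temporary file with a known sentinel and asserting the sentinel is absent from the parsed result makes the test fail for the right reason and removes the dependence on a `build.xml` being present in the working directory; the shared `msg` used by `testSAXXXE1`–`3` can be checked the same way with a `DefaultHandler` that collects `characters()`. `main` now runs only `testSAXXXE3` instead of `testDOM2Writer`, which looks like a debugging leftover. `StringReader` is used but not imported in the visible `@@ -4` hunk, and `java.io.File`/`FileWriter` would be needed for the sketch below; both may already be imported elsewhere in the file.
```java
    public void testDOMXXE() throws Exception
    {
        // Sentinel file the entity points at; its contents must never reach the parsed document.
        File target = File.createTempFile("xxe", ".txt");
        target.deleteOnExit();
        FileWriter fw = new FileWriter(target);
        fw.write("XXE_SENTINEL");
        fw.close();
        StringBuffer sb = new StringBuffer();
        sb.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
        sb.append("<!DOCTYPE project [");
        sb.append("<!ENTITY buildxml SYSTEM \"" + target.toURL() + "\">");
        // … unchanged: remainder of the schema document and the InputSource setup …
        Document doc = XMLUtils.newDocument(inputsrc);
        String output = org.apache.axis.utils.DOM2Writer.nodeToString(doc,false);
        assertTrue(output.indexOf("XXE_SENTINEL") == -1);
    }
```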
}