CAMEL-8312: XML External Entity (XXE) injection in XPath. Thanks to Stephan
Siano for the patch.
Conflicts:
camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/601ddda4
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/601ddda4
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/601ddda4
Branch: refs/heads/camel-2.12.x
Commit: 601ddda449ae9a350597ac73f88f470a6f6549be
Parents: b0ee3e0
Author: Claus Ibsen <[email protected]>
Authored: Sun Mar 1 11:51:49 2015 +0100
Committer: Christian Schneider <[email protected]>
Committed: Fri May 8 17:08:22 2015 +0200
----------------------------------------------------------------------
.../apache/camel/builder/xml/XPathBuilder.java | 20 ----------
.../camel/builder/xml/XPathFeatureTest.java | 42 +++++++++++++++-----
.../camel/component/xslt/SaxonXsltDTDTest.java | 11 +++--
3 files changed, 39 insertions(+), 34 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/601ddda4/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
----------------------------------------------------------------------
diff --git
a/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
b/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
index 403a1fb..8bb1a0d 100644
--- a/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
+++ b/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
@@ -52,7 +52,6 @@ import org.apache.camel.NoTypeConversionAvailableException;
import org.apache.camel.Predicate;
import org.apache.camel.RuntimeExpressionException;
import org.apache.camel.WrappedFile;
-import org.apache.camel.component.bean.BeanInvocation;
import org.apache.camel.impl.DefaultExchange;
import org.apache.camel.spi.Language;
import org.apache.camel.spi.NamespaceAware;
@@ -1117,25 +1116,6 @@ public class XPathBuilder extends ServiceSupport
implements Expression, Predicat
}
}
- // okay we can try to remedy the failed conversion by some special
types
- if (answer == null) {
- // let's try coercing some common types into something JAXP work
with the best for special types
- if (body instanceof WrappedFile) {
- // special for files so we can work with them out of the box
- InputStream is =
exchange.getContext().getTypeConverter().convertTo(InputStream.class, exchange,
body);
- answer = new InputSource(is);
- } else if (body instanceof BeanInvocation) {
- // if its a null bean invocation then handle that specially
- BeanInvocation bi =
exchange.getContext().getTypeConverter().convertTo(BeanInvocation.class,
exchange, body);
- if (bi.getArgs() != null && bi.getArgs().length == 1 &&
bi.getArgs()[0] == null) {
- // its a null argument from the bean invocation so use
null as answer
- answer = null;
- }
- } else if (body instanceof String) {
- answer = new InputSource(new StringReader((String) body));
- }
- }
-
if (type == null && answer == null) {
// fallback to get the body as is
answer = body;
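Review bot: Nothing in the remaining code records why the String/WrappedFile-to-`InputSource` shortcut was removed, so a later contributor may re-add it as a convenience and silently reopen the issue. Judging from the test changes in this commit the body now reaches the XPath engine only through the `Document` type conversion, presumably so that the converter's DocumentBuilder settings (including external-entity handling) apply, whereas a raw `InputSource` is parsed by the XPath implementation's own parser and, as far as I can tell, bypasses them. I would add, just above `if (type == null && answer == null)`: `// Do not coerce String/file bodies into a raw InputSource here: the XPath engine parses it with its own parser, bypassing the XML hardening applied by the Document type conversion (CAMEL-8312).` The `InputStream`, `StringReader` and `InputSource` imports may now be unused, but the hunk does not show them, so that needs checking; the enclosing method starts and ends outside the hunk.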
http://git-wip-us.apache.org/repos/asf/camel/blob/601ddda4/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
----------------------------------------------------------------------
diff --git
a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
index 0d90530..dfad770 100644
---
a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
+++
b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
@@ -19,11 +19,13 @@ package org.apache.camel.builder.xml;
import java.io.FileNotFoundException;
-import javax.xml.xpath.XPathExpressionException;
-
import org.apache.camel.ContextTestSupport;
import org.apache.camel.Exchange;
+import org.apache.camel.NoTypeConversionAvailableException;
+import org.apache.camel.RuntimeCamelException;
+import org.apache.camel.TypeConversionException;
import org.apache.camel.converter.jaxp.XmlConverter;
+import org.xml.sax.SAXParseException;
import static org.apache.camel.builder.xml.XPathBuilder.xpath;
@@ -32,18 +34,19 @@ public class XPathFeatureTest extends ContextTestSupport {
public static final String XML_DATA = " <!DOCTYPE foo [ "
+ " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///bin/test.sh\"
>]> <test> &xxe; </test>";
-
-
+ public static final String XML_DATA_INVALID = " <!DOCTYPE foo [ "
+ + " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM
\"file:///bin/test.sh\" >]> <test> &xxe; </test><notwellformed>";
+
@Override
public boolean isUseRouteBuilder() {
return false;
}
-
+
public void testXPathResult() throws Exception {
String result =
(String)xpath("/").stringResult().evaluate(createExchange(XML_DATA));
assertEquals("Get a wrong result", " ", result);
}
-
+
public void testXPath() throws Exception {
// Set this feature will enable the external general entities
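Review bot: `XML_DATA_INVALID` repeats the entire `XML_DATA` literal and differs only by the trailing `<notwellformed>`, so the two payloads can drift apart; `public static final String XML_DATA_INVALID = XML_DATA + "<notwellformed>";` expresses the relationship directly. Both constants also point the external entity at `file:///bin/test.sh`, so the `FileNotFoundException` the tests expect depends on that file being absent on the build host rather than on anything the test controls; a path that cannot exist, such as one under the test's own temp directory that is never created, would make the intent explicit and the test hermetic. The class continues outside the hunk.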
@@ -52,16 +55,35 @@ public class XPathFeatureTest extends ContextTestSupport {
try {
xpath("/").stringResult().evaluate(createExchange(XML_DATA));
fail("Expect an Exception here");
- } catch (Exception ex) {
- assertTrue("Get a wrong exception cause.", ex instanceof
InvalidXPathExpression);
- assertTrue("Get a wrong exception cause.", ex.getCause()
instanceof XPathExpressionException);
+ } catch (TypeConversionException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause()
instanceof RuntimeCamelException);
assertTrue("Get a wrong exception cause.",
ex.getCause().getCause() instanceof FileNotFoundException);
} finally {
System.clearProperty(DOM_BUILER_FACTORY_FEATRUE + ":"
+ "http://xml.org/sax/features/external-general-entities");
}
}
-
+
+ public void testXPathNoTypeConverter() throws Exception {
+ try {
+ // define a class without type converter as document type
+
xpath("/").documentType(Exchange.class).stringResult().evaluate(createExchange(XML_DATA));
+ fail("Expect an Exception here");
+ } catch (RuntimeCamelException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause()
instanceof NoTypeConversionAvailableException);
+ }
+ }
+
+ public void testXPathResultOnInvalidData() throws Exception {
+ try {
+
xpath("/").stringResult().evaluate(createExchange(XML_DATA_INVALID));
+ fail("Expect an Exception here");
+ } catch (TypeConversionException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause()
instanceof RuntimeCamelException);
+ assertTrue("Get a wrong exception cause.",
ex.getCause().getCause() instanceof SAXParseException);
+ }
+ }
+
protected Exchange createExchange(Object xml) {
Exchange exchange = createExchangeWithBody(context, xml);
return exchange;
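Review bot: The new catch blocks in `testXPath`, `testXPathNoTypeConverter` and `testXPathResultOnInvalidData` pin an exact wrapping chain (`TypeConversionException` → `RuntimeCamelException` → `FileNotFoundException`/`SAXParseException`) without saying why that is the expected shape, and every assertion reuses the message "Get a wrong exception cause.", which identifies nothing when one fails. I would add a comment above the first of them, e.g. `// since CAMEL-8312 the body is parsed inside the Document type conversion, so the entity lookup fails there and surfaces as a TypeConversionException`, and have each message name the expected type, e.g. `assertTrue("Expected RuntimeCamelException as cause, got " + ex.getCause(), ex.getCause() instanceof RuntimeCamelException);`. `ex.getCause().getCause()` also fails with a NullPointerException rather than a readable assertion when the chain is shorter than expected, so an `assertNotNull("Expected a nested cause", ex.getCause())` before it would help. The enclosing class continues outside the hunk.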
http://git-wip-us.apache.org/repos/asf/camel/blob/601ddda4/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
----------------------------------------------------------------------
diff --git
a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
index b826608..adef1d8 100644
---
a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
+++
b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
@@ -61,19 +61,22 @@ public class SaxonXsltDTDTest extends CamelTestSupport {
Exchange exchange = list.get(0);
String xml = exchange.getIn().getBody(String.class);
assertTrue("Get a wrong transformed message",
xml.indexOf("<transformed subject=\"\">") > 0);
-
-
+
+ endpoint.reset();
+ endpoint.expectedMessageCount(1);
try {
template.sendBody("direct:start2", message);
- fail("Expect an exception here");
+ list = endpoint.getReceivedExchanges();
+ exchange = list.get(0);
+ xml = exchange.getIn().getBody(String.class);
+ assertTrue("Get a wrong transformed message",
xml.indexOf("<transformed subject=\"\">") > 0);
} catch (Exception ex) {
// expect an exception here
assertTrue("Get a wrong exception", ex instanceof
CamelExecutionException);
// the file could not be found
assertTrue("Get a wrong exception cause", ex.getCause() instanceof
TransformerException);
}
-
}