This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/master by this push:
new 67589ec Disallow doctypes in a few more places
67589ec is described below
commit 67589ec0aafb643424c8dcd2d1cc448fc50c01fd
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Wed Jul 3 18:20:51 2019 +0100
Disallow doctypes in a few more places
---
.../apache/camel/catalog/DefaultCamelCatalog.java | 1 +
.../api/LinkedInExceptionResponseFilter.java | 24 ++++++++++++++++---
.../internal/client/DefaultBulkApiClient.java | 27 ++++++++++++++++++----
3 files changed, 45 insertions(+), 7 deletions(-)
diff --git
a/catalog/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
b/catalog/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
index 67f155b..52d68ca 100644
---
a/catalog/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
+++
b/catalog/camel-catalog/src/main/java/org/apache/camel/catalog/DefaultCamelCatalog.java
@@ -1384,6 +1384,7 @@ public class DefaultCamelCatalog extends
AbstractCamelCatalog implements CamelCa
DocumentBuilderFactory dbf =
DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
Boolean.TRUE);
+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl",
Boolean.TRUE);
Document dom = dbf.newDocumentBuilder().parse(new
ByteArrayInputStream(xml.getBytes()));
Object val =
XPathFactory.newInstance().newXPath().evaluate("count(/archetype-catalog/archetypes/archetype)",
dom, XPathConstants.NUMBER);
double num = (double) val;
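Review bot: The added `disallow-doctype-decl` feature carries no comment saying why it is there, and a future "simplify the parser setup" cleanup could drop it without noticing what it protects; a one-liner such as `// Reject any DOCTYPE: the archetype catalog never needs a DTD, and this blocks XXE and entity-expansion attacks outright` would anchor it. The enclosing method starts and ends outside the hunk, so I cannot see whether the ParserConfigurationException that setFeature throws for an unsupported feature is declared or handled there. Unrelated to the commit but on the adjacent line, `xml.getBytes()` uses the platform default charset; `xml.getBytes(StandardCharsets.UTF_8)` would make the parse deterministic across JVMs.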
diff --git
a/components/camel-linkedin/camel-linkedin-api/src/main/java/org/apache/camel/component/linkedin/api/LinkedInExceptionResponseFilter.java
b/components/camel-linkedin/camel-linkedin-api/src/main/java/org/apache/camel/component/linkedin/api/LinkedInExceptionResponseFilter.java
index 5e22d8f..49cc116 100644
---
a/components/camel-linkedin/camel-linkedin-api/src/main/java/org/apache/camel/component/linkedin/api/LinkedInExceptionResponseFilter.java
+++
b/components/camel-linkedin/camel-linkedin-api/src/main/java/org/apache/camel/component/linkedin/api/LinkedInExceptionResponseFilter.java
@@ -30,7 +30,12 @@ import javax.ws.rs.ext.Provider;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
-
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
import org.apache.camel.component.linkedin.api.model.Error;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -59,7 +64,20 @@ public class LinkedInExceptionResponseFilter implements
ClientResponseFilter {
if (responseContext.getStatus() != Response.Status.OK.getStatusCode()
&& responseContext.hasEntity()) {
try {
final Unmarshaller unmarshaller =
jaxbContext.createUnmarshaller();
- final Error error = (Error)
unmarshaller.unmarshal(responseContext.getEntityStream());
+
+ // Disable XXE
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ try {
+
spf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+
spf.setFeature("http://xml.org/sax/features/external-parameter-entities",
false);
+
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
false);
+ } catch (ParserConfigurationException | SAXException ex) {
+ LOG.debug("Error setting feature on parser: " +
ex.getMessage());
+ }
+ Source xmlSource =
+ new SAXSource(spf.newSAXParser().getXMLReader(), new
InputSource(responseContext.getEntityStream()));
+ final Error error = (Error) unmarshaller.unmarshal(xmlSource);
final Response.ResponseBuilder builder =
Response.status(responseContext.getStatusInfo());
builder.entity(error);
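Review bot: The commit is titled "Disallow doctypes", but this hunk never sets `http://apache.org/xml/features/disallow-doctype-decl`; it only turns off external entities and external DTD loading, so an internal DTD subset in an error response is still parsed. Since a LinkedIn error body has no legitimate need for a DOCTYPE, add `spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to the other three features. The inner catch only logs at debug and then goes on to build the SAXSource with whatever features did apply, so a failure to harden the parser is hidden; it should abort the parse instead (the outer multi-catch in the next hunk already handles ParserConfigurationException and SAXException, so the inner try/catch can simply be removed). Both points apply equally to the matching block added in DefaultBulkApiClient. Minor: `LOG.debug("Error setting feature on parser: " + ex.getMessage())` is string concatenation where the rest of this class uses parameterized logging, `LOG.debug("Error setting feature on parser: {}", ex.getMessage(), ex)`.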
@@ -69,7 +87,7 @@ public class LinkedInExceptionResponseFilter implements
ClientResponseFilter {
}
throw new LinkedInException(error, builder.build());
- } catch (JAXBException e) {
+ } catch (JAXBException | ParserConfigurationException |
SAXException e) {
// log and ignore
LOG.warn("Unable to parse LinkedIn error: {}", e.getMessage(),
e);
}
diff --git
a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/internal/client/DefaultBulkApiClient.java
b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/internal/client/DefaultBulkApiClient.java
index 55bdb05..da64180 100644
---
a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/internal/client/DefaultBulkApiClient.java
+++
b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/internal/client/DefaultBulkApiClient.java
@@ -29,7 +29,10 @@ import javax.xml.bind.JAXBElement;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller;
-import javax.xml.transform.stream.StreamSource;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
import org.apache.camel.component.salesforce.SalesforceHttpClient;
import org.apache.camel.component.salesforce.api.SalesforceException;
@@ -50,6 +53,8 @@ import
org.eclipse.jetty.client.util.InputStreamContentProvider;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.util.StringUtil;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
public class DefaultBulkApiClient extends AbstractClientBase implements
BulkApiClient {
@@ -201,7 +206,7 @@ public class DefaultBulkApiClient extends
AbstractClientBase implements BulkApiC
}
@Override
- public void createBatch(InputStream batchStream, String jobId, ContentType
contentTypeEnum,
+ public void createBatch(InputStream batchStream, String jobId, ContentType
contentTypeEnum,
Map<String, List<String>> headers, final BatchInfoResponseCallback
callback) {
final Request post = getRequest(HttpMethod.POST, batchUrl(jobId,
null), headers);
post.content(new InputStreamContentProvider(batchStream));
@@ -419,9 +424,23 @@ public class DefaultBulkApiClient extends
AbstractClientBase implements BulkApiC
throws SalesforceException {
try {
Unmarshaller unmarshaller = context.createUnmarshaller();
- JAXBElement<T> result = unmarshaller.unmarshal(new
StreamSource(response), resultClass);
+
+ // Disable XXE
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ try {
+
spf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+
spf.setFeature("http://xml.org/sax/features/external-parameter-entities",
false);
+
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
false);
+ } catch (ParserConfigurationException | SAXException ex) {
+ // LOG.debug("Error setting feature on parser: " +
ex.getMessage());
+ }
+ Source xmlSource =
+ new SAXSource(spf.newSAXParser().getXMLReader(), new
InputSource(response));
+
+ JAXBElement<T> result = unmarshaller.unmarshal(xmlSource,
resultClass);
return result.getValue();
- } catch (JAXBException e) {
+ } catch (JAXBException | SAXException | ParserConfigurationException
e) {
throw new SalesforceException(
String.format("Error unmarshaling response {%s:%s} : %s",
request.getMethod(), request.getURI(),
e.getMessage()),
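Review bot: The inner catch around the `setFeature` calls is now an empty block with a commented-out `// LOG.debug(...)` line, so a failed feature setting is silently swallowed and unmarshalling proceeds with a parser that may not be hardened. The outer catch a few lines below already handles `ParserConfigurationException | SAXException` and wraps them in the SalesforceException with the request method and URI, so the cleanest fix is to delete the inner try/catch and the dead comment and let those exceptions reach it. If the intent really is best-effort, keep the catch but name the variable `ignored` and say in a comment why continuing with a partially configured parser is acceptable here. The enclosing method starts before the hunk and the `throw new SalesforceException(...)` statement continues past its last line.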