Added a config option to turn xml doctype declarations on in AMF Xml payload. It is called: "allow-xml-doctype-declaration"
Project: http://git-wip-us.apache.org/repos/asf/flex-blazeds/repo Commit: http://git-wip-us.apache.org/repos/asf/flex-blazeds/commit/561d8401 Tree: http://git-wip-us.apache.org/repos/asf/flex-blazeds/tree/561d8401 Diff: http://git-wip-us.apache.org/repos/asf/flex-blazeds/diff/561d8401 Branch: refs/heads/master Commit: 561d840192afad20225bcedbd8766a624280be6b Parents: 6786dc0 Author: Christofer Dutz <[email protected]> Authored: Sat Oct 24 09:17:56 2015 +0200 Committer: Christofer Dutz <[email protected]> Committed: Sat Oct 24 09:17:56 2015 +0200 ---------------------------------------------------------------------- modules/common/pom.xml | 2 +- modules/core/pom.xml | 2 +- .../messaging/endpoints/AbstractEndpoint.java | 2 + .../flex/messaging/io/SerializationContext.java | 2 + .../flex/messaging/io/amf/AbstractAmfInput.java | 2 +- .../src/flex/messaging/io/amfx/AmfxInput.java | 2 +- .../core/src/flex/messaging/util/XMLUtil.java | 10 +- modules/opt/pom.xml | 2 +- modules/opt/poms/tomcat4/pom.xml | 2 +- modules/opt/poms/tomcat6/pom.xml | 2 +- modules/opt/poms/tomcat7/pom.xml | 2 +- modules/pom.xml | 2 +- modules/proxy/pom.xml | 2 +- modules/remoting/pom.xml | 2 +- modules/testsuite/pom.xml | 2 +- .../io/amfx/AllowDocumentTypeDeclaration.java | 151 +++++++++++++++++++ 16 files changed, 175 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/common/pom.xml ----------------------------------------------------------------------
diff --git a/modules/common/pom.xml b/modules/common/pom.xml
index a518579..42e4d42 100755
--- a/modules/common/pom.xml
+++ b/modules/common/pom.xml
@@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>blazeds</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/core/pom.xml ---------------------------------------------------------------------- diff --git a/modules/core/pom.xml b/modules/core/pom.xml index 1309282..8d6c8fb 100755 --- a/modules/core/pom.xml +++ b/modules/core/pom.xml @@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>blazeds</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java ---------------------------------------------------------------------- diff --git a/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java b/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java index ffa1d0f..c265ea9 100644 --- a/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java +++ b/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java @@ -109,6 +109,7 @@ public abstract class AbstractEndpoint extends ManageableComponent private static final String LEGACY_THROWABLE = "legacy-throwable"; private static final String LEGACY_BIG_NUMBERS = "legacy-big-numbers"; private static final String LEGACY_EXTERNALIZABLE = "legacy-externalizable"; + private static final String ALLOW_XML_DOCTYPE_DECLARATION = "allow-xml-doctype-declaration"; private static final String ALLOW_XML_EXTERNAL_ENTITY_EXPANSION = "allow-xml-external-entity-expansion"; private static final String LOG_PROPERTY_ERRORS = "log-property-errors"; 
@@ -278,6 +279,7 @@ public abstract class AbstractEndpoint extends ManageableComponent serializationContext.legacyThrowable = serialization.getPropertyAsBoolean(LEGACY_THROWABLE, false); serializationContext.legacyBigNumbers = serialization.getPropertyAsBoolean(LEGACY_BIG_NUMBERS, false); serializationContext.legacyExternalizable = serialization.getPropertyAsBoolean(LEGACY_EXTERNALIZABLE, false); + serializationContext.allowXmlDoctypeDeclaration = serialization.getPropertyAsBoolean(ALLOW_XML_DOCTYPE_DECLARATION, false); serializationContext.allowXmlExternalEntityExpansion = serialization.getPropertyAsBoolean(ALLOW_XML_EXTERNAL_ENTITY_EXPANSION, false); serializationContext.maxObjectNestLevel = (int)serialization.getPropertyAsLong(MAX_OBJECT_NEST_LEVEL, 512); serializationContext.maxCollectionNestLevel = (int)serialization.getPropertyAsLong(MAX_COLLECTION_NEST_LEVEL, 15); http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/core/src/flex/messaging/io/SerializationContext.java ---------------------------------------------------------------------- diff --git a/modules/core/src/flex/messaging/io/SerializationContext.java b/modules/core/src/flex/messaging/io/SerializationContext.java index d4a9f41..9ffe17c 100644 --- a/modules/core/src/flex/messaging/io/SerializationContext.java +++ b/modules/core/src/flex/messaging/io/SerializationContext.java @@ -80,6 +80,7 @@ public class SerializationContext implements Serializable, Cloneable // Similarly like how many dimensional matrix that we support for serialization. public int maxCollectionNestLevel = 15; + public boolean allowXmlDoctypeDeclaration = false; public boolean allowXmlExternalEntityExpansion = false; /** 
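Review bot: The new `allow-xml-doctype-declaration` flag has no comment at any of the places it is introduced: the property read in this hunk, the public `allowXmlDoctypeDeclaration` field added to SerializationContext, and the `stringToDocument` Javadoc in XMLUtil, which as far as its hunk shows still describes only the namespace parameter. Because the default is `false`, deployments whose clients send XML containing a DOCTYPE will start getting parse errors after upgrading, and setting it to `true` makes the parser process DOCTYPE declarations in client-supplied AMF/AMFX XML again. I would add a field comment such as `// Security: when false (default) any DOCTYPE in incoming XML is rejected; enable only for trusted clients.` and matching `@param allowXmlDoctypeDeclaration` and `@param allowXmlExternalEntityExpansion` lines in the Javadoc. The enclosing methods of both hunks on this line continue outside what is shown.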
@@ -227,6 +228,7 @@ public class SerializationContext implements Serializable, Cloneable context.deserializationValidator = deserializationValidator; context.maxObjectNestLevel = maxObjectNestLevel; context.maxCollectionNestLevel = maxCollectionNestLevel; + context.allowXmlDoctypeDeclaration = allowXmlDoctypeDeclaration; context.allowXmlExternalEntityExpansion = allowXmlExternalEntityExpansion; context.preferVectors = preferVectors; return context; http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java ---------------------------------------------------------------------- diff --git a/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java b/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java index 5d985f6..a62a546 100644 --- a/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java +++ b/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java @@ -83,7 +83,7 @@ public abstract class AbstractAmfInput extends AmfIO implements ActionMessageInp // Validation performed in XMLUtil#stringToDocument. return XMLUtil.stringToDocument(xml, !(context.legacyXMLNamespaces), - context.allowXmlExternalEntityExpansion); + context.allowXmlDoctypeDeclaration, context.allowXmlExternalEntityExpansion); } /** http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/core/src/flex/messaging/io/amfx/AmfxInput.java ---------------------------------------------------------------------- diff --git a/modules/core/src/flex/messaging/io/amfx/AmfxInput.java b/modules/core/src/flex/messaging/io/amfx/AmfxInput.java index 8944049..83911ff 100644 --- a/modules/core/src/flex/messaging/io/amfx/AmfxInput.java +++ b/modules/core/src/flex/messaging/io/amfx/AmfxInput.java 
@@ -1050,7 +1050,7 @@ public class AmfxInput // Validation performed in XMLUtil#stringToDocument. Object value = XMLUtil.stringToDocument(xml, !(context.legacyXMLNamespaces), - context.allowXmlExternalEntityExpansion); + context.allowXmlDoctypeDeclaration, context.allowXmlExternalEntityExpansion); setValue(value); } http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/core/src/flex/messaging/util/XMLUtil.java ---------------------------------------------------------------------- diff --git a/modules/core/src/flex/messaging/util/XMLUtil.java b/modules/core/src/flex/messaging/util/XMLUtil.java index abc224d..e27149c 100644 --- a/modules/core/src/flex/messaging/util/XMLUtil.java +++ b/modules/core/src/flex/messaging/util/XMLUtil.java @@ -97,7 +97,7 @@ public class XMLUtil */ public static Document stringToDocument(String xml) { - return stringToDocument(xml, true, false); + return stringToDocument(xml, true, false, false); } /** @@ -109,7 +109,8 @@ public class XMLUtil * is name-space aware * @return Document */ - public static Document stringToDocument(String xml, boolean nameSpaceAware, boolean allowXmlExternalEntityExpansion) + public static Document stringToDocument(String xml, boolean nameSpaceAware, boolean allowXmlDoctypeDeclaration, + boolean allowXmlExternalEntityExpansion) { ClassUtil.validateCreation(Document.class); @@ -122,6 +123,11 @@ public class XMLUtil InputSource input = new InputSource(reader); DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + if(!allowXmlDoctypeDeclaration) + { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + } + if(!allowXmlExternalEntityExpansion) { // Disable local resolution of entities due to security issues http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/opt/pom.xml ---------------------------------------------------------------------- diff --git a/modules/opt/pom.xml b/modules/opt/pom.xml index d77fcf4..051ed24 100755 
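Review bot: The public three-argument `stringToDocument(String, boolean, boolean)` is replaced rather than kept as an overload, so code outside this commit that was compiled against it will no longer link. Keeping the old signature as a delegate with the safe default, `return stringToDocument(xml, nameSpaceAware, false, allowXmlExternalEntityExpansion);`, preserves the API while still rejecting DOCTYPEs for those callers. Two adjacent boolean parameters are also easy to transpose; the two call sites updated in this commit pass them in the declared order, but a comment at the declaration naming that order would help future callers.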
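Review bot: With `allowXmlDoctypeDeclaration` true and `allowXmlExternalEntityExpansion` false, nothing visible in this hunk stops the parser from fetching the external DTD named in the DOCTYPE, and the commit's own testDoctypeEnabled expects the local HTTP listener to be contacted in exactly that configuration. Turning the option on therefore re-enables outbound requests driven by client-supplied XML even though entity expansion is still reported as disabled. Unless that is intended, the `!allowXmlExternalEntityExpansion` branch should also set `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`, or the option's documentation should state the consequence. `setFeature` also throws `ParserConfigurationException` on a parser that does not recognise the Xerces feature URI; the surrounding try/catch is outside the hunk, so please confirm that this path fails closed rather than parsing without the restriction.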
--- a/modules/opt/pom.xml +++ b/modules/opt/pom.xml @@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>blazeds</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/opt/poms/tomcat4/pom.xml ---------------------------------------------------------------------- diff --git a/modules/opt/poms/tomcat4/pom.xml b/modules/opt/poms/tomcat4/pom.xml index d7d5f5b..2d742ee 100755 --- a/modules/opt/poms/tomcat4/pom.xml +++ b/modules/opt/poms/tomcat4/pom.xml @@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>flex-messaging-opt</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/opt/poms/tomcat6/pom.xml ---------------------------------------------------------------------- diff --git a/modules/opt/poms/tomcat6/pom.xml b/modules/opt/poms/tomcat6/pom.xml index d609a99..364d017 100755 --- a/modules/opt/poms/tomcat6/pom.xml +++ b/modules/opt/poms/tomcat6/pom.xml @@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>flex-messaging-opt</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/opt/poms/tomcat7/pom.xml ---------------------------------------------------------------------- diff --git a/modules/opt/poms/tomcat7/pom.xml b/modules/opt/poms/tomcat7/pom.xml index e80781e..6b73f3b 100755 --- a/modules/opt/poms/tomcat7/pom.xml +++ b/modules/opt/poms/tomcat7/pom.xml 
@@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>flex-messaging-opt</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/pom.xml ---------------------------------------------------------------------- diff --git a/modules/pom.xml b/modules/pom.xml index 33da3bb..6045b34 100755 --- a/modules/pom.xml +++ b/modules/pom.xml @@ -29,7 +29,7 @@ <groupId>org.apache.flex.blazeds</groupId> <artifactId>blazeds</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <packaging>pom</packaging> <name>Apache Flex: BlazeDS</name> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/proxy/pom.xml ---------------------------------------------------------------------- diff --git a/modules/proxy/pom.xml b/modules/proxy/pom.xml index 296d351..b1d9102 100755 --- a/modules/proxy/pom.xml +++ b/modules/proxy/pom.xml @@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>blazeds</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/remoting/pom.xml ---------------------------------------------------------------------- diff --git a/modules/remoting/pom.xml b/modules/remoting/pom.xml index 4ac1c74..93a6bfb 100755 --- a/modules/remoting/pom.xml +++ b/modules/remoting/pom.xml 
@@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>blazeds</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/testsuite/pom.xml ---------------------------------------------------------------------- diff --git a/modules/testsuite/pom.xml b/modules/testsuite/pom.xml index 8206cc5..1428f30 100644 --- a/modules/testsuite/pom.xml +++ b/modules/testsuite/pom.xml @@ -22,7 +22,7 @@ limitations under the License. <parent> <groupId>org.apache.flex.blazeds</groupId> <artifactId>blazeds</artifactId> - <version>4.8.0-SNAPSHOT</version> + <version>4.7.2-SNAPSHOT</version> <relativePath>../pom.xml</relativePath> </parent> http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/561d8401/modules/testsuite/src/test/java/flex/messaging/io/amfx/AllowDocumentTypeDeclaration.java ---------------------------------------------------------------------- diff --git a/modules/testsuite/src/test/java/flex/messaging/io/amfx/AllowDocumentTypeDeclaration.java b/modules/testsuite/src/test/java/flex/messaging/io/amfx/AllowDocumentTypeDeclaration.java new file mode 100644 index 0000000..c4427e7 --- /dev/null +++ b/modules/testsuite/src/test/java/flex/messaging/io/amfx/AllowDocumentTypeDeclaration.java 
@@ -0,0 +1,151 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package flex.messaging.io.amfx; + +import flex.messaging.MessageException; +import flex.messaging.util.XMLUtil; +import junit.framework.Assert; +import junit.framework.TestCase; + +import java.io.BufferedReader; +import java.io.IOException; +import java.io.InputStreamReader; +import java.io.OutputStream; +import java.net.ServerSocket; +import java.net.Socket; + +/** + * Created by christoferdutz on 23.07.15. + */ + +public class AllowDocumentTypeDeclaration extends TestCase { + + public void testDoctypeEnabled() throws Exception { + // Start a simple server socket. + TinyServer server = new TinyServer(); + server.start(); + + // Sleep for half a second. + Thread.sleep(500); + + try { + StringBuffer xml = new StringBuffer(512); + xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"); + xml.append("<!DOCTYPE foo PUBLIC \"-//VSR//PENTEST//EN\" \"http://localhost:" + server.getPort() + + "/service?ssrf\">"); + xml.append("<foo>Some content</foo>"); + XMLUtil.stringToDocument(xml.toString(), true, true, false); + + // The server should have been contacted. 
+ Assert.assertTrue(server.connected); + } finally { + server.kill(); + } + } + + public void testDoctypeDisabled() throws Exception { + // Start a simple server socket. + TinyServer server = new TinyServer(); + server.start(); + + // Sleep for half a second. + Thread.sleep(500); + + try { + StringBuffer xml = new StringBuffer(512); + xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"); + xml.append("<!DOCTYPE foo PUBLIC \"-//VSR//PENTEST//EN\" \"http://localhost:" + server.getPort() + + "/service?ssrf\">"); + xml.append("<foo>Some content</foo>"); + try { + XMLUtil.stringToDocument(xml.toString(), true, false, false); + Assert.fail("This should have failed."); + } catch (MessageException me) { + Assert.assertTrue(me.getMessage().contains("DOCTYPE")); + } + + // The server should not have been contacted. + Assert.assertFalse(server.connected); + } finally { + server.kill(); + } + } + + private class TinyServer extends Thread { + + private int port; + private boolean connected = false; + + private ServerSocket serverSocket; + private Socket clientSocket; + + @Override + public void run() { + try { + serverSocket = new ServerSocket(0); + port = serverSocket.getLocalPort(); + clientSocket = serverSocket.accept(); + connected = true; + BufferedReader reader = new BufferedReader(new InputStreamReader(clientSocket.getInputStream())); + while(reader.ready()) { + String line = reader.readLine(); + System.out.println(line); + } + OutputStream out = clientSocket.getOutputStream(); + out.write("HTTP/1.0 200 OK".getBytes()); + out.write("Content-Type: text/plain".getBytes()); + out.write("Content-Length: 1354".getBytes()); + out.write(("<!DOCTYPE foo [" + + "<!ELEMENT foo>" + + "]>").getBytes()); + out.flush(); + } catch (Exception e) { + // Ignore. + } finally { + try { + clientSocket.getOutputStream().close(); + } catch(Exception e) { + // Ignore ... + } + try { + clientSocket.getOutputStream().close(); + } catch(Exception e) { + // Ignore ... 
+ } + } + } + + public void kill() { + try { + serverSocket.close(); + } catch (IOException e) { + // Ignore. + } + } + + public int getPort() { + return port; + } + + public boolean isConnected() { + return connected; + } + } + +}
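Review bot: TinyServer binds its socket inside `run()`, so both tests rely on `Thread.sleep(500)` for `getPort()` to return the real port, and `connected` is a plain field written by the server thread and read by the test thread without synchronisation. Binding in the constructor and declaring the flag `volatile` removes the race, which matters most for testDoctypeDisabled, where a stale `false` would hide an outbound fetch. The finally block also closes `clientSocket.getOutputStream()` twice and never closes the socket itself, and the canned response is written without CRLF line endings. The class name does not end in `Test`, so check that the build's test includes actually pick it up. testDoctypeEnabled deserves a comment saying that contacting the server while `allowXmlExternalEntityExpansion` is false is the intended contract.

```java
private class TinyServer extends Thread {

    private final ServerSocket serverSocket;
    private final int port;
    // Written by the server thread, read by the test thread.
    private volatile boolean connected = false;

    TinyServer() throws IOException {
        // Bind before start() so getPort() is valid without sleeping.
        serverSocket = new ServerSocket(0);
        port = serverSocket.getLocalPort();
    }

    @Override
    public void run() {
        Socket clientSocket = null;
        try {
            clientSocket = serverSocket.accept();
            connected = true;
            // … unchanged: read the request, write the canned response …
        } catch (Exception e) {
            // accept() fails once kill() closes the listener.
        } finally {
            if (clientSocket != null) {
                try {
                    clientSocket.close();
                } catch (IOException e) {
                    // Ignore.
                }
            }
        }
    }

    // … unchanged: kill(), getPort(), isConnected() …
}
```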
