Posted to commits@camel.apache.org by da...@apache.org on 2022/12/25 13:41:47 UTC

[camel] branch main updated (628a1622666 -> 0bc10ee6139)

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


    from 628a1622666 CAMEL-18825: Make XML parser/transformers more secure out of the box.
     new e59b22c3cb1 CAMEL-18825: Make XML parser/transformers more secure out of the box.
     new 0a860de26ea CAMEL-18825: Make XML parser/transformers more secure out of the box.
     new 0c9e8ff16d5 xstream upgrade to 1.4.20
     new 0bc10ee6139 CAMEL-18825: Make XML parser/transformers more secure out of the box.

The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 camel-dependencies/pom.xml                                 |  2 +-
 .../org/apache/camel/converter/jaxb/JaxbDataFormat.java    | 14 ++++++++------
 .../org/apache/camel/builder/xml/XPathFeatureTest.java     | 14 ++++++++++----
 .../java/org/apache/camel/converter/jaxp/XmlConverter.java |  7 +++++++
 .../camel/support/builder/xml/XMLConverterHelper.java      |  7 +++++++
 .../modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc    |  4 ++++
 parent/pom.xml                                             |  2 +-
 7 files changed, 38 insertions(+), 12 deletions(-)


[camel] 02/04: CAMEL-18825: Make XML parser/transformers more secure out of the box.

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 0a860de26eaeafc6ee28989e2896fc4b9cb0a605
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Sun Dec 25 14:21:17 2022 +0100

    CAMEL-18825: Make XML parser/transformers more secure out of the box.
---
 .../main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java  | 2 --
 .../main/java/org/apache/camel/converter/jaxp/XmlConverter.java    | 7 +++++++
 .../org/apache/camel/support/builder/xml/XMLConverterHelper.java   | 7 +++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java b/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java
index a8e06b51c74..fb974d3f056 100644
--- a/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java
+++ b/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java
@@ -66,8 +66,6 @@ import org.apache.camel.util.IOHelper;
 import org.apache.camel.util.ObjectHelper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.xml.sax.SAXNotRecognizedException;
-import org.xml.sax.SAXNotSupportedException;
 
 /**
  * A <a href="http://camel.apache.org/data-format.html">data format</a> ({@link DataFormat}) using JAXB2 to marshal to
diff --git a/core/camel-xml-jaxp/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/core/camel-xml-jaxp/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index 21d5ace57ef..134ce223db9 100644
--- a/core/camel-xml-jaxp/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/core/camel-xml-jaxp/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -977,6 +977,13 @@ public class XmlConverter {
             LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}.",
                     XMLConstants.FEATURE_SECURE_PROCESSING, true, e.getMessage(), e);
         }
+        try {
+            // disable DOCTYPE declaration
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
+        } catch (ParserConfigurationException e) {
+            LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}.",
+                    "http://apache.org/xml/features/disallow-doctype-decl", true, e.getMessage(), e);
+        }
         try {
             // Disable the external-general-entities by default
             factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
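Review bot: The feature URI `http://apache.org/xml/features/disallow-doctype-decl` is spelled out twice in the added block, once in the setFeature call and once in the warn message, while the preceding block visible in context refers to its feature through the XMLConstants.FEATURE_SECURE_PROCESSING constant; hoisting it into `private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";` keeps the call and the log message in sync. The feature is implementation-specific, and on a DocumentBuilderFactory that does not recognise it the catch only logs and parsing continues with DOCTYPE declarations still allowed, which the comment should state: `// disallow DOCTYPE declarations; unsupported implementations only log a warning and keep the remaining feature settings`. The enclosing method starts and ends outside the hunk.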
diff --git a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java
index 266dff1c546..f8cdefd1a8e 100644
--- a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java
+++ b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java
@@ -135,6 +135,13 @@ public class XMLConverterHelper {
             LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}.",
                     "http://apache.org/xml/features/disallow-doctype-decl", true, e.getMessage());
         }
+        try {
+            // disable DOCTYPE declaration
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
+        } catch (ParserConfigurationException e) {
+            LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}.",
+                    "http://apache.org/xml/features/disallow-doctype-decl", true, e.getMessage(), e);
+        }
         try {
             // Disable the external-general-entities by default
             factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
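Review bot: The context lines directly above the insertion already log a warning naming `http://apache.org/xml/features/disallow-doctype-decl`, which suggests the preceding try block (outside the hunk) sets this very feature, so the added block appears to be a second setFeature call for the same feature and should be dropped or merged with the existing one. If both are kept, the two warn calls are inconsistent as well: the existing one passes three arguments and the new one appends `e` as a throwable. The parallel block added to XmlConverter.java in this commit does not have this problem, since its preceding block handles FEATURE_SECURE_PROCESSING. The enclosing method starts and ends outside the hunk.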


[camel] 04/04: CAMEL-18825: Make XML parser/transformers more secure out of the box.

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 0bc10ee6139762053b2f696a05f5d0acf8341c93
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Sun Dec 25 14:30:40 2022 +0100

    CAMEL-18825: Make XML parser/transformers more secure out of the box.
---
 .../org/apache/camel/builder/xml/XPathFeatureTest.java     | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java b/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
index 19d231cc88b..2cebddd263d 100644
--- a/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
+++ b/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
@@ -70,15 +70,20 @@ public class XPathFeatureTest extends ContextTestSupport {
     }
 
     @Test
-    public void testXPathResult() throws Exception {
-        String result = (String) xpath("/").stringResult().evaluate(createExchange(XML_DATA));
-        assertEquals("  ", result, "Get a wrong result");
+    public void testXPathDocTypeDisallowed() throws Exception {
+        try {
+            xpath("/").stringResult().evaluate(createExchange(XML_DATA));
+            fail();
+        } catch (Exception e) {
+            assertIsInstanceOf(SAXParseException.class, e.getCause());
+        }
     }
 
     @Test
     public void testXPath() throws Exception {
-        // Set this feature will enable the external general entities
+        // Set these features will enable the external general entities
         System.setProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + "http://xml.org/sax/features/external-general-entities", "true");
+        System.setProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + "http://apache.org/xml/features/disallow-doctype-decl", "false");
         try {
             xpath("/").stringResult().evaluate(createExchange(XML_DATA));
             fail("Expect an Exception here");
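Review bot: `fail()` in the new testXPathDocTypeDisallowed carries no message, unlike `fail("Expect an Exception here")` in testXPath a few lines below; `fail("Expected the DOCTYPE declaration to be rejected");` would make a failing run readable. The catch also accepts any Exception and then inspects e.getCause(), so an unrelated failure whose cause is null surfaces only as an unhelpful assertIsInstanceOf mismatch; asserting `assertNotNull(e.getCause())` first, or catching the specific exception type that evaluate throws if it is known, narrows the test to what it means to check. testXPath continues past the end of the hunk.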
@@ -88,6 +93,7 @@ public class XPathFeatureTest extends ContextTestSupport {
                     "Get a wrong exception cause: " + ex.getCause().getClass() + " instead of " + FileNotFoundException.class);
         } finally {
             System.clearProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + "http://xml.org/sax/features/external-general-entities");
+            System.clearProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + "http://apache.org/xml/features/disallow-doctype-decl");
         }
     }
 


[camel] 03/04: xstream upgrade to 1.4.20

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 0c9e8ff16d5e0760f41cc055de28eee21bc206d7
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Sun Dec 25 14:22:11 2022 +0100

    xstream upgrade to 1.4.20
---
 camel-dependencies/pom.xml | 2 +-
 parent/pom.xml             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/camel-dependencies/pom.xml b/camel-dependencies/pom.xml
index eb8b1e40502..95cfc98a3fb 100644
--- a/camel-dependencies/pom.xml
+++ b/camel-dependencies/pom.xml
@@ -567,7 +567,7 @@
     <xmlsec-version>2.2.3</xmlsec-version>
     <xmlunit-version>2.9.0</xmlunit-version>
     <xpp3-version>1.1.4c</xpp3-version>
-    <xstream-version>1.4.19</xstream-version>
+    <xstream-version>1.4.20</xstream-version>
     <yetus-audience-annotations-version>0.13.0</yetus-audience-annotations-version>
     <zendesk-client-version>0.19.0</zendesk-client-version>
     <zipkin-reporter-version>2.16.3</zipkin-reporter-version>
diff --git a/parent/pom.xml b/parent/pom.xml
index 1ea100efd76..4ad78861bc1 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -555,7 +555,7 @@
         <xmlsec-version>2.2.3</xmlsec-version>
         <xmlunit-version>2.9.0</xmlunit-version>
         <xpp3-version>1.1.4c</xpp3-version>
-        <xstream-version>1.4.19</xstream-version>
+        <xstream-version>1.4.20</xstream-version>
         <yetus-audience-annotations-version>0.13.0</yetus-audience-annotations-version>
         <zendesk-client-version>0.19.0</zendesk-client-version>
         <zipkin-reporter-version>2.16.3</zipkin-reporter-version>


[camel] 01/04: CAMEL-18825: Make XML parser/transformers more secure out of the box.

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit e59b22c3cb1e82bc392df978aa73c1a3c08256ba
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Sun Dec 25 14:15:44 2022 +0100

    CAMEL-18825: Make XML parser/transformers more secure out of the box.
---
 .../org/apache/camel/converter/jaxb/JaxbDataFormat.java  | 16 ++++++++++------
 .../modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc  |  4 ++++
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java b/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java
index ef8d56a63f8..a8e06b51c74 100644
--- a/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java
+++ b/components/camel-jaxb/src/main/java/org/apache/camel/converter/jaxb/JaxbDataFormat.java
@@ -66,6 +66,8 @@ import org.apache.camel.util.IOHelper;
 import org.apache.camel.util.ObjectHelper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 /**
  * A <a href="http://camel.apache.org/data-format.html">data format</a> ({@link DataFormat}) using JAXB2 to marshal to
@@ -361,7 +363,7 @@ public class JaxbDataFormat extends ServiceSupport
         this.contextPathIsClassName = contextPathIsClassName;
     }
 
-    public SchemaFactory getSchemaFactory() {
+    public SchemaFactory getSchemaFactory() throws SAXException {
         if (schemaFactory == null) {
             return getOrCreateSchemaFactory();
         }
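Review bot: Adding `throws SAXException` to the public `getSchemaFactory()` is a source-incompatible change: any existing caller that invokes it without handling or declaring SAXException no longer compiles. The same applies to the public static `createSchemaFactory()` in the hunk at @@ -620. The upgrade-guide change in this commit describes the tightened parser but does not mention the new checked exception; a sentence there, or a Javadoc `@throws SAXException if the underlying schema factory does not support the requested security feature` on both methods, would prepare callers. The rest of getSchemaFactory's body is outside the hunk.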
@@ -602,7 +604,7 @@ public class JaxbDataFormat extends ServiceSupport
     }
 
     private Source[] getSources() throws FileNotFoundException, MalformedURLException {
-        // we support multiple schema by delimiting they by ','
+        // we support multiple schema by delimiting by comma
         String[] schemas = schema.split(",");
         Source[] sources = new Source[schemas.length];
         for (int i = 0; i < schemas.length; i++) {
@@ -612,7 +614,7 @@ public class JaxbDataFormat extends ServiceSupport
         return sources;
     }
 
-    private SchemaFactory getOrCreateSchemaFactory() {
+    private SchemaFactory getOrCreateSchemaFactory() throws SAXException {
         SchemaFactory factory = SCHEMA_FACTORY_POOL.poll();
         if (factory == null) {
             factory = createSchemaFactory();
@@ -620,15 +622,17 @@ public class JaxbDataFormat extends ServiceSupport
         return factory;
     }
 
-    public static SchemaFactory createSchemaFactory() {
-        return SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+    public static SchemaFactory createSchemaFactory() throws SAXException {
+        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        return factory;
     }
 
     private void returnSchemaFactory(SchemaFactory factory) {
         if (factory != schemaFactory) {
             boolean result = SCHEMA_FACTORY_POOL.offer(factory);
             if (!result) {
-                LOG.error("offer() failed for SCHEMA_FACTORY_POOL");
+                LOG.debug("offer() failed for SCHEMA_FACTORY_POOL");
             }
         }
     }
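Review bot: createSchemaFactory now fails outright with a SAXException on a SchemaFactory implementation that does not recognise the implementation-specific `http://apache.org/xml/features/disallow-doctype-decl` feature, whereas the XmlConverter change in this series catches the unsupported case and logs a warning; the two approaches should be reconciled deliberately, and if hard failure is the intent here, the method's Javadoc should say so. As far as this hunk shows, the only setting applied is disallow-doctype-decl, while the upgrade-guide text added in the same commit says external DTD/Schema access is disabled for the jaxb data format; either also set the XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_SCHEMA properties on the factory or reword the guide to match what the code does. The LOG.error to LOG.debug downgrade in returnSchemaFactory looks reasonable if a failed offer() only means the pool is at capacity, which this hunk does not show.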
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
index 219c0f8b4c0..8b0ef78dc85 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
@@ -10,6 +10,10 @@ from both 3.0 to 3.1 and 3.1 to 3.2.
 
 XML parsers & XML transformers has been made more secure by disabling access to external DTD/Schema.
 
+=== camel-jaxb
+
+XML parser has been made more secure by disabling access to external DTD/Schema in the `jaxb` data format.
+
 === camel-stax
 
 The `StAXJAXBIteratorExpression` has been made more secure by disabling XML parser to access external DTD/Schema.