Posted to commits@camel.apache.org by da...@apache.org on 2015/03/02 13:01:06 UTC
[1/7] camel git commit: CAMEL-8312: XML External Entity (XXE)
injection in XPath. Thanks to Stephan Siano for the patch.
Repository: camel
Updated Branches:
refs/heads/camel-2.13.x 3f0e22025 -> ae1dcaa8c
refs/heads/camel-2.14.x 39947ceaa -> d74a76364
CAMEL-8312: XML External Entity (XXE) injection in XPath. Thanks to Stephan Siano for the patch.
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/b47b51a1
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/b47b51a1
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/b47b51a1
Branch: refs/heads/camel-2.14.x
Commit: b47b51a195b38e7ab7c099d19910af70a16638f6
Parents: 39947ce
Author: Claus Ibsen <da...@apache.org>
Authored: Sun Mar 1 11:51:49 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Mon Mar 2 11:20:48 2015 +0100
----------------------------------------------------------------------
.../apache/camel/builder/xml/XPathBuilder.java | 21 ----------
.../camel/builder/xml/XPathFeatureTest.java | 42 +++++++++++++++-----
.../camel/component/xslt/SaxonXsltDTDTest.java | 11 +++--
.../camel/language/xpath/XPathLanguageTest.xml | 2 +-
4 files changed, 40 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/b47b51a1/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java b/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
index d618705..741fec8 100644
--- a/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
+++ b/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
@@ -18,7 +18,6 @@ package org.apache.camel.builder.xml;
import java.io.File;
import java.io.InputStream;
-import java.io.StringReader;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
@@ -51,7 +50,6 @@ import org.apache.camel.NoTypeConversionAvailableException;
import org.apache.camel.Predicate;
import org.apache.camel.RuntimeExpressionException;
import org.apache.camel.WrappedFile;
-import org.apache.camel.component.bean.BeanInvocation;
import org.apache.camel.impl.DefaultExchange;
import org.apache.camel.spi.Language;
import org.apache.camel.spi.NamespaceAware;
@@ -1113,25 +1111,6 @@ public class XPathBuilder extends ServiceSupport implements Expression, Predicat
}
}
- // okay we can try to remedy the failed conversion by some special types
- if (answer == null) {
- // let's try coercing some common types into something JAXP work with the best for special types
- if (body instanceof WrappedFile) {
- // special for files so we can work with them out of the box
- InputStream is = exchange.getContext().getTypeConverter().convertTo(InputStream.class, exchange, body);
- answer = new InputSource(is);
- } else if (body instanceof BeanInvocation) {
- // if its a null bean invocation then handle that specially
- BeanInvocation bi = exchange.getContext().getTypeConverter().convertTo(BeanInvocation.class, exchange, body);
- if (bi.getArgs() != null && bi.getArgs().length == 1 && bi.getArgs()[0] == null) {
- // its a null argument from the bean invocation so use null as answer
- answer = null;
- }
- } else if (body instanceof String) {
- answer = new InputSource(new StringReader((String) body));
- }
- }
-
if (type == null && answer == null) {
// fallback to get the body as is
answer = body;
http://git-wip-us.apache.org/repos/asf/camel/blob/b47b51a1/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
index 0d90530..dfad770 100644
--- a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
+++ b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
@@ -19,11 +19,13 @@ package org.apache.camel.builder.xml;
import java.io.FileNotFoundException;
-import javax.xml.xpath.XPathExpressionException;
-
import org.apache.camel.ContextTestSupport;
import org.apache.camel.Exchange;
+import org.apache.camel.NoTypeConversionAvailableException;
+import org.apache.camel.RuntimeCamelException;
+import org.apache.camel.TypeConversionException;
import org.apache.camel.converter.jaxp.XmlConverter;
+import org.xml.sax.SAXParseException;
import static org.apache.camel.builder.xml.XPathBuilder.xpath;
@@ -32,18 +34,19 @@ public class XPathFeatureTest extends ContextTestSupport {
public static final String XML_DATA = " <!DOCTYPE foo [ "
+ " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///bin/test.sh\" >]> <test> &xxe; </test>";
-
-
+ public static final String XML_DATA_INVALID = " <!DOCTYPE foo [ "
+ + " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///bin/test.sh\" >]> <test> &xxe; </test><notwellformed>";
+
@Override
public boolean isUseRouteBuilder() {
return false;
}
-
+
public void testXPathResult() throws Exception {
String result = (String)xpath("/").stringResult().evaluate(createExchange(XML_DATA));
assertEquals("Get a wrong result", " ", result);
}
-
+
public void testXPath() throws Exception {
// Set this feature will enable the external general entities
@@ -52,16 +55,35 @@ public class XPathFeatureTest extends ContextTestSupport {
try {
xpath("/").stringResult().evaluate(createExchange(XML_DATA));
fail("Expect an Exception here");
- } catch (Exception ex) {
- assertTrue("Get a wrong exception cause.", ex instanceof InvalidXPathExpression);
- assertTrue("Get a wrong exception cause.", ex.getCause() instanceof XPathExpressionException);
+ } catch (TypeConversionException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause() instanceof RuntimeCamelException);
assertTrue("Get a wrong exception cause.", ex.getCause().getCause() instanceof FileNotFoundException);
} finally {
System.clearProperty(DOM_BUILER_FACTORY_FEATRUE + ":"
+ "http://xml.org/sax/features/external-general-entities");
}
}
-
+
+ public void testXPathNoTypeConverter() throws Exception {
+ try {
+ // define a class without type converter as document type
+ xpath("/").documentType(Exchange.class).stringResult().evaluate(createExchange(XML_DATA));
+ fail("Expect an Exception here");
+ } catch (RuntimeCamelException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause() instanceof NoTypeConversionAvailableException);
+ }
+ }
+
+ public void testXPathResultOnInvalidData() throws Exception {
+ try {
+ xpath("/").stringResult().evaluate(createExchange(XML_DATA_INVALID));
+ fail("Expect an Exception here");
+ } catch (TypeConversionException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause() instanceof RuntimeCamelException);
+ assertTrue("Get a wrong exception cause.", ex.getCause().getCause() instanceof SAXParseException);
+ }
+ }
+
protected Exchange createExchange(Object xml) {
Exchange exchange = createExchangeWithBody(context, xml);
return exchange;
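Review bot: `testXPathResultOnInvalidData` has no comment saying what it guards, although it appears to be the regression test for the String-to-InputSource fallback that this commit removes from XPathBuilder. I would add above the method `// not-well-formed XML must fail in type conversion and must not be handed to the XPath engine as a raw InputSource (CAMEL-8312)`. Separately, `testXPath` in this hunk asserts a `FileNotFoundException` cause, so it passes only while `file:///bin/test.sh` is absent on the build host; pointing the entity at a path the test controls would make that outcome deterministic. `testXPath` begins outside the hunk, and the same hunk is repeated for camel-2.13.x in commit 7360aada further down.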
http://git-wip-us.apache.org/repos/asf/camel/blob/b47b51a1/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
----------------------------------------------------------------------
diff --git a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
index b826608..adef1d8 100644
--- a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
+++ b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
@@ -61,19 +61,22 @@ public class SaxonXsltDTDTest extends CamelTestSupport {
Exchange exchange = list.get(0);
String xml = exchange.getIn().getBody(String.class);
assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
-
-
+
+ endpoint.reset();
+ endpoint.expectedMessageCount(1);
try {
template.sendBody("direct:start2", message);
- fail("Expect an exception here");
+ list = endpoint.getReceivedExchanges();
+ exchange = list.get(0);
+ xml = exchange.getIn().getBody(String.class);
+ assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
} catch (Exception ex) {
// expect an exception here
assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
// the file could not be found
assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
}
-
}
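Review bot: The `catch (Exception ex)` branch left in place after the new assertions lets this test pass on either outcome: a successful transform with an empty `subject`, or a `CamelExecutionException` caused by a `TransformerException`, which is what the old `fail(...)` version expected when the external entity was looked up. A regression that resolves the entity again would therefore probably still pass. Since the expected behaviour is now a successful transform, I would drop the try/catch and let any exception fail the test. This hunk also sets `endpoint.expectedMessageCount(1)` but reads `getReceivedExchanges()` without calling `assertMockEndpointsSatisfied();`, which the XsltDTDTest hunks do call. The same catch branch remains in both XsltDTDTest hunks (commits 367d53e7 and 06db9e07) and in the camel-2.13.x copy of this hunk (commit 7360aada); the test method starts outside the hunk.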
http://git-wip-us.apache.org/repos/asf/camel/blob/b47b51a1/components/camel-saxon/src/test/resources/org/apache/camel/language/xpath/XPathLanguageTest.xml
----------------------------------------------------------------------
diff --git a/components/camel-saxon/src/test/resources/org/apache/camel/language/xpath/XPathLanguageTest.xml b/components/camel-saxon/src/test/resources/org/apache/camel/language/xpath/XPathLanguageTest.xml
index 23cd4ea..5526be0 100644
--- a/components/camel-saxon/src/test/resources/org/apache/camel/language/xpath/XPathLanguageTest.xml
+++ b/components/camel-saxon/src/test/resources/org/apache/camel/language/xpath/XPathLanguageTest.xml
@@ -42,7 +42,7 @@
<route>
<from uri="seda:testSaxonWithFactory"/>
<setBody>
- <xpath factoryRef="saxonFactory" documentType="org.xml.sax.InputSource" resultType="java.lang.String" logNamespaces="true">tokenize(a, '\|')</xpath>
+ <xpath factoryRef="saxonFactory" resultType="java.lang.String" logNamespaces="true">tokenize(a, '\|')</xpath>
</setBody>
<log message="Test Saxon with factory: ${body}"/>
<to uri="mock:testSaxonWithFactoryResult"/>
[7/7] camel git commit: Fixed test
Posted by da...@apache.org.
Fixed test
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/ae1dcaa8
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/ae1dcaa8
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/ae1dcaa8
Branch: refs/heads/camel-2.13.x
Commit: ae1dcaa8cd969cd8bd487916e3e5022c739a956b
Parents: a9686b7
Author: Claus Ibsen <da...@apache.org>
Authored: Mon Mar 2 12:57:14 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Mon Mar 2 12:57:14 2015 +0100
----------------------------------------------------------------------
.../spring/spi/bridgePropertyPlaceholderConfigurerUtilIssue.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/ae1dcaa8/components/camel-spring/src/test/resources/org/apache/camel/spring/spi/bridgePropertyPlaceholderConfigurerUtilIssue.xml
----------------------------------------------------------------------
diff --git a/components/camel-spring/src/test/resources/org/apache/camel/spring/spi/bridgePropertyPlaceholderConfigurerUtilIssue.xml b/components/camel-spring/src/test/resources/org/apache/camel/spring/spi/bridgePropertyPlaceholderConfigurerUtilIssue.xml
index ca503b7..1cca7f1 100644
--- a/components/camel-spring/src/test/resources/org/apache/camel/spring/spi/bridgePropertyPlaceholderConfigurerUtilIssue.xml
+++ b/components/camel-spring/src/test/resources/org/apache/camel/spring/spi/bridgePropertyPlaceholderConfigurerUtilIssue.xml
@@ -25,7 +25,7 @@
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
">
- <util:constant id="test" static-field="org.apache.camel.spring.spi.BridgePropertyPlaceholderConfigurerTest.CONSTANT"/>
+ <util:constant id="test" static-field="org.apache.camel.spring.spi.BridgePropertyPlaceholderConfigurerUtilIssueTest.CONSTANT"/>
<bean id="bridgePropertyPlaceHolder" class="org.apache.camel.spring.spi.BridgePropertyPlaceholderConfigurer">
<property name="locations">
[3/7] camel git commit: Fixed CS
Posted by da...@apache.org.
Fixed CS
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/d74a7636
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/d74a7636
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/d74a7636
Branch: refs/heads/camel-2.14.x
Commit: d74a76364e36312f4bde0b10615f941bd299b192
Parents: 06db9e0
Author: Claus Ibsen <da...@apache.org>
Authored: Mon Mar 2 09:18:23 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Mon Mar 2 11:21:13 2015 +0100
----------------------------------------------------------------------
.../org/apache/camel/builder/xml/XPathFeatureTest.java | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/d74a7636/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
index dfad770..4b867c3 100644
--- a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
+++ b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
@@ -16,21 +16,21 @@
*/
package org.apache.camel.builder.xml;
-
import java.io.FileNotFoundException;
+import org.xml.sax.SAXParseException;
+
import org.apache.camel.ContextTestSupport;
import org.apache.camel.Exchange;
import org.apache.camel.NoTypeConversionAvailableException;
import org.apache.camel.RuntimeCamelException;
import org.apache.camel.TypeConversionException;
import org.apache.camel.converter.jaxp.XmlConverter;
-import org.xml.sax.SAXParseException;
import static org.apache.camel.builder.xml.XPathBuilder.xpath;
public class XPathFeatureTest extends ContextTestSupport {
- public static final String DOM_BUILER_FACTORY_FEATRUE = XmlConverter.DOCUMENT_BUILDER_FACTORY_FEATURE;
+ public static final String DOM_BUILDER_FACTORY_FEATURE = XmlConverter.DOCUMENT_BUILDER_FACTORY_FEATURE;
public static final String XML_DATA = " <!DOCTYPE foo [ "
+ " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///bin/test.sh\" >]> <test> &xxe; </test>";
@@ -48,9 +48,8 @@ public class XPathFeatureTest extends ContextTestSupport {
}
public void testXPath() throws Exception {
-
// Set this feature will enable the external general entities
- System.setProperty(DOM_BUILER_FACTORY_FEATRUE + ":"
+ System.setProperty(DOM_BUILDER_FACTORY_FEATURE + ":"
+ "http://xml.org/sax/features/external-general-entities", "true");
try {
xpath("/").stringResult().evaluate(createExchange(XML_DATA));
@@ -59,7 +58,7 @@ public class XPathFeatureTest extends ContextTestSupport {
assertTrue("Get a wrong exception cause.", ex.getCause() instanceof RuntimeCamelException);
assertTrue("Get a wrong exception cause.", ex.getCause().getCause() instanceof FileNotFoundException);
} finally {
- System.clearProperty(DOM_BUILER_FACTORY_FEATRUE + ":"
+ System.clearProperty(DOM_BUILDER_FACTORY_FEATURE + ":"
+ "http://xml.org/sax/features/external-general-entities");
}
}
@@ -89,5 +88,4 @@ public class XPathFeatureTest extends ContextTestSupport {
return exchange;
}
-
}
[6/7] camel git commit: Fixed CS
Posted by da...@apache.org.
Fixed CS
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/a9686b73
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/a9686b73
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/a9686b73
Branch: refs/heads/camel-2.13.x
Commit: a9686b73603a031aef9303f96f0b9c2ac1dcba9a
Parents: 367d53e
Author: Claus Ibsen <da...@apache.org>
Authored: Mon Mar 2 09:18:23 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Mon Mar 2 11:48:29 2015 +0100
----------------------------------------------------------------------
.../org/apache/camel/builder/xml/XPathFeatureTest.java | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/a9686b73/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
index dfad770..4b867c3 100644
--- a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
+++ b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
@@ -16,21 +16,21 @@
*/
package org.apache.camel.builder.xml;
-
import java.io.FileNotFoundException;
+import org.xml.sax.SAXParseException;
+
import org.apache.camel.ContextTestSupport;
import org.apache.camel.Exchange;
import org.apache.camel.NoTypeConversionAvailableException;
import org.apache.camel.RuntimeCamelException;
import org.apache.camel.TypeConversionException;
import org.apache.camel.converter.jaxp.XmlConverter;
-import org.xml.sax.SAXParseException;
import static org.apache.camel.builder.xml.XPathBuilder.xpath;
public class XPathFeatureTest extends ContextTestSupport {
- public static final String DOM_BUILER_FACTORY_FEATRUE = XmlConverter.DOCUMENT_BUILDER_FACTORY_FEATURE;
+ public static final String DOM_BUILDER_FACTORY_FEATURE = XmlConverter.DOCUMENT_BUILDER_FACTORY_FEATURE;
public static final String XML_DATA = " <!DOCTYPE foo [ "
+ " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///bin/test.sh\" >]> <test> &xxe; </test>";
@@ -48,9 +48,8 @@ public class XPathFeatureTest extends ContextTestSupport {
}
public void testXPath() throws Exception {
-
// Set this feature will enable the external general entities
- System.setProperty(DOM_BUILER_FACTORY_FEATRUE + ":"
+ System.setProperty(DOM_BUILDER_FACTORY_FEATURE + ":"
+ "http://xml.org/sax/features/external-general-entities", "true");
try {
xpath("/").stringResult().evaluate(createExchange(XML_DATA));
@@ -59,7 +58,7 @@ public class XPathFeatureTest extends ContextTestSupport {
assertTrue("Get a wrong exception cause.", ex.getCause() instanceof RuntimeCamelException);
assertTrue("Get a wrong exception cause.", ex.getCause().getCause() instanceof FileNotFoundException);
} finally {
- System.clearProperty(DOM_BUILER_FACTORY_FEATRUE + ":"
+ System.clearProperty(DOM_BUILDER_FACTORY_FEATURE + ":"
+ "http://xml.org/sax/features/external-general-entities");
}
}
@@ -89,5 +88,4 @@ public class XPathFeatureTest extends ContextTestSupport {
return exchange;
}
-
}
[5/7] camel git commit: XML External Entity (XXE) injection in
XmlConverter. Thanks to Stephan Siano for the patch.
Posted by da...@apache.org.
XML External Entity (XXE) injection in XmlConverter. Thanks to Stephan Siano for the patch.
Conflicts:
camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/367d53e7
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/367d53e7
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/367d53e7
Branch: refs/heads/camel-2.13.x
Commit: 367d53e73c8b5a1e73c24423e631709f9a96e08d
Parents: 7360aad
Author: Claus Ibsen <da...@apache.org>
Authored: Sun Mar 1 11:52:57 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Mon Mar 2 11:48:18 2015 +0100
----------------------------------------------------------------------
.../apache/camel/converter/jaxp/XmlConverter.java | 6 ++++++
.../apache/camel/component/xslt/XsltDTDTest.java | 16 +++++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/367d53e7/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index a3f4a29..5fd8920 100644
--- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -579,6 +579,12 @@ public class XmlConverter {
} catch (Exception e) {
LOG.warn("SAXParser doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
}
+ try {
+ sfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ } catch (SAXException e) {
+ LOG.warn("SAXParser doesn't support the feature {} with value {}, due to {}."
+ , new Object[]{"http://xml.org/sax/features/external-general-entities", false, e});
+ }
sfactory.setNamespaceAware(true);
SAXParser parser = sfactory.newSAXParser();
xmlReader = parser.getXMLReader();
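Review bot: Only `http://xml.org/sax/features/external-general-entities` is switched off here, so external parameter entities and the external DTD subset stay at the parser's defaults, and a DOCTYPE can reference external resources through those as well. I would set `http://xml.org/sax/features/external-parameter-entities` to `false` alongside it and, on Xerces-based parsers, `http://apache.org/xml/features/nonvalidating/load-external-dtd` to `false`. The new `catch (SAXException e)` is also narrower than the `catch (Exception e)` directly above it: `SAXParserFactory.setFeature` can throw `ParserConfigurationException`, which would propagate instead of being logged. When the feature is rejected the code only logs at WARN and then goes on to `newSAXParser()`, so the failure mode is an unhardened parser rather than a refused parse. The enclosing method starts and ends outside the hunk; the same block is added on camel-2.14.x in commit 06db9e07.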
http://git-wip-us.apache.org/repos/asf/camel/blob/367d53e7/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
index db5d63c..c0d2723 100644
--- a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
+++ b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
@@ -57,19 +57,25 @@ public class XsltDTDTest extends ContextTestSupport {
Exchange exchange = list.get(0);
String xml = exchange.getIn().getBody(String.class);
assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
-
-
-
+
try {
+ endpoint.reset();
+ endpoint.expectedMessageCount(1);
+
template.sendBody("direct:start2", message);
- fail("Expect an exception here");
+
+ assertMockEndpointsSatisfied();
+
+ list = endpoint.getReceivedExchanges();
+ exchange = list.get(0);
+ xml = exchange.getIn().getBody(String.class);
+ assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
} catch (Exception ex) {
// expect an exception here
assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
// the file could not be found
assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
}
-
}
[2/7] camel git commit: XML External Entity (XXE) injection in
XmlConverter. Thanks to Stephan Siano for the patch.
Posted by da...@apache.org.
XML External Entity (XXE) injection in XmlConverter. Thanks to Stephan Siano for the patch.
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/06db9e07
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/06db9e07
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/06db9e07
Branch: refs/heads/camel-2.14.x
Commit: 06db9e0744f2bb9f6e3bf16c0dfe7099a3481558
Parents: b47b51a
Author: Claus Ibsen <da...@apache.org>
Authored: Sun Mar 1 11:52:57 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Mon Mar 2 11:20:57 2015 +0100
----------------------------------------------------------------------
.../apache/camel/converter/jaxp/XmlConverter.java | 6 ++++++
.../apache/camel/component/xslt/XsltDTDTest.java | 16 +++++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/06db9e07/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index 7a6d61d..b2ad022 100644
--- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -602,6 +602,12 @@ public class XmlConverter {
} catch (Exception e) {
LOG.warn("SAXParser doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
}
+ try {
+ sfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ } catch (SAXException e) {
+ LOG.warn("SAXParser doesn't support the feature {} with value {}, due to {}."
+ , new Object[]{"http://xml.org/sax/features/external-general-entities", false, e});
+ }
}
sfactory.setNamespaceAware(true);
SAXParser parser = sfactory.newSAXParser();
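Review bot: On this branch the added `setFeature` block is followed by a closing brace before `sfactory.setNamespaceAware(true)`, so it runs only inside an enclosing block whose condition lies outside the hunk. If that block is the one that creates a default factory, a `SAXParserFactory` obtained any other way would reach `newSAXParser()` without external general entities being disabled; this needs confirming against the full method. If that is the intent, a comment such as `// factories supplied by the caller are used as configured and must disable external entities themselves` would make the trust boundary explicit.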
http://git-wip-us.apache.org/repos/asf/camel/blob/06db9e07/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
index db5d63c..c0d2723 100644
--- a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
+++ b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
@@ -57,19 +57,25 @@ public class XsltDTDTest extends ContextTestSupport {
Exchange exchange = list.get(0);
String xml = exchange.getIn().getBody(String.class);
assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
-
-
-
+
try {
+ endpoint.reset();
+ endpoint.expectedMessageCount(1);
+
template.sendBody("direct:start2", message);
- fail("Expect an exception here");
+
+ assertMockEndpointsSatisfied();
+
+ list = endpoint.getReceivedExchanges();
+ exchange = list.get(0);
+ xml = exchange.getIn().getBody(String.class);
+ assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
} catch (Exception ex) {
// expect an exception here
assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
// the file could not be found
assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
}
-
}
[4/7] camel git commit: CAMEL-8312: XML External Entity (XXE)
injection in XPath. Thanks to Stephan Siano for the patch.
Posted by da...@apache.org.
CAMEL-8312: XML External Entity (XXE) injection in XPath. Thanks to Stephan Siano for the patch.
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/7360aada
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/7360aada
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/7360aada
Branch: refs/heads/camel-2.13.x
Commit: 7360aada5154434c68774aa30e0f21ddc5f27b9f
Parents: 3f0e220
Author: Claus Ibsen <da...@apache.org>
Authored: Sun Mar 1 11:51:49 2015 +0100
Committer: Claus Ibsen <da...@apache.org>
Committed: Mon Mar 2 11:45:58 2015 +0100
----------------------------------------------------------------------
.../apache/camel/builder/xml/XPathBuilder.java | 21 ----------
.../camel/builder/xml/XPathFeatureTest.java | 42 +++++++++++++++-----
.../camel/component/xslt/SaxonXsltDTDTest.java | 11 +++--
3 files changed, 39 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/7360aada/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java b/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
index 47406fa..2941faf 100644
--- a/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
+++ b/camel-core/src/main/java/org/apache/camel/builder/xml/XPathBuilder.java
@@ -18,7 +18,6 @@ package org.apache.camel.builder.xml;
import java.io.File;
import java.io.InputStream;
-import java.io.StringReader;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
@@ -51,7 +50,6 @@ import org.apache.camel.NoTypeConversionAvailableException;
import org.apache.camel.Predicate;
import org.apache.camel.RuntimeExpressionException;
import org.apache.camel.WrappedFile;
-import org.apache.camel.component.bean.BeanInvocation;
import org.apache.camel.impl.DefaultExchange;
import org.apache.camel.spi.Language;
import org.apache.camel.spi.NamespaceAware;
@@ -1116,25 +1114,6 @@ public class XPathBuilder extends ServiceSupport implements Expression, Predicat
}
}
- // okay we can try to remedy the failed conversion by some special types
- if (answer == null) {
- // let's try coercing some common types into something JAXP work with the best for special types
- if (body instanceof WrappedFile) {
- // special for files so we can work with them out of the box
- InputStream is = exchange.getContext().getTypeConverter().convertTo(InputStream.class, exchange, body);
- answer = new InputSource(is);
- } else if (body instanceof BeanInvocation) {
- // if its a null bean invocation then handle that specially
- BeanInvocation bi = exchange.getContext().getTypeConverter().convertTo(BeanInvocation.class, exchange, body);
- if (bi.getArgs() != null && bi.getArgs().length == 1 && bi.getArgs()[0] == null) {
- // its a null argument from the bean invocation so use null as answer
- answer = null;
- }
- } else if (body instanceof String) {
- answer = new InputSource(new StringReader((String) body));
- }
- }
-
if (type == null && answer == null) {
// fallback to get the body as is
answer = body;
http://git-wip-us.apache.org/repos/asf/camel/blob/7360aada/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
index 0d90530..dfad770 100644
--- a/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
+++ b/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
@@ -19,11 +19,13 @@ package org.apache.camel.builder.xml;
import java.io.FileNotFoundException;
-import javax.xml.xpath.XPathExpressionException;
-
import org.apache.camel.ContextTestSupport;
import org.apache.camel.Exchange;
+import org.apache.camel.NoTypeConversionAvailableException;
+import org.apache.camel.RuntimeCamelException;
+import org.apache.camel.TypeConversionException;
import org.apache.camel.converter.jaxp.XmlConverter;
+import org.xml.sax.SAXParseException;
import static org.apache.camel.builder.xml.XPathBuilder.xpath;
@@ -32,18 +34,19 @@ public class XPathFeatureTest extends ContextTestSupport {
public static final String XML_DATA = " <!DOCTYPE foo [ "
+ " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///bin/test.sh\" >]> <test> &xxe; </test>";
-
-
+ public static final String XML_DATA_INVALID = " <!DOCTYPE foo [ "
+ + " <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///bin/test.sh\" >]> <test> &xxe; </test><notwellformed>";
+
@Override
public boolean isUseRouteBuilder() {
return false;
}
-
+
public void testXPathResult() throws Exception {
String result = (String)xpath("/").stringResult().evaluate(createExchange(XML_DATA));
assertEquals("Get a wrong result", " ", result);
}
-
+
public void testXPath() throws Exception {
// Set this feature will enable the external general entities
@@ -52,16 +55,35 @@ public class XPathFeatureTest extends ContextTestSupport {
try {
xpath("/").stringResult().evaluate(createExchange(XML_DATA));
fail("Expect an Exception here");
- } catch (Exception ex) {
- assertTrue("Get a wrong exception cause.", ex instanceof InvalidXPathExpression);
- assertTrue("Get a wrong exception cause.", ex.getCause() instanceof XPathExpressionException);
+ } catch (TypeConversionException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause() instanceof RuntimeCamelException);
assertTrue("Get a wrong exception cause.", ex.getCause().getCause() instanceof FileNotFoundException);
} finally {
System.clearProperty(DOM_BUILER_FACTORY_FEATRUE + ":"
+ "http://xml.org/sax/features/external-general-entities");
}
}
-
+
+ public void testXPathNoTypeConverter() throws Exception {
+ try {
+ // define a class without type converter as document type
+ xpath("/").documentType(Exchange.class).stringResult().evaluate(createExchange(XML_DATA));
+ fail("Expect an Exception here");
+ } catch (RuntimeCamelException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause() instanceof NoTypeConversionAvailableException);
+ }
+ }
+
+ public void testXPathResultOnInvalidData() throws Exception {
+ try {
+ xpath("/").stringResult().evaluate(createExchange(XML_DATA_INVALID));
+ fail("Expect an Exception here");
+ } catch (TypeConversionException ex) {
+ assertTrue("Get a wrong exception cause.", ex.getCause() instanceof RuntimeCamelException);
+ assertTrue("Get a wrong exception cause.", ex.getCause().getCause() instanceof SAXParseException);
+ }
+ }
+
protected Exchange createExchange(Object xml) {
Exchange exchange = createExchangeWithBody(context, xml);
return exchange;
http://git-wip-us.apache.org/repos/asf/camel/blob/7360aada/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
----------------------------------------------------------------------
diff --git a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
index b826608..adef1d8 100644
--- a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
+++ b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltDTDTest.java
@@ -61,19 +61,22 @@ public class SaxonXsltDTDTest extends CamelTestSupport {
Exchange exchange = list.get(0);
String xml = exchange.getIn().getBody(String.class);
assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
-
-
+
+ endpoint.reset();
+ endpoint.expectedMessageCount(1);
try {
template.sendBody("direct:start2", message);
- fail("Expect an exception here");
+ list = endpoint.getReceivedExchanges();
+ exchange = list.get(0);
+ xml = exchange.getIn().getBody(String.class);
+ assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">") > 0);
} catch (Exception ex) {
// expect an exception here
assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
// the file could not be found
assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
}
-
}