Posted to commits@santuario.apache.org by co...@apache.org on 2021/09/02 08:20:21 UTC

[santuario-xml-security-java] branch SANTUARIO-577 created (now dd16c0a)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch SANTUARIO-577
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git.


      at dd16c0a  SANTUARIO-577 - Introduce a system property to control if file/http references are allowed from an unsigned context

This branch includes the following new commits:

     new dd16c0a  SANTUARIO-577 - Introduce a system property to control if file/http references are allowed from an unsigned context

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[santuario-xml-security-java] 01/01: SANTUARIO-577 - Introduce a system property to control if file/http references are allowed from an unsigned context

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch SANTUARIO-577
in repository https://gitbox.apache.org/repos/asf/santuario-xml-security-java.git

commit dd16c0a9ace2051dfc45f2375d56db5c08fb0310
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Sep 2 09:19:56 2021 +0100

    SANTUARIO-577 - Introduce a system property to control if file/http references are allowed from an unsigned context
---
 .../xml/security/encryption/XMLCipherInput.java    |  9 ++++-
 .../implementations/KeyInfoReferenceResolver.java  |  9 ++++-
 .../implementations/RetrievalMethodResolver.java   | 17 +++++++---
 .../utils/resolver/ResourceResolverContext.java    | 14 ++++++++
 .../security/test/dom/interop/BaltimoreTest.java   |  2 ++
 .../dom/utils/resolver/ResourceResolverTest.java   | 38 ++++++++++++++++++++++
 6 files changed, 82 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java b/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java
index 68598f7..28f5c26 100644
--- a/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java
+++ b/src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java
@@ -115,7 +115,14 @@ public class XMLCipherInput {
             try {
                 ResourceResolverContext resolverContext =
                     new ResourceResolverContext(uriAttr, null, secureValidation);
-                input = ResourceResolver.resolve(resolverContext);
+                if (resolverContext.isSafeURIToResolve()) {
+                    input = ResourceResolver.resolve(resolverContext);
+                } else {
+                    String uriToResolve = uriAttr != null ? uriAttr.getValue() : null;
+                    Object[] exArgs = {uriToResolve != null ? uriToResolve : "null", null};
+
+                    throw new ResourceResolverException("utils.resolver.noClass", exArgs, uriToResolve, null);
+                }
             } catch (ResourceResolverException ex) {
                 throw new XMLEncryptionException(ex);
             }
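Review bot: The rejection path reuses the message key `utils.resolver.noClass`, which by its name reports a missing resolver class, so a caller blocked by the new policy gets no hint that `org.apache.xml.security.allowUnsafeResourceResolving` is involved. A dedicated message entry stating that the reference was refused as unsafe would make the failure diagnosable. The same key is thrown in `KeyInfoReferenceResolver.resolveInput` and in the `RetrievalMethodResolver` hunk. The second element of `exArgs` is a literal `null` here and will be formatted into the message as is. The enclosing method starts and ends outside this hunk.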
diff --git a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
index 9641632..ae56256 100644
--- a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
+++ b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/KeyInfoReferenceResolver.java
@@ -39,6 +39,7 @@ import org.apache.xml.security.utils.Constants;
 import org.apache.xml.security.utils.XMLUtils;
 import org.apache.xml.security.utils.resolver.ResourceResolver;
 import org.apache.xml.security.utils.resolver.ResourceResolverContext;
+import org.apache.xml.security.utils.resolver.ResourceResolverException;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
@@ -203,7 +204,13 @@ public class KeyInfoReferenceResolver extends KeyResolverSpi {
     private XMLSignatureInput resolveInput(Attr uri, String baseURI, boolean secureValidation)
         throws XMLSecurityException {
         ResourceResolverContext resContext = new ResourceResolverContext(uri, baseURI, secureValidation);
-        return ResourceResolver.resolve(resContext);
+        if (resContext.isSafeURIToResolve()) {
+            return ResourceResolver.resolve(resContext);
+        }
+        String uriToResolve = uri != null ? uri.getValue() : null;
+        Object[] exArgs = { uriToResolve != null ? uriToResolve : "null", baseURI };
+
+        throw new ResourceResolverException("utils.resolver.noClass", exArgs, uriToResolve, baseURI);
     }
 
     /**
diff --git a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
index aba90e1..d7c951a 100644
--- a/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
+++ b/src/main/java/org/apache/xml/security/keys/keyresolver/implementations/RetrievalMethodResolver.java
@@ -47,6 +47,7 @@ import org.apache.xml.security.utils.Constants;
 import org.apache.xml.security.utils.XMLUtils;
 import org.apache.xml.security.utils.resolver.ResourceResolver;
 import org.apache.xml.security.utils.resolver.ResourceResolverContext;
+import org.apache.xml.security.utils.resolver.ResourceResolverException;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -254,12 +255,18 @@ public class RetrievalMethodResolver extends KeyResolverSpi {
         // Apply the transforms
         Transforms transforms = rm.getTransforms();
         ResourceResolverContext resContext = new ResourceResolverContext(uri, baseURI, secureValidation);
-        XMLSignatureInput resource = ResourceResolver.resolve(resContext);
-        if (transforms != null) {
-            LOG.debug("We have Transforms");
-            resource = transforms.performTransforms(resource);
+        if (resContext.isSafeURIToResolve()) {
+            XMLSignatureInput resource = ResourceResolver.resolve(resContext);
+            if (transforms != null) {
+                LOG.debug("We have Transforms");
+                resource = transforms.performTransforms(resource);
+            }
+            return resource;
         }
-        return resource;
+        String uriToResolve = uri != null ? uri.getValue() : null;
+        Object[] exArgs = { uriToResolve != null ? uriToResolve : "null", baseURI };
+
+        throw new ResourceResolverException("utils.resolver.noClass", exArgs, uriToResolve, baseURI);
     }
 
     /** {@inheritDoc} */
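Review bot: The guard-then-throw sequence here is the third copy of the same lines (also in `XMLCipherInput` and `KeyInfoReferenceResolver.resolveInput`), and every call site has to remember to call `isSafeURIToResolve()` before `ResourceResolver.resolve`. A single helper that performs the check and throws would keep the policy in one place and make it harder for a future unsigned-context caller to skip it. The method containing this hunk starts outside it.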
diff --git a/src/main/java/org/apache/xml/security/utils/resolver/ResourceResolverContext.java b/src/main/java/org/apache/xml/security/utils/resolver/ResourceResolverContext.java
index f584401..5e76ded 100644
--- a/src/main/java/org/apache/xml/security/utils/resolver/ResourceResolverContext.java
+++ b/src/main/java/org/apache/xml/security/utils/resolver/ResourceResolverContext.java
@@ -18,6 +18,8 @@
  */
 package org.apache.xml.security.utils.resolver;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Collections;
 import java.util.Map;
 
@@ -25,6 +27,10 @@ import org.w3c.dom.Attr;
 
 public class ResourceResolverContext {
 
+    private static boolean allowUnsafeResourceResolving =
+            AccessController.doPrivileged(
+                    (PrivilegedAction<Boolean>) () -> Boolean.getBoolean("org.apache.xml.security.allowUnsafeResourceResolving"));
+
     private final Map<String, String> properties;
 
     public final String uriToResolve;
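Review bot: `allowUnsafeResourceResolving` is declared `private static` but not `final`, although the visible code assigns it only in the initializer; `private static final boolean` would make the read-once behaviour explicit. Because the value is captured at class initialization, setting the property after `ResourceResolverContext` has been loaded has no effect. That deserves a comment above the field, for example `// Read once at class load; when true, file: and http: references are resolved even from an unsigned context.`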
@@ -51,4 +57,12 @@ public class ResourceResolverContext {
         return properties;
     }
 
+    public boolean isSafeURIToResolve() {
+        if (allowUnsafeResourceResolving) {
+            return true;
+        }
+        boolean forbiddenURI = (uriToResolve != null && (uriToResolve.startsWith("file:") || uriToResolve.startsWith("http:")))
+                || (baseUri != null && (baseUri.startsWith("file:") || baseUri.startsWith("http:")));
+        return !forbiddenURI;
+    }
 }
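Review bot: The prefix test in `isSafeURIToResolve` is a case-sensitive denylist of exactly `file:` and `http:`, so a reference whose scheme is written in another case, or that uses a different scheme such as `https:`, is reported as safe. URI schemes are case-insensitive, and whether any registered resolver accepts those forms is not visible in this hunk, so the guard should not rely on that. Compare the scheme without regard to case, and consider inverting the test so that only same-document references (empty or starting with `#`) pass unless the system property is set. The public method also lacks Javadoc stating that both `uriToResolve` and `baseUri` are checked and which property overrides the result.

```java
    public boolean isSafeURIToResolve() {
        if (allowUnsafeResourceResolving) {
            return true;
        }
        return !hasForbiddenScheme(uriToResolve) && !hasForbiddenScheme(baseUri);
    }

    // URI schemes are case-insensitive, so match the prefix ignoring case.
    private static boolean hasForbiddenScheme(String uri) {
        return uri != null
            && (uri.regionMatches(true, 0, "file:", 0, 5)
                || uri.regionMatches(true, 0, "http:", 0, 5));
    }
```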
diff --git a/src/test/java/org/apache/xml/security/test/dom/interop/BaltimoreTest.java b/src/test/java/org/apache/xml/security/test/dom/interop/BaltimoreTest.java
index 833ad72..555f041 100644
--- a/src/test/java/org/apache/xml/security/test/dom/interop/BaltimoreTest.java
+++ b/src/test/java/org/apache/xml/security/test/dom/interop/BaltimoreTest.java
@@ -52,6 +52,8 @@ public class BaltimoreTest extends InteropTestBase {
         "src/test/resources/ie/baltimore/merlin-examples/merlin-xmldsig-twenty-three/";
 
     static {
+        System.setProperty("org.apache.xml.security.allowUnsafeResourceResolving", "true");
+
         String basedir = System.getProperty("basedir");
         if(basedir != null && basedir.length() != 0) {
             merlinsDir15 = basedir + "/" + merlinsDir15;
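Review bot: The static initializer sets `org.apache.xml.security.allowUnsafeResourceResolving` for the whole JVM and nothing clears it, so the relaxed policy leaks into every test class that runs afterwards in the same process. Since `ResourceResolverContext` reads the property once at class initialization, the outcome depends on load order. If this class initializes first, the new `assertFalse` checks in `ResourceResolverTest` would presumably fail; if the context class is already loaded, the property is ignored here. Whether the build forks a JVM per test class is not visible; if it does not, run these interop tests in their own fork and add a comment saying why the flag is needed.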
diff --git a/src/test/java/org/apache/xml/security/test/dom/utils/resolver/ResourceResolverTest.java b/src/test/java/org/apache/xml/security/test/dom/utils/resolver/ResourceResolverTest.java
index 0a37b59..d07155f 100644
--- a/src/test/java/org/apache/xml/security/test/dom/utils/resolver/ResourceResolverTest.java
+++ b/src/test/java/org/apache/xml/security/test/dom/utils/resolver/ResourceResolverTest.java
@@ -28,7 +28,9 @@ import org.apache.xml.security.utils.resolver.implementations.ResolverLocalFiles
 import org.w3c.dom.Attr;
 import org.w3c.dom.Document;
 
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
 /**
@@ -96,4 +98,40 @@ public class ResourceResolverTest {
         }
     }
 
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveFile() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        String file = new File(basedir, "pom.xml").toURI().toString();
+        uriAttr.setValue(file);
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertFalse(resolverContext.isSafeURIToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveHTTP() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        uriAttr.setValue("http://www.apache.org");
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertFalse(resolverContext.isSafeURIToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveLocalReference() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        uriAttr.setValue("#1234");
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertTrue(resolverContext.isSafeURIToResolve());
+    }
 }
\ No newline at end of file
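Review bot: The three new tests only exercise `uriToResolve` with a null base URI, so the `baseUri` branch of `isSafeURIToResolve` and the `allowUnsafeResourceResolving` override are not covered. A case with a `#` fragment URI and a `file:` base URI would pin the second half of the condition. `testIsSafeURIToResolveHTTP` and `testIsSafeURIToResolveLocalReference` each declare an unused `String basedir = System.getProperty("basedir");` that can be dropped.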