Merge remote-tracking branch 'origin/support-3.6' into support-3.6

infra/common/src/main/java/com/evolveum/midpoint/common/validator/Validator.java

@@ -170,6 +170,11 @@ public void validate(InputStream inputStream, OperationResult validatorResult,
 			stream = xmlInputFactory.createXMLStreamReader(inputStream);
 
 			int eventType = stream.nextTag();
+			if (eventType == XMLStreamConstants.DTD || eventType == XMLStreamConstants.ENTITY_DECLARATION 
+					|| eventType == XMLStreamConstants.ENTITY_REFERENCE  || eventType == XMLStreamConstants.NOTATION_DECLARATION) {
+				// We do not want those, e.g. we want to void XXE vulnerabilities. Make this check explicit.
+				throw new SystemException("Use of "+eventType+" in XML is prohibited");
+			}
 			if (eventType == XMLStreamConstants.START_ELEMENT) {
 				if (!QNameUtil.match(stream.getName(), SchemaConstants.C_OBJECTS)) {
 					// This has to be an import file with a single objects. Try

infra/prism/src/main/java/com/evolveum/midpoint/prism/lex/dom/DomLexicalProcessor.java

@@ -100,7 +100,7 @@ public List<RootXNode> readObjects(ParserSource source, ParsingContext parsingCo
 			}
 		}
 	}
-
+	
 	private List<RootXNode> readObjects(Document document) throws SchemaException{
 		Element root = DOMUtil.getFirstChildElement(document);
 		// TODO: maybe some check if this is a collection of other objects???

infra/prism/src/main/java/com/evolveum/midpoint/prism/schema/SchemaToDomProcessor.java

@@ -598,6 +598,13 @@ private void init() throws ParserConfigurationException {
 		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 		dbf.setNamespaceAware(true);
 		dbf.setValidating(false);
+		// XXE
+		dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+		dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+		dbf.setXIncludeAware(false);
+		dbf.setExpandEntityReferences(false);
 		DocumentBuilder db = dbf.newDocumentBuilder();
 
 		document = db.newDocument();

infra/prism/src/test/java/com/evolveum/midpoint/prism/TestPrismParsingXml.java

@@ -1,10 +1,18 @@
 package com.evolveum.midpoint.prism;
 
-import static com.evolveum.midpoint.prism.PrismInternalTestUtil.*;
+import static org.testng.AssertJUnit.assertTrue;
+import static com.evolveum.midpoint.prism.PrismInternalTestUtil.USER_JACK_ADHOC_BASENAME;
+import static com.evolveum.midpoint.prism.PrismInternalTestUtil.USER_JACK_FILE_BASENAME;
+import static com.evolveum.midpoint.prism.PrismInternalTestUtil.USER_JACK_OID;
+import static com.evolveum.midpoint.prism.PrismInternalTestUtil.assertPropertyValue;
+import static com.evolveum.midpoint.prism.PrismInternalTestUtil.assertUserJack;
+import static com.evolveum.midpoint.prism.PrismInternalTestUtil.constructInitializedPrismContext;
+import static org.testng.AssertJUnit.assertEquals;
 import static org.testng.AssertJUnit.assertNotNull;
 
 import java.io.IOException;
 
+import org.testng.AssertJUnit;
 import org.testng.annotations.Test;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -15,6 +23,8 @@
 
 public class TestPrismParsingXml extends TestPrismParsing {
 
+	public static final String USER_JACK_XXE_BASENAME = "user-jack-xxe";
+
 	@Override
 	protected String getSubdirName() {
 		return "xml";
@@ -74,6 +84,44 @@ public void testPrismParseDomAdhoc() throws Exception {
 		assertUserAdhoc(user, true);
 	}
 
+	@Test
+	public void testPrismParseXxe() throws Exception {
+		final String TEST_NAME = "testPrismParseXxe";
+		PrismInternalTestUtil.displayTestTitle(TEST_NAME);
+
+		PrismContext prismContext = constructInitializedPrismContext();
+
+		try {
+			// WHEN
+			prismContext.parseObject(getFile(USER_JACK_XXE_BASENAME));
+
+			AssertJUnit.fail("Unexpected success");
+		} catch (IllegalStateException e) {
+			// THEN
+			System.out.println("Expected exception: "+e);
+			assertTrue("Unexpected exception message: "+e.getMessage(), e.getMessage().contains("DOCTYPE"));
+		}
+
+	}
+
+	@Test
+	public void testPrismParseDomXxe() throws Exception {
+		final String TEST_NAME = "testPrismParseDomXxe";
+		PrismInternalTestUtil.displayTestTitle(TEST_NAME);
+
+		try {
+			// WHEN
+			DOMUtil.parseFile(getFile(USER_JACK_XXE_BASENAME));
+
+			AssertJUnit.fail("Unexpected success");
+		} catch (IllegalStateException e) {
+			// THEN
+			System.out.println("Expected exception: "+e);
+			assertTrue("Unexpected exception message: "+e.getMessage(), e.getMessage().contains("DOCTYPE"));
+		}
+
+	}
+
 	@Override
 	protected void validateXml(String xmlString, PrismContext prismContext) throws SAXException, IOException {
 //		Document xmlDocument = DOMUtil.parseDocument(xmlString);

infra/prism/src/test/resources/common/xml/user-jack-xxe.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE ANY[ <!ENTITY file SYSTEM "file:///etc/hostname"> ]>
+<!--
+  ~ Copyright (c) 2010-2019 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<user oid="c0c010c0-d34d-b33f-f00d-111111111111" version="42"
+		xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+		xmlns:xsd='http://www.w3.org/2001/XMLSchema'
+		xmlns='http://midpoint.evolveum.com/xml/ns/test/foo-1.xsd'
+		xmlns:ds="http://www.w3.org/2000/09/xmldsig#"  
+        xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
+		xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
+		xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+		xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+		xmlns:adhoc="http://midpoint.evolveum.com/xml/ns/test/adhoc-1.xsd"
+		xmlns:ext="http://midpoint.evolveum.com/xml/ns/test/extension">
+    <name>jack</name>
+    <description>&file;</description>
+    <fullName>cpt. Jack Sparrow</fullName>
+    <givenName>Jack</givenName>
+    <familyName>Sparrow</familyName>
+
+</user>

infra/schema/src/main/java/com/evolveum/midpoint/schema/SearchResultList.java

@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2014-2017 Evolveum
+ * Copyright (c) 2014-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 package com.evolveum.midpoint.schema;
 
 import com.evolveum.midpoint.prism.util.CloneUtil;
+import com.evolveum.midpoint.util.ShortDumpable;
 
 import java.io.Serializable;
 import java.util.ArrayList;
@@ -28,7 +29,7 @@
  * @author semancik
  *
  */
-public class SearchResultList<T> implements List<T>, Cloneable, Serializable {
+public class SearchResultList<T> implements List<T>, Cloneable, Serializable, ShortDumpable {
 
 	private List<T> list = null;
 	private SearchResultMetadata metadata = null;
@@ -224,4 +225,24 @@ private List<T> getInitializedList() {
 		return list;
 	}
 
+	@Override
+	public void shortDump(StringBuilder sb) {
+		if (metadata == null) {
+			if (list == null) {
+				sb.append("null");
+			} else {
+				sb.append(list.size()).append(" results");
+			}
+		} else {
+			if (list == null) {
+				sb.append("null, metadata=(");
+			} else {
+				sb.append(list.size()).append(" results, metadata=(");
+			}
+			metadata.shortDump(sb);
+			sb.append(")");
+		}
+
+	}
+
 }

infra/schema/src/main/java/com/evolveum/midpoint/schema/SearchResultMetadata.java

@@ -1,5 +1,5 @@
 /**
- * Copyright (c) 2014-2016 Evolveum
+ * Copyright (c) 2014-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,12 +17,14 @@
 
 import java.io.Serializable;
 
+import com.evolveum.midpoint.util.ShortDumpable;
+
 /**
  * Objects of this type are considered READ ONLY.
  *
  * @author semancik
  */
-public class SearchResultMetadata implements Serializable {
+public class SearchResultMetadata implements Serializable, ShortDumpable {
 
 	private String pagingCookie;
 	private Integer approxNumberOfAllResults;
@@ -118,8 +120,26 @@ public boolean equals(Object obj) {
 
 	@Override
 	public String toString() {
-		return "SearchResultMetadata(pagingCookie=" + pagingCookie + ", approxNumberOfAllResults="
-				+ approxNumberOfAllResults + ", partialResults=" + partialResults + ")";
+		StringBuilder sb = new StringBuilder("SearchResultMetadata(");
+		shortDump(sb);
+		sb.append(")");
+		return sb.toString();
+	}
+
+	@Override
+	public void shortDump(StringBuilder sb) {
+		if (pagingCookie != null) {
+			sb.append("pagingCookie=").append(pagingCookie).append(",");
+		}
+		if (approxNumberOfAllResults != null) {
+			sb.append("approxNumberOfAllResults=").append(approxNumberOfAllResults).append(",");
+		}
+		if (partialResults) {
+			sb.append("partialResults=true,");
+		}
+		if (pagingCookie != null || approxNumberOfAllResults != null || partialResults) {
+			sb.setLength(sb.length() - 1);
+		}
 	}
 
 }

infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java

@@ -174,6 +174,12 @@ public static <T extends ObjectType> ObjectQuery createNameQuery(Class<T> clazz,
 				.build();
 	}
 
+	public static ObjectQuery createOrgSubtreeQuery(PrismContext prismContext, String orgOid) throws SchemaException {
+		return QueryBuilder.queryFor(ObjectType.class, prismContext)
+				.isChildOf(orgOid)
+				.build();
+	}
+
 	public static ObjectQuery createRootOrgQuery(PrismContext prismContext) throws SchemaException {
 		return QueryBuilder.queryFor(ObjectType.class, prismContext).isRoot().build();
 	}

infra/util/src/main/java/com/evolveum/midpoint/util/DOMUtil.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -169,6 +169,13 @@ public class DOMUtil {
 		try {
 			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 			factory.setNamespaceAware(true);
+			// XXE
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			factory.setXIncludeAware(false);
+			factory.setExpandEntityReferences(false);
 			loader = factory.newDocumentBuilder();
 		} catch (ParserConfigurationException ex) {
 			throw new IllegalStateException("Error creating XML document " + ex.getMessage());
@@ -209,6 +216,13 @@ public static DocumentBuilder createDocumentBuilder() {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setNamespaceAware(true);
         try {
+            // XXE
+    		factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    		factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    		factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    		factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    		factory.setXIncludeAware(false);
+    		factory.setExpandEntityReferences(false);
             return factory.newDocumentBuilder();
         } catch (ParserConfigurationException e) {
             throw new IllegalStateException("Error creating document builder " + e.getMessage(), e);
@@ -232,6 +246,13 @@ public static Document parseFile(File file) {
 		try {
 			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 			factory.setNamespaceAware(true);
+			// XXE
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			factory.setXIncludeAware(false);
+			factory.setExpandEntityReferences(false);
 			DocumentBuilder loader = factory.newDocumentBuilder();
 			return loader.parse(file);
 		} catch (SAXException | IOException | ParserConfigurationException ex) {
@@ -249,6 +270,13 @@ public static Document parse(InputStream inputStream) throws IOException {
 			factory.setFeature("http://xml.org/sax/features/validation", false);
 			factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
 			factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			// XXE
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			factory.setXIncludeAware(false);
+			factory.setExpandEntityReferences(false);
 			DocumentBuilder loader = factory.newDocumentBuilder();
 			return loader.parse(inputStream);
 		} catch (SAXException | ParserConfigurationException ex) {

model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelService.java

@@ -112,6 +112,8 @@ public interface ModelService {
 
 	static final String AUTZ_NAMESPACE = AuthorizationConstants.NS_AUTHORIZATION_MODEL;
 
+	static final String OPERATION_LOGGGER_NAME = "com.evolveum.midpoint.model.api.op";
+
 	/**
 	 * <p>
 	 * Returns object for provided OID. It retrieves the object from an appropriate source

model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java

@@ -510,9 +510,17 @@ public static String toString(PolyStringType poly) {
 
 	static {
 		try {
-			DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-			factory.setNamespaceAware(true);
-			domDocumentBuilder = factory.newDocumentBuilder();
+			DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+			documentBuilderFactory.setNamespaceAware(true);
+			// XXE
+			documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			documentBuilderFactory.setXIncludeAware(false);
+			documentBuilderFactory.setExpandEntityReferences(false);
+			domDocumentBuilder = documentBuilderFactory.newDocumentBuilder();
+
 		} catch (ParserConfigurationException e) {
 			throw new IllegalStateException("Error creating XML document " + e.getMessage());
 		}