Permalink
Browse files

Fixed security bug in the XML extension that allows XML external enti…

…ty attacks. Reported by Fabio Mancinelli.
  • Loading branch information...
1 parent fc6bfe4 commit ef1836ebede58fce49a091d6b43bbb39aec53d1b Thierry Boileau committed May 23, 2012
Showing with 431 additions and 89 deletions.
  1. +3 −0 build/tmpl/text/changes.txt
  2. +1 −1 ...s/org.restlet.example/src/org/restlet/example/book/restlet/ch04/sec2/sub3/MailServerResource.java
  3. +1 −0 modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Categories.java
  4. +3 −0 modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Entry.java
  5. +3 −0 modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Feed.java
  6. +2 −0 modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Service.java
  7. +124 −5 modules/org.restlet.ext.jaxb/src/org/restlet/ext/jaxb/JaxbRepresentation.java
  8. +4 −35 modules/org.restlet.ext.jaxb/src/org/restlet/ext/jaxb/internal/Marshaller.java
  9. +40 −10 modules/org.restlet.ext.jaxb/src/org/restlet/ext/jaxb/internal/Unmarshaller.java
  10. +149 −9 modules/org.restlet.ext.jaxrs/src/org/restlet/ext/jaxrs/internal/provider/JaxbProvider.java
  11. +1 −0 modules/org.restlet.ext.lucene/src/org/restlet/ext/lucene/TikaRepresentation.java
  12. +3 −0 modules/org.restlet.ext.odata/src/org/restlet/ext/odata/Service.java
  13. +1 −0 modules/org.restlet.ext.odata/src/org/restlet/ext/odata/internal/edm/Metadata.java
  14. +4 −0 modules/org.restlet.ext.wadl/src/org/restlet/ext/wadl/WadlRepresentation.java
  15. +77 −15 modules/org.restlet.ext.xml/src/org/restlet/ext/xml/SaxRepresentation.java
  16. +1 −1 modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java
  17. +1 −1 modules/org.restlet.test/src/org/restlet/test/data/AuthenticationInfoTestCase.java
  18. +11 −11 modules/org.restlet/src/org/restlet/data/Status.java
  19. +2 −1 modules/org.restlet/src/org/restlet/resource/ResourceException.java
@@ -16,6 +16,9 @@ Changes log
JSON extension.
- Optimized conversions using the Jackson extension in order to reuse
configuration (issue #577).
+ - Fixed security bug in the XML extension that allows XML external
+ entity attacks.
+ Reported by Fabio Mancinelli.
- 2.0.13 (2012-04-18)
- Bug fixed
@@ -93,7 +93,7 @@ public void write(org.restlet.ext.xml.XmlWriter writer)
}
};
};
-
+ result.setNamespaceAware(true);
return result;
}
@@ -113,6 +113,7 @@ public Categories(Context context, String categoriesUri) throws IOException {
*/
public Categories(Representation categoriesFeed) throws IOException {
super(categoriesFeed);
+ setNamespaceAware(true);
parse(new CategoriesContentReader(this));
}
@@ -103,6 +103,7 @@
*/
public Entry() {
super(MediaType.APPLICATION_ATOM);
+ setNamespaceAware(true);
this.authors = null;
this.categories = null;
this.content = null;
@@ -155,6 +156,7 @@ public Entry(Context context, String entryUri) throws IOException {
*/
public Entry(Representation xmlEntry) throws IOException {
super(xmlEntry);
+ setNamespaceAware(true);
parse(new EntryContentReader(this));
}
@@ -170,6 +172,7 @@ public Entry(Representation xmlEntry) throws IOException {
public Entry(Representation xmlEntry, EntryReader entryReader)
throws IOException {
super(xmlEntry);
+ setNamespaceAware(true);
parse(new EntryContentReader(this, entryReader));
}
@@ -118,6 +118,7 @@
*/
public Feed() {
super(MediaType.APPLICATION_ATOM);
+ setNamespaceAware(true);
this.authors = null;
this.categories = null;
this.contributors = null;
@@ -171,6 +172,7 @@ public Feed(Context context, String feedUri) throws IOException {
*/
public Feed(Representation xmlFeed) throws IOException {
super(xmlFeed);
+ setNamespaceAware(true);
parse(new FeedContentReader(this));
}
@@ -186,6 +188,7 @@ public Feed(Representation xmlFeed) throws IOException {
public Feed(Representation xmlFeed, FeedReader feedReader)
throws IOException {
super(xmlFeed);
+ setNamespaceAware(true);
parse(new FeedContentReader(this, feedReader));
}
@@ -90,6 +90,7 @@
*/
public Service(Client clientDispatcher) {
super(new MediaType("***"));
+ setNamespaceAware(true);
this.clientDispatcher = clientDispatcher;
}
@@ -122,6 +123,7 @@ public Service(Client clientDispatcher, String serviceUri)
public Service(Client clientDispatcher, String serviceUri,
Representation xmlService) throws IOException {
super(xmlService);
+ setNamespaceAware(true);
this.clientDispatcher = clientDispatcher;
this.reference = (serviceUri == null) ? null
: new Reference(serviceUri);
@@ -43,6 +43,7 @@
import javax.xml.bind.JAXBException;
import javax.xml.bind.ValidationEventHandler;
import javax.xml.bind.util.JAXBSource;
+import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.sax.SAXSource;
import org.restlet.Context;
@@ -92,15 +93,21 @@ public static synchronized JAXBContext getContext(String contextPath,
}
/**
+ * The classloader to use for JAXB annotated classes.
+ */
+ private volatile ClassLoader classLoader;
+
+ /**
* The list of Java package names that contain schema derived class and/or
* Java to schema (JAXB-annotated) mapped classes.
*/
private volatile String contextPath;
/**
- * The classloader to use for JAXB annotated classes.
+ * Specifies that the parser will expand entity reference nodes. By default
+ * the value of this is set to true.
*/
- private volatile ClassLoader classLoader;
+ private volatile boolean expandingEntityRefs;
/**
* Indicates if the resulting XML data should be formatted with line breaks
@@ -123,9 +130,30 @@ public static synchronized JAXBContext getContext(String contextPath,
/** The "xsi:schemaLocation" attribute in the generated XML data */
private volatile String schemaLocation;
+ /** Limits potential XML overflow attacks. */
+ private boolean secureProcessing;
+
+ /**
+ * Indicates the desire for validating this type of XML representations
+ * against a DTD. Note that for XML schema or Relax NG validation, use the
+ * "schema" property instead.
+ *
+ * @see DocumentBuilderFactory#setValidating(boolean)
+ */
+ private volatile boolean validatingDtd;
+
/** The JAXB validation event handler. */
private volatile ValidationEventHandler validationEventHandler;
+ /**
+ * Indicates the desire for processing <em>XInclude</em> if found in this
+ * type of XML representations. By default the value of this is set to
+ * false.
+ *
+ * @see DocumentBuilderFactory#setXIncludeAware(boolean)
+ */
+ private volatile boolean xIncludeAware;
+
/** The source XML representation. */
private volatile Representation xmlRepresentation;
@@ -161,6 +189,14 @@ private JaxbRepresentation(MediaType mediaType, T object,
this.object = object;
this.validationEventHandler = null;
this.xmlRepresentation = null;
+ this.expandingEntityRefs = false;
+ this.formattedOutput = false;
+ this.fragment = false;
+ this.noNamespaceSchemaLocation = null;
+ this.schemaLocation = null;
+ this.secureProcessing = true;
+ this.validatingDtd = false;
+ this.xIncludeAware = false;
}
/**
@@ -270,7 +306,6 @@ private JaxbRepresentation(Representation xmlRepresentation,
this.object = null;
this.validationEventHandler = validationHandler;
this.xmlRepresentation = xmlRepresentation;
-
}
/**
@@ -374,8 +409,8 @@ public T getObject() throws IOException {
}
try {
- this.object = (T) u.unmarshal(this.xmlRepresentation
- .getReader());
+ this.object = (T) u.unmarshal(this,
+ this.xmlRepresentation.getReader());
} catch (JAXBException e) {
Context.getCurrentLogger().log(Level.WARNING,
"Unable to unmarshal the XML representation", e);
@@ -417,6 +452,16 @@ public ValidationEventHandler getValidationEventHandler() {
}
/**
+ * Indicates if the parser will expand entity reference nodes. By default
+ * the value of this is set to true.
+ *
+ * @return True if the parser will expand entity reference nodes.
+ */
+ public boolean isExpandingEntityRefs() {
+ return expandingEntityRefs;
+ }
+
+ /**
* Indicates if the resulting XML data should be formatted with line breaks
* and indentation. Defaults to false.
*
@@ -438,6 +483,36 @@ public boolean isFragment() {
}
/**
+ * Indicates if it limits potential XML overflow attacks.
+ *
+ * @return True if it limits potential XML overflow attacks.
+ */
+ public boolean isSecureProcessing() {
+ return secureProcessing;
+ }
+
+ /**
+ * Indicates the desire for validating this type of XML representations
+ * against an XML schema if one is referenced within the contents.
+ *
+ * @return True if the schema-based validation is enabled.
+ */
+ public boolean isValidatingDtd() {
+ return validatingDtd;
+ }
+
+ /**
+ * Indicates the desire for processing <em>XInclude</em> if found in this
+ * type of XML representations. By default the value of this is set to
+ * false.
+ *
+ * @return The current value of the xIncludeAware flag.
+ */
+ public boolean isXIncludeAware() {
+ return xIncludeAware;
+ }
+
+ /**
* Sets the list of Java package names that contain schema derived class
* and/or Java to schema (JAXB-annotated) mapped classes.
*
@@ -449,6 +524,17 @@ public void setContextPath(String contextPath) {
}
/**
+ * Indicates if the parser will expand entity reference nodes. By default
+ * the value of this is set to true.
+ *
+ * @param expandEntityRefs
+ * True if the parser will expand entity reference nodes.
+ */
+ public void setExpandingEntityRefs(boolean expandEntityRefs) {
+ this.expandingEntityRefs = expandEntityRefs;
+ }
+
+ /**
* Indicates if the resulting XML data should be formatted with line breaks
* and indentation.
*
@@ -505,6 +591,27 @@ public void setSchemaLocation(String schemaLocation) {
}
/**
+ * Indicates if it limits potential XML overflow attacks.
+ *
+ * @param secureProcessing
+ * True if it limits potential XML overflow attacks.
+ */
+ public void setSecureProcessing(boolean secureProcessing) {
+ this.secureProcessing = secureProcessing;
+ }
+
+ /**
+ * Indicates the desire for validating this type of XML representations
+ * against an XML schema if one is referenced within the contents.
+ *
+ * @param validating
+ * The new validation flag to set.
+ */
+ public void setValidatingDtd(boolean validating) {
+ this.validatingDtd = validating;
+ }
+
+ /**
* Sets the validation event handler.
*
* @param validationEventHandler
@@ -516,6 +623,18 @@ public void setValidationEventHandler(
}
/**
+ * Indicates the desire for processing <em>XInclude</em> if found in this
+ * type of XML representations. By default the value of this is set to
+ * false.
+ *
+ * @param includeAware
+ * The new value of the xIncludeAware flag.
+ */
+ public void setXIncludeAware(boolean includeAware) {
+ xIncludeAware = includeAware;
+ }
+
+ /**
* Writes the representation to a stream of characters.
*
* @param writer
@@ -34,16 +34,14 @@
package org.restlet.ext.jaxb.internal;
import java.io.OutputStream;
-import java.io.StringWriter;
+import java.io.OutputStreamWriter;
import java.io.Writer;
import java.util.logging.Level;
import javax.xml.bind.JAXBException;
-import javax.xml.bind.ValidationEventHandler;
import org.restlet.Context;
import org.restlet.ext.jaxb.JaxbRepresentation;
-import org.restlet.representation.StringRepresentation;
/**
* This is a utility class to assist in marshaling Java content trees into XML.
@@ -184,25 +182,7 @@ public ClassLoader getClassLoader() {
*/
public void marshal(Object jaxbElement, OutputStream stream)
throws JAXBException {
- getMarshaller().marshal(jaxbElement, stream);
- }
-
- /**
- * Marshal the content tree rooted at {@code jaxbElement} into a Restlet
- * String representation.
- *
- * @param jaxbElement
- * The root of the content tree to be marshaled.
- * @param rep
- * The target string representation write the XML to.
- * @throws JAXBException
- * If any unexpected problem occurs during marshaling.
- */
- public void marshal(Object jaxbElement, StringRepresentation rep)
- throws JAXBException {
- final StringWriter writer = new StringWriter();
- marshal(jaxbElement, writer);
- rep.setText(writer.toString());
+ marshal(jaxbElement, new OutputStreamWriter(stream));
}
/**
@@ -216,20 +196,9 @@ public void marshal(Object jaxbElement, StringRepresentation rep)
* If any unexpected problem occurs during marshaling.
*/
public void marshal(Object jaxbElement, Writer writer) throws JAXBException {
+ getMarshaller().setEventHandler(
+ getJaxbRepresentation().getValidationEventHandler());
getMarshaller().marshal(jaxbElement, writer);
}
- /**
- * Sets the validation handler for this marshaler.
- *
- * @param handler
- * A validation handler.
- * @throws JAXBException
- * If an error was encountered while setting the event handler.
- */
- public void setEventHandler(ValidationEventHandler handler)
- throws JAXBException {
- getMarshaller().setEventHandler(handler);
- }
-
}
Oops, something went wrong.

0 comments on commit ef1836e

Please sign in to comment.