Fixed security bug in the XML extension that allows XML external enti…

…ty attacks. Reported by Fabio Mancinelli.

build/tmpl/text/changes.txt

@@ -16,6 +16,9 @@ Changes log
          JSON extension.
        - Optimized conversions using the Jackson extension in order to reuse
          configuration (issue #577).
+       - Fixed security bug in the XML extension that allows XML external 
+         entity attacks.
+         Reported by Fabio Mancinelli.
 
 - 2.0.13 (2012-04-18)
     - Bug fixed

modules/org.restlet.example/src/org/restlet/example/book/restlet/ch04/sec2/sub3/MailServerResource.java

@@ -93,7 +93,7 @@ public void write(org.restlet.ext.xml.XmlWriter writer)
                 }
             };
         };
-
+        result.setNamespaceAware(true);
         return result;
     }
 

modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Categories.java

@@ -113,6 +113,7 @@ public Categories(Context context, String categoriesUri) throws IOException {
      */
     public Categories(Representation categoriesFeed) throws IOException {
         super(categoriesFeed);
+        setNamespaceAware(true);
         parse(new CategoriesContentReader(this));
     }
 

modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Entry.java

@@ -103,6 +103,7 @@ public class Entry extends SaxRepresentation {
      */
     public Entry() {
         super(MediaType.APPLICATION_ATOM);
+        setNamespaceAware(true);
         this.authors = null;
         this.categories = null;
         this.content = null;
@@ -155,6 +156,7 @@ public Entry(Context context, String entryUri) throws IOException {
      */
     public Entry(Representation xmlEntry) throws IOException {
         super(xmlEntry);
+        setNamespaceAware(true);
         parse(new EntryContentReader(this));
     }
 
@@ -170,6 +172,7 @@ public Entry(Representation xmlEntry) throws IOException {
     public Entry(Representation xmlEntry, EntryReader entryReader)
             throws IOException {
         super(xmlEntry);
+        setNamespaceAware(true);
         parse(new EntryContentReader(this, entryReader));
     }
 

modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Feed.java

@@ -118,6 +118,7 @@ public class Feed extends SaxRepresentation {
      */
     public Feed() {
         super(MediaType.APPLICATION_ATOM);
+        setNamespaceAware(true);
         this.authors = null;
         this.categories = null;
         this.contributors = null;
@@ -171,6 +172,7 @@ public Feed(Context context, String feedUri) throws IOException {
      */
     public Feed(Representation xmlFeed) throws IOException {
         super(xmlFeed);
+        setNamespaceAware(true);
         parse(new FeedContentReader(this));
     }
 
@@ -186,6 +188,7 @@ public Feed(Representation xmlFeed) throws IOException {
     public Feed(Representation xmlFeed, FeedReader feedReader)
             throws IOException {
         super(xmlFeed);
+        setNamespaceAware(true);
         parse(new FeedContentReader(this, feedReader));
     }
 

modules/org.restlet.ext.atom/src/org/restlet/ext/atom/Service.java

@@ -90,6 +90,7 @@ public class Service extends SaxRepresentation {
      */
     public Service(Client clientDispatcher) {
         super(new MediaType("***"));
+        setNamespaceAware(true);
         this.clientDispatcher = clientDispatcher;
     }
 
@@ -122,6 +123,7 @@ public Service(Client clientDispatcher, String serviceUri)
     public Service(Client clientDispatcher, String serviceUri,
             Representation xmlService) throws IOException {
         super(xmlService);
+        setNamespaceAware(true);
         this.clientDispatcher = clientDispatcher;
         this.reference = (serviceUri == null) ? null
                 : new Reference(serviceUri);

modules/org.restlet.ext.jaxb/src/org/restlet/ext/jaxb/JaxbRepresentation.java

@@ -43,6 +43,7 @@
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.ValidationEventHandler;
 import javax.xml.bind.util.JAXBSource;
+import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.sax.SAXSource;
 
 import org.restlet.Context;
@@ -91,16 +92,22 @@ public static synchronized JAXBContext getContext(String contextPath,
         return result;
     }
 
+    /**
+     * The classloader to use for JAXB annotated classes.
+     */
+    private volatile ClassLoader classLoader;
+
     /**
      * The list of Java package names that contain schema derived class and/or
      * Java to schema (JAXB-annotated) mapped classes.
      */
     private volatile String contextPath;
 
     /**
-     * The classloader to use for JAXB annotated classes.
+     * Specifies that the parser will expand entity reference nodes. By default
+     * the value of this is set to true.
      */
-    private volatile ClassLoader classLoader;
+    private volatile boolean expandingEntityRefs;
 
     /**
      * Indicates if the resulting XML data should be formatted with line breaks
@@ -123,9 +130,30 @@ public static synchronized JAXBContext getContext(String contextPath,
     /** The "xsi:schemaLocation" attribute in the generated XML data */
     private volatile String schemaLocation;
 
+    /** Limits potential XML overflow attacks. */
+    private boolean secureProcessing;
+
+    /**
+     * Indicates the desire for validating this type of XML representations
+     * against a DTD. Note that for XML schema or Relax NG validation, use the
+     * "schema" property instead.
+     * 
+     * @see DocumentBuilderFactory#setValidating(boolean)
+     */
+    private volatile boolean validatingDtd;
+
     /** The JAXB validation event handler. */
     private volatile ValidationEventHandler validationEventHandler;
 
+    /**
+     * Indicates the desire for processing <em>XInclude</em> if found in this
+     * type of XML representations. By default the value of this is set to
+     * false.
+     * 
+     * @see DocumentBuilderFactory#setXIncludeAware(boolean)
+     */
+    private volatile boolean xIncludeAware;
+
     /** The source XML representation. */
     private volatile Representation xmlRepresentation;
 
@@ -161,6 +189,14 @@ private JaxbRepresentation(MediaType mediaType, T object,
         this.object = object;
         this.validationEventHandler = null;
         this.xmlRepresentation = null;
+        this.expandingEntityRefs = false;
+        this.formattedOutput = false;
+        this.fragment = false;
+        this.noNamespaceSchemaLocation = null;
+        this.schemaLocation = null;
+        this.secureProcessing = true;
+        this.validatingDtd = false;
+        this.xIncludeAware = false;
     }
 
     /**
@@ -270,7 +306,6 @@ private JaxbRepresentation(Representation xmlRepresentation,
         this.object = null;
         this.validationEventHandler = validationHandler;
         this.xmlRepresentation = xmlRepresentation;
-
     }
 
     /**
@@ -374,8 +409,8 @@ public T getObject() throws IOException {
             }
 
             try {
-                this.object = (T) u.unmarshal(this.xmlRepresentation
-                        .getReader());
+                this.object = (T) u.unmarshal(this,
+                        this.xmlRepresentation.getReader());
             } catch (JAXBException e) {
                 Context.getCurrentLogger().log(Level.WARNING,
                         "Unable to unmarshal the XML representation", e);
@@ -416,6 +451,16 @@ public ValidationEventHandler getValidationEventHandler() {
         return this.validationEventHandler;
     }
 
+    /**
+     * Indicates if the parser will expand entity reference nodes. By default
+     * the value of this is set to true.
+     * 
+     * @return True if the parser will expand entity reference nodes.
+     */
+    public boolean isExpandingEntityRefs() {
+        return expandingEntityRefs;
+    }
+
     /**
      * Indicates if the resulting XML data should be formatted with line breaks
      * and indentation. Defaults to false.
@@ -437,6 +482,36 @@ public boolean isFragment() {
         return fragment;
     }
 
+    /**
+     * Indicates if it limits potential XML overflow attacks.
+     * 
+     * @return True if it limits potential XML overflow attacks.
+     */
+    public boolean isSecureProcessing() {
+        return secureProcessing;
+    }
+
+    /**
+     * Indicates the desire for validating this type of XML representations
+     * against an XML schema if one is referenced within the contents.
+     * 
+     * @return True if the schema-based validation is enabled.
+     */
+    public boolean isValidatingDtd() {
+        return validatingDtd;
+    }
+
+    /**
+     * Indicates the desire for processing <em>XInclude</em> if found in this
+     * type of XML representations. By default the value of this is set to
+     * false.
+     * 
+     * @return The current value of the xIncludeAware flag.
+     */
+    public boolean isXIncludeAware() {
+        return xIncludeAware;
+    }
+
     /**
      * Sets the list of Java package names that contain schema derived class
      * and/or Java to schema (JAXB-annotated) mapped classes.
@@ -448,6 +523,17 @@ public void setContextPath(String contextPath) {
         this.contextPath = contextPath;
     }
 
+    /**
+     * Indicates if the parser will expand entity reference nodes. By default
+     * the value of this is set to true.
+     * 
+     * @param expandEntityRefs
+     *            True if the parser will expand entity reference nodes.
+     */
+    public void setExpandingEntityRefs(boolean expandEntityRefs) {
+        this.expandingEntityRefs = expandEntityRefs;
+    }
+
     /**
      * Indicates if the resulting XML data should be formatted with line breaks
      * and indentation.
@@ -504,6 +590,27 @@ public void setSchemaLocation(String schemaLocation) {
         this.schemaLocation = schemaLocation;
     }
 
+    /**
+     * Indicates if it limits potential XML overflow attacks.
+     * 
+     * @param secureProcessing
+     *            True if it limits potential XML overflow attacks.
+     */
+    public void setSecureProcessing(boolean secureProcessing) {
+        this.secureProcessing = secureProcessing;
+    }
+
+    /**
+     * Indicates the desire for validating this type of XML representations
+     * against an XML schema if one is referenced within the contents.
+     * 
+     * @param validating
+     *            The new validation flag to set.
+     */
+    public void setValidatingDtd(boolean validating) {
+        this.validatingDtd = validating;
+    }
+
     /**
      * Sets the validation event handler.
      * 
@@ -515,6 +622,18 @@ public void setValidationEventHandler(
         this.validationEventHandler = validationEventHandler;
     }
 
+    /**
+     * Indicates the desire for processing <em>XInclude</em> if found in this
+     * type of XML representations. By default the value of this is set to
+     * false.
+     * 
+     * @param includeAware
+     *            The new value of the xIncludeAware flag.
+     */
+    public void setXIncludeAware(boolean includeAware) {
+        xIncludeAware = includeAware;
+    }
+
     /**
      * Writes the representation to a stream of characters.
      * 

modules/org.restlet.ext.jaxb/src/org/restlet/ext/jaxb/internal/Marshaller.java

@@ -34,16 +34,14 @@
 package org.restlet.ext.jaxb.internal;
 
 import java.io.OutputStream;
-import java.io.StringWriter;
+import java.io.OutputStreamWriter;
 import java.io.Writer;
 import java.util.logging.Level;
 
 import javax.xml.bind.JAXBException;
-import javax.xml.bind.ValidationEventHandler;
 
 import org.restlet.Context;
 import org.restlet.ext.jaxb.JaxbRepresentation;
-import org.restlet.representation.StringRepresentation;
 
 /**
  * This is a utility class to assist in marshaling Java content trees into XML.
@@ -184,25 +182,7 @@ private javax.xml.bind.Marshaller getMarshaller() throws JAXBException {
      */
     public void marshal(Object jaxbElement, OutputStream stream)
             throws JAXBException {
-        getMarshaller().marshal(jaxbElement, stream);
-    }
-
-    /**
-     * Marshal the content tree rooted at {@code jaxbElement} into a Restlet
-     * String representation.
-     * 
-     * @param jaxbElement
-     *            The root of the content tree to be marshaled.
-     * @param rep
-     *            The target string representation write the XML to.
-     * @throws JAXBException
-     *             If any unexpected problem occurs during marshaling.
-     */
-    public void marshal(Object jaxbElement, StringRepresentation rep)
-            throws JAXBException {
-        final StringWriter writer = new StringWriter();
-        marshal(jaxbElement, writer);
-        rep.setText(writer.toString());
+        marshal(jaxbElement, new OutputStreamWriter(stream));
     }
 
     /**
@@ -216,20 +196,9 @@ public void marshal(Object jaxbElement, StringRepresentation rep)
      *             If any unexpected problem occurs during marshaling.
      */
     public void marshal(Object jaxbElement, Writer writer) throws JAXBException {
+        getMarshaller().setEventHandler(
+                getJaxbRepresentation().getValidationEventHandler());
         getMarshaller().marshal(jaxbElement, writer);
     }
 
-    /**
-     * Sets the validation handler for this marshaler.
-     * 
-     * @param handler
-     *            A validation handler.
-     * @throws JAXBException
-     *             If an error was encountered while setting the event handler.
-     */
-    public void setEventHandler(ValidationEventHandler handler)
-            throws JAXBException {
-        getMarshaller().setEventHandler(handler);
-    }
-
 }