
Commit 9b7d0f5

committed
RESTEASY-1073: Prevent expansion of XML external parameter entities.
1 parent 9f9f313 commit 9b7d0f5


12 files changed

+430
-0
lines changed


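--- /dev/null
+++ b/jaxrs/arquillian/RESTEASY-1073-WF8/pom.xml
@@ -0,0 +1,189 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+
+<parent>
+<groupId>org.jboss.resteasy</groupId>
+<artifactId>resteasy-jaxrs-all</artifactId>
+<version>3.0.8.Final</version>
+<relativePath>../../pom.xml</relativePath>
+</parent>
+
+<artifactId>RESTEASY-1073-WF8</artifactId>
+<packaging>jar</packaging>
+<name>RESTEASY-1073-WF8</name>
+<url>http://maven.apache.org</url>
+
+<properties>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+<as-version>8.0.0.Final</as-version>
+</properties>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-compiler-plugin</artifactId>
+<version>2.3.2</version>
+<configuration>
+<source>1.6</source>
+<target>1.6</target>
+</configuration>
+</plugin>
+<plugin>
+<artifactId>maven-surefire-plugin</artifactId>
+<version>2.12</version>
+</plugin>
+<plugin>
+<artifactId>maven-dependency-plugin</artifactId>
+<executions>
+<execution>
+<id>unpack</id>
+<phase>process-test-classes</phase>
+<goals>
+<goal>unpack</goal>
+</goals>
+<configuration>
+<artifactItems>
+<artifactItem>
+<groupId>org.wildfly</groupId>
+<artifactId>wildfly-dist</artifactId>
+<version>${as-version}</version>
+<type>zip</type>
+<overWrite>false</overWrite>
+<outputDirectory>target</outputDirectory>
+</artifactItem>
+</artifactItems>
+</configuration>
+</execution>
+</executions>
+</plugin>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-antrun-plugin</artifactId>
+<version>1.6</version>
+<executions>
+<execution>
+<id>unpack resteasy</id>
+<phase>process-test-classes</phase>
+<configuration>
+<target>
+<unzip src="../../jboss-modules/target/resteasy-jboss-modules-wf8-${project.version}.zip"
+dest="${project.build.directory}/wildfly-${as-version}/modules/system/layers/base"
+overwrite="true" />
+</target>
+</configuration>
+<goals>
+<goal>run</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-war-plugin</artifactId>
+<configuration>
+<archive>
+<manifestEntries>
+<Dependencies>
+javax.xml.bind.api
+</Dependencies>
+</manifestEntries>
+</archive>
+</configuration>
+</plugin>
+
+</plugins>
+</build>
+
+<dependencyManagement>
+<dependencies>
+<dependency>
+<groupId>org.jboss.arquillian</groupId>
+<artifactId>arquillian-bom</artifactId>
+<version>1.0.3.Final</version>
+<scope>import</scope>
+<type>pom</type>
+</dependency>
+</dependencies>
+</dependencyManagement>
+
+<dependencies>
+<dependency>
+<groupId>org.jboss.spec</groupId>
+<artifactId>jboss-javaee-6.0</artifactId>
+<version>1.0.0.Final</version>
+<type>pom</type>
+<scope>provided</scope>
+</dependency>
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>4.8.1</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.jboss.arquillian.junit</groupId>
+<artifactId>arquillian-junit-container</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.wildfly</groupId>
+<artifactId>wildfly-arquillian-container-managed</artifactId>
+<version>8.0.0.Alpha1</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.jboss.arquillian.protocol</groupId>
+<artifactId>arquillian-protocol-servlet</artifactId>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>org.jboss.resteasy</groupId>
+<artifactId>jaxrs-api</artifactId>
+<version>${project.version}</version>
+</dependency>
+<dependency>
+<groupId>org.jboss.resteasy</groupId>
+<artifactId>resteasy-jaxrs</artifactId>
+<version>${project.version}</version>
+</dependency>
+<dependency>
+<groupId>org.jboss.resteasy</groupId>
+<artifactId>resteasy-validator-provider-11</artifactId>
+<version>${project.version}</version>
+</dependency>
+<dependency>
+<groupId>javax.validation</groupId>
+<artifactId>validation-api</artifactId>
+<version>1.1.0.Final</version>
+</dependency>
+<dependency>
+<groupId>org.hibernate</groupId>
+<artifactId>hibernate-validator</artifactId>
+<version>5.0.1.Final</version>
+</dependency>
+<dependency>
+<groupId>javax.el</groupId>
+<artifactId>javax.el-api</artifactId>
+<version>2.2.4</version>
+</dependency>
+<dependency>
+<groupId>org.glassfish.web</groupId>
+<artifactId>javax.el</artifactId>
+<version>2.2.4</version>
+</dependency>
+<dependency>
+<groupId>org.jboss.spec.javax.xml.bind</groupId>
+<artifactId>jboss-jaxb-api_2.2_spec</artifactId>
+<version>1.0.4.Final</version>
+</dependency>
+<dependency>
+<groupId>org.jboss.resteasy</groupId>
+<artifactId>resteasy-jaxb-provider</artifactId>
+<version>${project.version}</version>
+<scope>test</scope>
+</dependency>
+</dependencies>
+</project>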
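Review bot: The `maven-war-plugin` block near the end of the build section (the `Dependencies` manifest entry `javax.xml.bind.api`) is dead configuration in this module: packaging is `jar`, so the war plugin is never bound to the lifecycle, and the two test deployments are assembled by ShrinkWrap in the test class rather than by Maven. If the WildFly module dependency is actually required for the test wars, it has to be put on the `WebArchive` itself (for example via `addAsManifestResource`); otherwise the block should be dropped so nobody assumes it is in effect. Separately, `wildfly-arquillian-container-managed` is pinned to `8.0.0.Alpha1` while the server that is unpacked and started is `${as-version}` = `8.0.0.Final`; driving the adapter version from the same property would keep the two from drifting. A short comment on the property would also help, e.g. `<!-- WildFly distribution unpacked into target/ by maven-dependency-plugin; the Arquillian jbossHome must match -->`.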
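--- /dev/null
+++ b/[path not shown in extract]/org/jboss/resteasy/resteasy1073/TestApplication.java
@@ -0,0 +1,17 @@
+package org.jboss.resteasy.resteasy1073;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.ws.rs.core.Application;
+
+public class TestApplication extends Application
+{
+@Override
+public Set<Class<?>> getClasses() {
+HashSet<Class<?>> set = new HashSet<Class<?>>();
+set.add(TestResource.class);
+return set;
+}
+}
+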
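--- /dev/null
+++ b/[path not shown in extract]/org/jboss/resteasy/resteasy1073/TestResource.java
@@ -0,0 +1,26 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.MediaType;
+
+/**
+* RESTEASY-1073
+*
+* @author <a href="ron.sigal@jboss.com">Ron Sigal</a>
+* @version $Revision: 1.1 $
+*
+* Copyright July 19, 2014
+*/
+@Path("")
+public class TestResource
+{
+@POST
+@Path("test")
+@Consumes(MediaType.APPLICATION_XML)
+public String post(TestWrapper wrapper)
+{
+return wrapper.getName();
+}
+}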
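Review bot: The class Javadoc names the issue but not the one thing a reader of this resource needs: `post()` returns the unmarshalled `name` verbatim, and that echo is the oracle the Arquillian test uses to decide whether the entity reference in the request body was expanded by the server-side parser. A method comment such as `/** Echoes the unmarshalled name so the test can observe whether an XML entity reference in the request was expanded. */` would make that contract explicit. It may also be worth stating in the comment that the response is intentionally unprocessed, so nobody later "improves" it with trimming or null-handling that would change what the test observes.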
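--- /dev/null
+++ b/[path not shown in extract]/org/jboss/resteasy/resteasy1073/TestWrapper.java
@@ -0,0 +1,17 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement
+public class TestWrapper
+{
+private String name;
+public String getName()
+{
+return name;
+}
+public void setName(String name)
+{
+this.name = name;
+}
+}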
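--- /dev/null
+++ b/[path not shown in extract]/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java
@@ -0,0 +1,95 @@
+package org.jboss.resteasy.test.resteasy1073;
+
+import java.io.File;
+
+import javax.ws.rs.core.MediaType;
+
+import junit.framework.Assert;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.resteasy.client.ClientRequest;
+import org.jboss.resteasy.client.ClientResponse;
+import org.jboss.resteasy.resteasy1073.TestApplication;
+import org.jboss.resteasy.resteasy1073.TestResource;
+import org.jboss.resteasy.resteasy1073.TestWrapper;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+* RESTEASY-1073.
+*
+* @author <a href="ron.sigal@jboss.com">Ron Sigal</a>
+* @version $Revision: 1.1 $
+*
+* Created July 19, 2014
+*/
+@RunWith(Arquillian.class)
+public class TestExternalParameterEntity
+{
+@Deployment(name="war_expand", order=1)
+public static Archive<?> createTestArchive1()
+{
+WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-expand.war")
+.addClasses(TestApplication.class)
+.addClasses(TestResource.class, TestWrapper.class)
+.addAsWebInfResource("web_expand.xml", "web.xml")
+;
+System.out.println(war.toString(true));
+return war;
+}
+
+@Deployment(name="war_no_expand", order=2)
+public static Archive<?> createTestArchive2()
+{
+WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-no-expand.war")
+.addClasses(TestApplication.class)
+.addClasses(TestResource.class, TestWrapper.class)
+.addAsWebInfResource("web_no_expand.xml", "web.xml")
+;
+System.out.println(war.toString(true));
+return war;
+}
+
+private String passwdFile = new File("src/test/resources/passwd").getAbsolutePath();
+private String dtdFile = new File("src/test/resources/test.dtd").getAbsolutePath();
+
+private String text =
+"<!DOCTYPE foo [\r" +
+" <!ENTITY % file SYSTEM \"" + passwdFile + "\">\r" +
+" <!ENTITY % start \"<![CDATA[\">\r" +
+" <!ENTITY % end \"]]>\">\r" +
+" <!ENTITY % dtd SYSTEM \"" + dtdFile + "\">\r" +
+"%dtd;\r" +
+"]>\r" +
+"<testWrapper><name>&xxe;</name></testWrapper>";
+
+@Test
+public void testExternalParameterEntityExpand() throws Exception
+{
+ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-expand/test");
+System.out.println(text);
+request.body(MediaType.APPLICATION_XML, text);
+ClientResponse<?> response = request.post();
+Assert.assertEquals(200, response.getStatus());
+String entity = response.getEntity(String.class);
+System.out.println("Result: " + entity);
+Assert.assertEquals("root:x:0:0:root:/root:/bin/bash", entity.trim());
+}
+
+@Test
+public void testExternalParameterEntityNoExpand() throws Exception
+{
+ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-no-expand/test");
+System.out.println(text);
+request.body(MediaType.APPLICATION_XML, text);
+ClientResponse<?> response = request.post();
+Assert.assertEquals(200, response.getStatus());
+String entity = response.getEntity(String.class);
+System.out.println("Result: " + entity);
+Assert.assertEquals("", entity.trim());
+}
+}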
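Review bot: The fixture paths on the `passwdFile` and `dtdFile` fields (`new File("src/test/resources/passwd").getAbsolutePath()`) are resolved against the working directory of whichever JVM instantiates the test class, and nothing here (`@RunAsClient`, `testable = false`) forces the two `@Test` methods to run on the client side, so under Arquillian's default in-container mode they would presumably execute inside the managed WildFly process, where that relative path does not exist and the SYSTEM identifiers in `text` point nowhere. If that is the case the "expand" test would fail for the wrong reason and the "no-expand" test would pass trivially, proving nothing about the fix; marking both methods `@RunAsClient` (and, for a two-deployment class, `@OperateOnDeployment` on each) pins the fixtures to the Maven working directory where they live. The `text` field deserves a comment stating what the fixture is for, e.g. `// Request body whose DTD pulls in test.dtd through an external parameter entity; the expand-enabled deployment must echo the passwd line, the hardened one must not.` Finally, `junit.framework.Assert` is the JUnit 3 API; `org.junit.Assert` is the JUnit 4 equivalent and the one the rest of the toolchain here (`org.junit.Test`, `org.junit.runner.RunWith`) expects.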
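--- /dev/null
+++ b/[path not shown in extract]
@@ -0,0 +1,23 @@
+<arquillian xmlns="http://jboss.org/schema/arquillian"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="
+http://jboss.org/schema/arquillian
+http://jboss.org/schema/arquillian/arquillian_1_0.xsd">
+
+<!-- Force the use of the Servlet 3.0 protocol with all containers, as it is the most mature -->
+<defaultProtocol type="Servlet 3.0" />
+
+<engine>
+<property name="deploymentExportPath">target/deployments</property>
+</engine>
+
+<container qualifier="jbossas-managed" default="true">
+<configuration>
+<property name="jbossHome">target/wildfly-8.0.0.Final</property>
+<!--property name="javaHome">/opt/local/java/jdk1.7.0_21</property-->
+<property name="serverConfig">standalone-full.xml</property>
+<!-- Uncomment next line to run server in debug mode. -->
+<!--property name="javaVmArguments">-Xmx512m -XX:MaxPermSize=128m -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=y</property-->
+</configuration>
+</container>
+</arquillian>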
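Review bot: `jbossHome` hard-codes `target/wildfly-8.0.0.Final`, duplicating the version that the module pom defines once as `as-version` and uses for both the unpack directory and the module overlay; unless this file is passed through Maven resource filtering (not visible here), the next server bump has to be made in two places and a mismatch silently starts the wrong, un-overlaid server. Writing `<property name="jbossHome">target/wildfly-${as-version}</property>` with filtering enabled on the resources directory keeps one source of truth. The two commented-out `<!--property ...-->` elements are disabled configuration rather than documentation; if they are meant as hints for local debugging, a single `<!-- set javaHome / javaVmArguments here for local debugging -->` comment says so without leaving a stale JDK path behind.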
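--- /dev/null
+++ b/[module path not shown in extract]/src/test/resources/passwd
@@ -0,0 +1 @@
+root:x:0:0:root:/root:/bin/bash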
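--- /dev/null
+++ b/[module path not shown in extract]/src/test/resources/test.dtd
@@ -0,0 +1 @@
+<!ENTITY xxe "%start; %file; %end;">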
