[camel] 04/04: CAMEL-18825: Make XML parser/transformers more secure out of the box.

Sun, 25 Dec 2022 05:41:54 -0800 

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 0bc10ee6139762053b2f696a05f5d0acf8341c93
Author: Claus Ibsen <claus.ib...@gmail.com>
AuthorDate: Sun Dec 25 14:30:40 2022 +0100

    CAMEL-18825: Make XML parser/transformers more secure out of the box.
---
 .../org/apache/camel/builder/xml/XPathFeatureTest.java     | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git 
a/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
 
b/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
index 19d231cc88b..2cebddd263d 100644
--- 
a/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
+++ 
b/core/camel-core/src/test/java/org/apache/camel/builder/xml/XPathFeatureTest.java
@@ -70,15 +70,20 @@ public class XPathFeatureTest extends ContextTestSupport {
     }
 
     @Test
-    public void testXPathResult() throws Exception {
-        String result = (String) 
xpath("/").stringResult().evaluate(createExchange(XML_DATA));
-        assertEquals("  ", result, "Get a wrong result");
+    public void testXPathDocTypeDisallowed() throws Exception {
+        try {
+            xpath("/").stringResult().evaluate(createExchange(XML_DATA));
+            fail();
+        } catch (Exception e) {
+            assertIsInstanceOf(SAXParseException.class, e.getCause());
+        }
     }
 
     @Test
     public void testXPath() throws Exception {
-        // Set this feature will enable the external general entities
+        // Set these features will enable the external general entities
         System.setProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + 
"http://xml.org/sax/features/external-general-entities";, "true");
+        System.setProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + 
"http://apache.org/xml/features/disallow-doctype-decl";, "false");
         try {
             xpath("/").stringResult().evaluate(createExchange(XML_DATA));
             fail("Expect an Exception here");
@@ -88,6 +93,7 @@ public class XPathFeatureTest extends ContextTestSupport {
                     "Get a wrong exception cause: " + ex.getCause().getClass() 
+ " instead of " + FileNotFoundException.class);
         } finally {
             System.clearProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + 
"http://xml.org/sax/features/external-general-entities";);
+            System.clearProperty(DOM_BUILDER_FACTORY_FEATURE + ":" + 
"http://apache.org/xml/features/disallow-doctype-decl";);
         }
     }

Reply via email to