Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 0928b2f09 -> 7680385c3
Adding a test to make sure that XXE declarations are not processed Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7680385c Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7680385c Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7680385c Branch: refs/heads/3.0.x-fixes Commit: 7680385c322955fc6d0dcf64d538bbf93919c766 Parents: 0928b2f Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Mon Mar 27 12:15:10 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Mon Mar 27 12:31:01 2017 +0100 ---------------------------------------------------------------------- .../org/apache/cxf/systest/jaxrs/BookStore.java | 7 ++ .../org/apache/cxf/systest/jaxrs/XXETest.java | 54 ++++++++++++++ .../jaxrs/src/test/resources/logging.properties | 74 ++++++++++++++++++++ 3 files changed, 135 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/7680385c/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/BookStore.java ---------------------------------------------------------------------- diff --git a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/BookStore.java b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/BookStore.java index 37fb3b2..09dedbc 100644 --- a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/BookStore.java +++ b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/BookStore.java @@ -315,6 +315,13 @@ public class BookStore { } @POST + @Path("/echoxmlbook") + @Produces("application/xml") + public Book echoXmlBook(Book book) { + return book; + } + + @POST @Path("/emptyform") @Produces("text/plain") @Consumes(MediaType.APPLICATION_FORM_URLENCODED) http://git-wip-us.apache.org/repos/asf/cxf/blob/7680385c/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/XXETest.java ---------------------------------------------------------------------- 
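Review bot: echoXmlBook in the BookStore hunk declares `@Produces("application/xml")` but no `@Consumes`, so the resource will accept a Book body in whatever media type the client sends, whereas the test that targets it depends on the XML provider being the one that parses the DOCTYPE. Adding `@Consumes("application/xml")` pins the endpoint to that path, so a request arriving with a different or missing Content-Type is refused by the runtime instead of being dispatched to some other reader. A one-line Javadoc such as `/** Echoes the posted Book back; used by XXETest to check DOCTYPE handling. */` would also tell the next reader why an echo endpoint exists in this fixture. The enclosing class BookStore starts and ends outside the hunk.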
diff --git a/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/XXETest.java b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/XXETest.java
new file mode 100644
index 0000000..68f7499
--- /dev/null
+++ b/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/XXETest.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.jaxrs;
+
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.jaxrs.model.AbstractResourceInfo;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * A test to make sure that DOCTYPE declarations are not allowed
+ */
+public class XXETest extends AbstractBusClientServerTestBase {
+ public static final String PORT = BookServer.PORT;
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ AbstractResourceInfo.clearAllMaps();
+ assertTrue("server did not launch correctly",
+ launchServer(BookServer.class, true));
+ createStaticBus();
+ }
+
+ @Test
+ public void testEchoXmlBookQuery() throws Exception {
+ String address = "http://localhost:" + PORT + "/bookstore/echoxmlbook";
+
+ WebClient webClient = WebClient.create(address).accept("application/xml");
+ String payload = "<!DOCTYPE requestType [<!ENTITY file SYSTEM \"/etc/hosts\">]>" +
+ "<Book><id>125</id><name>&file;</name></Book>";
+ Book b = webClient.post(payload, Book.class);
+ assertEquals(125L, b.getId());
+ assertEquals("", b.getName());
+ }
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/7680385c/systests/jaxrs/src/test/resources/logging.properties
----------------------------------------------------------------------
diff --git a/systests/jaxrs/src/test/resources/logging.properties b/systests/jaxrs/src/test/resources/logging.properties
new file mode 100644
index 0000000..b2e5a79
--- /dev/null
+++ b/systests/jaxrs/src/test/resources/logging.properties
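Review bot: The class Javadoc says DOCTYPE declarations are "not allowed", but testEchoXmlBookQuery asserts the opposite contract: the POST succeeds, a Book comes back, and `&file;` has simply collapsed to an empty name, so the only line guarding against XXE is `assertEquals("", b.getName())` and a server that merely ignores the entity (rather than refusing the DOCTYPE) satisfies it. If rejection is what the fix guarantees, assert it directly with `Response r = webClient.post(payload); assertEquals(400, r.getStatus());` (needs `javax.ws.rs.core.Response`); if entity non-resolution is the contract, reword the Javadoc to `A test to make sure that external entities declared in a DOCTYPE are not resolved` and keep the assertion on the name. The request never sets a Content-Type (`.type("application/xml")` after `accept(...)`), so which message body reader parses the payload appears to depend on WebClient's default; pinning it keeps the test on the JAXB/XML path this commit is meant to cover. Reading `/etc/hosts` also ties the positive case to a POSIX host; an entity pointing at a file the test itself writes (or a classpath resource) would exercise the same path on every platform.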
@@ -0,0 +1,74 @@ +# +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# +############################################################ +# Default Logging Configuration File +# +# You can use a different file by specifying a filename +# with the java.util.logging.config.file system property. +# For example java -Djava.util.logging.config.file=myfile +############################################################ + +############################################################ +# Global properties +############################################################ + +# "handlers" specifies a comma separated list of log Handler +# classes. These handlers will be installed during VM startup. +# Note that these classes must be on the system classpath. +# By default we only configure a ConsoleHandler, which will only +# show messages at the INFO and above levels. +#handlers= java.util.logging.ConsoleHandler + +# To also add the FileHandler, use the following line instead. +#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler + +# Default global logging level. +# This specifies which kinds of events are logged across +# all loggers. 
For any given facility this global level +# can be overriden by a facility specific level +# Note that the ConsoleHandler also has a separate level +# setting to limit messages printed to the console. +.level= INFO + +############################################################ +# Handler specific properties. +# Describes specific configuration info for Handlers. +############################################################ + +# default file output is in user's home directory. +java.util.logging.FileHandler.pattern = %h/java%u.log +java.util.logging.FileHandler.limit = 50000 +java.util.logging.FileHandler.count = 1 +java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter + +# Limit the message that are printed on the console to INFO and above. +java.util.logging.ConsoleHandler.level = INFO +java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter + + +############################################################ +# Facility specific properties. +# Provides extra control for each logger. +############################################################ + +# For example, set the com.xyz.foo logger to only log SEVERE +# messages: +#com.xyz.foo.level = SEVERE