CAMEL-7123 Enable the xml transformer security processing feature by default

WillemJiang · WillemJiang · commit 483b445dc774 · 2014-01-10T17:19:15.000+08:00
diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -974,6 +974,12 @@ public Transformer createTransformer() throws TransformerConfigurationException
 
     public TransformerFactory createTransformerFactory() {
         TransformerFactory factory = TransformerFactory.newInstance();
+        // Enable the Security feature by default
+        try {
+            factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (TransformerConfigurationException e) {
+            LOG.warn("TransformerFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
+        }
         factory.setErrorListener(new XmlErrorListener());
         return factory;
     }
diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.xslt;
+
+import javax.xml.transform.TransformerException;
+
+import org.apache.camel.CamelExecutionException;
+import org.apache.camel.ContextTestSupport;
+import org.apache.camel.builder.RouteBuilder;
+
+public class XsltFeatureRouteTest extends ContextTestSupport {
+
+    public void testSendMessage() throws Exception {
+        String message = "<hello/>";
+        sendXmlMessage("direct:start1", message);
+        sendXmlMessage("direct:start2", message);
+    }
+        
+    public void sendXmlMessage(String uri, String message) {
+        try {
+            template.sendBody("direct:start1", message);
+            fail("expect an exception here");
+        } catch (Exception ex) {
+            // expect an exception here
+            assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
+            assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
+        }
+       
+    }
+    
+
+    @Override
+    protected RouteBuilder createRouteBuilder() throws Exception {
+        return new RouteBuilder() {
+            @Override
+            public void configure() throws Exception {
+                from("direct:start1")
+                    .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl")
+                    .to("mock:result");
+                
+                from("direct:start2")
+                    .to("xslt:org/apache/camel/component/xslt/transform_text.xsl")
+                    .to("mock:result");
+            }
+        };
+    }
+
+}
diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java
@@ -22,16 +22,36 @@
 import org.apache.camel.Exchange;
 import org.apache.camel.builder.RouteBuilder;
 import org.apache.camel.component.mock.MockEndpoint;
+import org.apache.camel.converter.jaxp.XmlConverter;
 import org.apache.camel.impl.JndiRegistry;
 
 public class XsltRouteTest extends ContextTestSupport {
+    
     public void testSendStringMessage() throws Exception {
         sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>");
     }
     
     public void testSendBytesMessage() throws Exception {
         sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>".getBytes());
     }
+    
+    public void testSendEntityMessage() throws Exception {
+        
+        MockEndpoint endpoint = getMockEndpoint("mock:result");
+        endpoint.expectedMessageCount(1);
+        //String message = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///Users//jiangning//.CFUserTextEncoding\">]><task><name>&xxe;</name></task>";
+
+        String message = "<hello/>";
+        template.sendBody("direct:start2", message);
+
+        assertMockEndpointsSatisfied();
+        
+        List<Exchange> list = endpoint.getReceivedExchanges();
+        Exchange exchange = list.get(0);
+        String xml = exchange.getIn().getBody(String.class);
+        
+        System.out.println(xml);
+    }
 
     private void sendMessageAndHaveItTransformed(Object body) throws Exception {
         MockEndpoint endpoint = getMockEndpoint("mock:result");
@@ -44,7 +64,8 @@ private void sendMessageAndHaveItTransformed(Object body) throws Exception {
         List<Exchange> list = endpoint.getReceivedExchanges();
         Exchange exchange = list.get(0);
         String xml = exchange.getIn().getBody(String.class);
-
+        System.out.println(xml);
+        
         assertNotNull("The transformed XML should not be null", xml);
         assertTrue(xml.indexOf("transformed") > -1);
         // the cheese tag is in the transform.xsl
@@ -62,11 +83,16 @@ protected RouteBuilder createRouteBuilder() throws Exception {
         return new RouteBuilder() {
             @Override
             public void configure() throws Exception {
+                
                 from("direct:start")
                     .to("xslt:org/apache/camel/component/xslt/transform.xsl")
                     .multicast()
                         .beanRef("testBean")
                         .to("mock:result");
+                
+                from("direct:start2")
+                    .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl")
+                    .to("mock:result");
             }
         };
     }
diff --git a/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"           
+ xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
+ xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+ xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
+ exclude-result-prefixes="date">
+        <xsl:output method="text"/>
+        <xsl:template match="/">
+                <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable>
+                <xsl:variable name="rtObj" select="rt:getRuntime()"/>
+                <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
+                <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/>
+        </xsl:template>
+</xsl:stylesheet>
diff --git a/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+ 
+ <xsl:import href="transform_text.xsl"/>
+ <xsl:template match="/">
+  		<xsl:apply-imports/>
+  </xsl:template>
+</xsl:stylesheet>
diff --git a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.xslt;
+
+import javax.xml.transform.TransformerException;
+
+import org.apache.camel.CamelExecutionException;
+import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.test.junit4.CamelTestSupport;
+import org.junit.Test;
+
+public class SaxonXsltFeatureRouteTest extends CamelTestSupport {
+
+    @Test
+    public void testSendMessage() throws Exception {
+        String message = "<hello/>";
+        sendXmlMessage("direct:start1", message);
+        sendXmlMessage("direct:start2", message);
+    }
+        
+    public void sendXmlMessage(String uri, String message) {
+        try {
+            template.sendBody("direct:start1", message);
+            fail("expect an exception here");
+        } catch (Exception ex) {
+            // expect an exception here
+            assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
+            assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
+        }
+       
+    }
+    
+
+    @Override
+    protected RouteBuilder createRouteBuilder() throws Exception {
+        return new RouteBuilder() {
+            @Override
+            public void configure() throws Exception {
+                from("direct:start1")
+                    .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl")
+                    .to("mock:result");
+                
+                from("direct:start2")
+                    .to("xslt:org/apache/camel/component/xslt/transform_text.xsl")
+                    .to("mock:result");
+            }
+        };
+    }
+
+    
+
+}
diff --git a/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"           
+ xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
+ xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+ xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
+ exclude-result-prefixes="date">
+        <xsl:output method="text"/>
+        <xsl:template match="/">
+                <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable>
+                <xsl:variable name="rtObj" select="rt:getRuntime()"/>
+                <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
+                <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/>
+        </xsl:template>
+</xsl:stylesheet>
diff --git a/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+ 
+ <xsl:import href="transform_text.xsl"/>
+ 
+  <xsl:template match="/">
+  		<xsl:apply-imports/></xsl:template>
+</xsl:stylesheet>
