Updated Branches: refs/heads/master d6b118e5d -> e922f8929
CAMEL-7123 Enable the xml transformer security processing feature by default Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/e922f892 Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/e922f892 Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/e922f892 Branch: refs/heads/master Commit: e922f89290f236f3107039de61af0375826bd96d Parents: d6b118e Author: Willem Jiang <[email protected]> Authored: Fri Jan 10 17:17:30 2014 +0800 Committer: Willem Jiang <[email protected]> Committed: Fri Jan 10 17:17:59 2014 +0800 ---------------------------------------------------------------------- .../camel/converter/jaxp/XmlConverter.java | 6 ++ .../component/xslt/XsltFeatureRouteTest.java | 62 ++++++++++++++++++ .../camel/component/xslt/XsltRouteTest.java | 28 ++++++++- .../camel/component/xslt/transform_text.xsl | 31 +++++++++ .../component/xslt/transform_text_imported.xsl | 25 ++++++++ .../xslt/SaxonXsltFeatureRouteTest.java | 66 ++++++++++++++++++++ .../camel/component/xslt/transform_text.xsl | 31 +++++++++ .../component/xslt/transform_text_imported.xsl | 25 ++++++++ 8 files changed, 273 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java ---------------------------------------------------------------------- diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java index d841a15..43d39a4 100644 --- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java +++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java 
@@ -974,6 +974,12 @@ public class XmlConverter {
 public TransformerFactory createTransformerFactory() {
 TransformerFactory factory = TransformerFactory.newInstance();
+ // Enable the Security feature by default
+ try {
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (TransformerConfigurationException e) {
+ LOG.warn("TransformerFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
+ }
 factory.setErrorListener(new XmlErrorListener());
 return factory;
 }
http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java
new file mode 100644
index 0000000..0456444
--- /dev/null
+++ b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java
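Review bot: The new catch block in `createTransformerFactory()` fails open: when the factory rejects `FEATURE_SECURE_PROCESSING`, the method only logs a warning and still returns the unhardened factory, so stylesheets run without the protection and callers cannot tell. At minimum the fallback should be documented on the method, e.g. `// NOTE: fails open - a factory that rejects secure processing is still returned, see the WARN log`; a deliberate configuration switch would be better than a silent fallback. Assuming `LOG` is an SLF4J logger, passing `e` as the third element of the `Object[]` may leave either the last `{}` or the stack trace unrendered depending on the SLF4J version, so I would drop `, due to {}` from the pattern and keep `e` as the trailing argument.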
@@ -0,0 +1,62 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.ContextTestSupport; +import org.apache.camel.builder.RouteBuilder; + +public class XsltFeatureRouteTest extends ContextTestSupport { + + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void configure() throws Exception { + from("direct:start1") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + 
from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + +} http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java ---------------------------------------------------------------------- diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java index df6c4cc..9d1e5d9 100644 --- a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java +++ b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java @@ -22,9 +22,11 @@ import org.apache.camel.ContextTestSupport; import org.apache.camel.Exchange; import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; +import org.apache.camel.converter.jaxp.XmlConverter; import org.apache.camel.impl.JndiRegistry; public class XsltRouteTest extends ContextTestSupport { + public void testSendStringMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>"); } 
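Review bot: `sendXmlMessage(String uri, String message)` in the new `XsltFeatureRouteTest` ignores its `uri` parameter and always calls `template.sendBody("direct:start1", message)`, so the `direct:start2` route, which uses `transform_text.xsl` directly, is never exercised; the call should be `template.sendBody(uri, message);`. The same line appears in `SaxonXsltFeatureRouteTest` later in this commit. The assertions also accept any `TransformerException` cause, which an unrelated stylesheet error would satisfy, so the tests do not show that the rejection comes from secure processing. Checking the exception message, or that `mock:result` received no exchange, would tighten this.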
@@ -32,6 +34,24 @@ public class XsltRouteTest extends ContextTestSupport { public void testSendBytesMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>".getBytes()); } + + public void testSendEntityMessage() throws Exception { + + MockEndpoint endpoint = getMockEndpoint("mock:result"); + endpoint.expectedMessageCount(1); + //String message = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///Users//jiangning//.CFUserTextEncoding\">]><task><name>&xxe;</name></task>"; + + String message = "<hello/>"; + template.sendBody("direct:start2", message); + + assertMockEndpointsSatisfied(); + + List<Exchange> list = endpoint.getReceivedExchanges(); + Exchange exchange = list.get(0); + String xml = exchange.getIn().getBody(String.class); + + System.out.println(xml); + } private void sendMessageAndHaveItTransformed(Object body) throws Exception { MockEndpoint endpoint = getMockEndpoint("mock:result"); @@ -44,7 +64,8 @@ public class XsltRouteTest extends ContextTestSupport { List<Exchange> list = endpoint.getReceivedExchanges(); Exchange exchange = list.get(0); String xml = exchange.getIn().getBody(String.class); - + System.out.println(xml); + assertNotNull("The transformed XML should not be null", xml); assertTrue(xml.indexOf("transformed") > -1); // the cheese tag is in the transform.xsl @@ -62,11 +83,16 @@ public class XsltRouteTest extends ContextTestSupport { return new RouteBuilder() { @Override public void configure() throws Exception { + from("direct:start") .to("xslt:org/apache/camel/component/xslt/transform.xsl") .multicast() .beanRef("testBean") .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); } }; } http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl ---------------------------------------------------------------------- 
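Review bot: `testSendEntityMessage` does not test entity handling: the `<!DOCTYPE ...>` input is commented out, the body sent is plain `<hello/>`, and the result is only printed with `System.out.println(xml)` instead of being asserted. It also expects one exchange on `mock:result` from `transform_text_imported.xsl`, while `XsltFeatureRouteTest` in this commit expects that same stylesheet to fail with a `TransformerException`, so the two expectations look contradictory. I would remove the commented-out line (it embeds a developer-local file path) and either assert that the entity is not expanded or drop the test. The `System.out.println(xml)` added to `sendMessageAndHaveItTransformed` in the `@@ -44,7 +64,8 @@` hunk should go as well.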
diff --git a/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
new file mode 100644
index 0000000..6c38e4a
--- /dev/null
+++ b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
+ xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+ xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
+ exclude-result-prefixes="date">
+ <xsl:output method="text"/>
+ <xsl:template match="/">
+ <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable>
+ <xsl:variable name="rtObj" select="rt:getRuntime()"/>
+ <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
+ <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/>
+ </xsl:template>
+</xsl:stylesheet>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
----------------------------------------------------------------------
diff --git a/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
new file mode 100644
index 0000000..8954b0a
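Review bot: Nothing in `transform_text.xsl` says it is a negative test input: it reaches `java.lang.Runtime` through Xalan Java-extension namespaces and exists only so the secure-processing tests can check that it is rejected. A header comment such as `<!-- Negative fixture: uses Java extension functions and must be rejected when FEATURE_SECURE_PROCESSING is enabled -->` would keep it from being read or copied as a working stylesheet. The `date` and `str` namespace declarations are unused and can be dropped. The identical copy added under `components/camel-saxon` needs the same changes.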
--- /dev/null
+++ b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+ <xsl:import href="transform_text.xsl"/>
+ <xsl:template match="/">
+ <xsl:apply-imports/>
+ </xsl:template>
+</xsl:stylesheet>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java
----------------------------------------------------------------------
diff --git a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java
new file mode 100644
index 0000000..12b438c
--- /dev/null
+++ b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java
@@ -0,0 +1,66 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.builder.RouteBuilder; +import org.apache.camel.test.junit4.CamelTestSupport; +import org.junit.Test; + +public class SaxonXsltFeatureRouteTest extends CamelTestSupport { + + @Test + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void configure() throws Exception { + from("direct:start1") + 
.to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + + + +} http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl ---------------------------------------------------------------------- diff --git a/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl new file mode 100644 index 0000000..6c38e4a --- /dev/null +++ b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl 
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
+ xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+ xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
+ exclude-result-prefixes="date">
+ <xsl:output method="text"/>
+ <xsl:template match="/">
+ <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable>
+ <xsl:variable name="rtObj" select="rt:getRuntime()"/>
+ <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
+ <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/>
+ </xsl:template>
+</xsl:stylesheet>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/camel/blob/e922f892/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
----------------------------------------------------------------------
diff --git a/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
new file mode 100644
index 0000000..e7ae4b0
--- /dev/null
+++ b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+ <xsl:import href="transform_text.xsl"/>
+
+ <xsl:template match="/">
+ <xsl:apply-imports/></xsl:template>
+</xsl:stylesheet>
\ No newline at end of file
