XXETest.java

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2014-2017 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * http://glassfish.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */
package org.glassfish.jersey.tests.e2e.entity;

import java.net.URL;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CountDownLatch;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.MediaType;

import javax.xml.bind.JAXBElement;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;

import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.test.JerseyTest;

import org.junit.Ignore;
import org.junit.Test;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import static org.junit.Assert.assertEquals;

/**
 * Tests xml security.
 *
 * @author Paul Sandoz
 */
public class XXETest extends JerseyTest {

    private static final String DOCTYPE = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"%s\">]>";
    private static final String XML = "<jaxbBean><value>&xxe;</value></jaxbBean>";

    private String getDocument() {
        final URL u = this.getClass().getResource("xxe.txt");
        return String.format(DOCTYPE, u.toString()) + XML;
    }

    private String getListDocument() {
        final URL u = this.getClass().getResource("xxe.txt");
        return String.format(DOCTYPE, u.toString()) + "<jaxbBeans>" + XML + XML + XML + "</jaxbBeans>";
    }

    @Path("/")
    @Consumes("application/xml")
    @Produces("application/xml")
    public static class EntityHolderResource {

        @Path("jaxb")
        @POST
        public String post(final JaxbBean s) {
            return s.value;
        }

        @Path("jaxbelement")
        @POST
        public String post(final JAXBElement<JaxbBeanType> s) {
            return s.getValue().value;
        }

        @Path("jaxb/list")
        @POST
        public String post(final List<JaxbBean> s) {
            return s.get(0).value;
        }

        @Path("sax")
        @POST
        public SAXSource postSax(final SAXSource s) {
            return s;
        }

        @Path("dom")
        @POST
        public String postDom(final DOMSource s) {
            final Document d = (Document) s.getNode();
            final Element e = (Element) d.getElementsByTagName("value").item(0);
            final Node n = e.getChildNodes().item(0);
            if (n.getNodeType() == Node.TEXT_NODE) {
                return n.getNodeValue();
            } else if (n.getNodeType() == Node.ENTITY_REFERENCE_NODE) {
                return "";
            } else {
                throw new WebApplicationException(400);
            }
        }

        @Path("stream")
        @POST
        public StreamSource postStream(final StreamSource s) {
            return s;
        }
    }

    @Override
    public ResourceConfig configure() {
        return new ResourceConfig(EntityHolderResource.class);
    }

    @Test
    public void testJAXBSecure() {
        final String s = target().path("jaxb").request("application/xml").post(Entity.entity(getDocument(),
                MediaType.APPLICATION_XML_TYPE), String.class);
        assertEquals("", s);
    }

    @Test
    public void testJAXBSecureWithThreads() throws Throwable {
        final int n = 4;
        final CountDownLatch latch = new CountDownLatch(n);

        final Runnable runnable = new Runnable() {
            public void run() {
                try {
                    final String s = target().path("jaxb").request("application/xml").post(Entity.entity(getDocument(),
                            MediaType.TEXT_PLAIN_TYPE), String.class);
                    assertEquals("", s);
                } finally {
                    latch.countDown();
                }
            }
        };

        final Set<Throwable> s = new HashSet<Throwable>();
        for (int i = 0; i < n; i++) {
            final Thread t = new Thread(runnable);
            t.setUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {
                public void uncaughtException(final Thread t, final Throwable ex) {
                    s.add(ex);
                }
            });
            t.start();
        }

        try {
            latch.await();
        } catch (final InterruptedException ignored) {
        }
    }

    @Test
    public void testJAXBElementSecure() {
        final String s = target().path("jaxbelement").request("application/xml").post(Entity.entity(getDocument(),
                MediaType.APPLICATION_XML_TYPE), String.class);
        assertEquals("", s);
    }

    @Ignore // TODO
    @Test
    public void testJAXBListSecure() {
        final String s = target().path("jaxb/list").request("application/xml").post(Entity.entity(getListDocument(),
                MediaType.APPLICATION_XML_TYPE), String.class);
        assertEquals("", s);
    }

    @Test
    public void testSAXSecure() {
        final JaxbBean b = target().path("sax").request("application/xml").post(Entity.entity(getDocument(),
                MediaType.APPLICATION_XML_TYPE), JaxbBean.class);
        assertEquals("", b.value);
    }

    @Test
    public void testDOMSecure() {
        final String s = target().path("dom").request("application/xml").post(Entity.entity(getDocument(),
                MediaType.APPLICATION_XML_TYPE), String.class);
        assertEquals("", s);
    }

    @Test
    public void testStreamSecure() {
        final JaxbBean b = target().path("stream").request("application/xml").post(Entity.entity(getDocument(),
                MediaType.APPLICATION_XML_TYPE), JaxbBean.class);
        assertEquals("", b.value);
    }

    // NOTE - this is a tes migrated from Jersey 1.x tests. The original test class contains also insecure "versions" of the
    // methods above configured via FeaturesAndProperties.FEATURE_DISABLE_XML_SECURITY. Those methods are ommited,
    // as Jersey 2 does not support such consturct.

}