CVE-2014-0003
Description
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.camel:camel-core (Maven) | >= 2.11.0, < 2.11.4 | 2.11.4 |
| org.apache.camel:camel-core (Maven) | >= 2.12.0, < 2.12.3 | 2.12.3 |
Affected products
Patches (1)
5483b445dc774CAMEL-7123 Enable the xml transformer security processing feature by default
8 files changed · +273 −1
camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java+6 −0 modified
@@ -974,6 +974,12 @@ public Transformer createTransformer() throws TransformerConfigurationException
 public TransformerFactory createTransformerFactory() {
 TransformerFactory factory = TransformerFactory.newInstance();
+ // Enable the Security feature by default
+ try {
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (TransformerConfigurationException e) {
+ LOG.warn("TransformerFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
+ }
 factory.setErrorListener(new XmlErrorListener());
 return factory;
 }
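Review bot: The catch block in createTransformerFactory only logs and then returns the factory with secure processing still disabled, so an implementation that rejects FEATURE_SECURE_PROCESSING silently falls back to the pre-fix behaviour in which stylesheet extension functions remain reachable; failing closed would be safer, e.g. `throw new IllegalStateException("TransformerFactory does not support " + javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, e);`, or if best-effort is intended the comment should say so and the log level should be error rather than warn. Passing the exception inside the `Object[]` against a `{}` placeholder most likely makes SLF4J render only `e.toString()` rather than the stack trace, so the cause of the failure is lost from the log. The added comment could also state what the feature actually buys here, for instance `// FEATURE_SECURE_PROCESSING makes the XSLT engine reject Java extension functions in stylesheets (CAMEL-7123); it does not restrict external entity or external stylesheet access on its own`. The same hunk appears unchanged in commits c6de749e9b3c and e922f89290f2.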
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java+62 −0 added@@ -0,0 +1,62 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.ContextTestSupport; +import org.apache.camel.builder.RouteBuilder; + +public class XsltFeatureRouteTest extends ContextTestSupport { + + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void configure() throws Exception { + from("direct:start1") + 
.to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + +}
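Review bot: sendXmlMessage in XsltFeatureRouteTest ignores its `uri` parameter and always sends to "direct:start1", so the second call in testSendMessage never exercises the direct:start2 route and the non-imported transform_text.xsl path is left untested; the body should read `template.sendBody(uri, message);`. A short Javadoc on the class stating that both routes are expected to fail with a TransformerException because secure processing rejects the Java extension function in the stylesheet would make the negative expectation explicit. The identical defect is present in SaxonXsltFeatureRouteTest in this commit and in both test classes in commits c6de749e9b3c and e922f89290f2.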
camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java+27 −1 modified@@ -22,16 +22,36 @@ import org.apache.camel.Exchange; import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; +import org.apache.camel.converter.jaxp.XmlConverter; import org.apache.camel.impl.JndiRegistry; public class XsltRouteTest extends ContextTestSupport { + public void testSendStringMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>"); } public void testSendBytesMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>".getBytes()); } + + public void testSendEntityMessage() throws Exception { + + MockEndpoint endpoint = getMockEndpoint("mock:result"); + endpoint.expectedMessageCount(1); + //String message = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///Users//jiangning//.CFUserTextEncoding\">]><task><name>&xxe;</name></task>"; + + String message = "<hello/>"; + template.sendBody("direct:start2", message); + + assertMockEndpointsSatisfied(); + + List<Exchange> list = endpoint.getReceivedExchanges(); + Exchange exchange = list.get(0); + String xml = exchange.getIn().getBody(String.class); + + System.out.println(xml); + } private void sendMessageAndHaveItTransformed(Object body) throws Exception { MockEndpoint endpoint = getMockEndpoint("mock:result"); @@ -44,7 +64,8 @@ private void sendMessageAndHaveItTransformed(Object body) throws Exception { List<Exchange> list = endpoint.getReceivedExchanges(); Exchange exchange = list.get(0); String xml = exchange.getIn().getBody(String.class); - + System.out.println(xml); + assertNotNull("The transformed XML should not be null", xml); assertTrue(xml.indexOf("transformed") > -1); // the cheese tag is in the transform.xsl 
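Review bot: testSendEntityMessage asserts nothing about the transformed body — it only calls assertMockEndpointsSatisfied and prints the result with System.out.println — so it does not verify what the new direct:start2 route produces, and the added println in sendMessageAndHaveItTransformed is debugging output that should not stay in the test. The commented-out message string carries a developer's local home-directory path and is dead code; it should be removed or replaced by an explanatory comment, e.g. `// direct:start2 runs transform_text_imported.xsl, which imports a stylesheet using a Java extension function`. The new `import org.apache.camel.converter.jaxp.XmlConverter;` appears unused in the visible lines. It also looks inconsistent that XsltFeatureRouteTest expects a TransformerException for the same transform_text_imported.xsl stylesheet while this test expects one message delivered to mock:result; unless this test configures its factory differently outside the hunk, one of the two expectations would fail. The same changes recur in commits c6de749e9b3c and e922f89290f2.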
@@ -62,11 +83,16 @@ protected RouteBuilder createRouteBuilder() throws Exception { return new RouteBuilder() { @Override public void configure() throws Exception { + from("direct:start") .to("xslt:org/apache/camel/component/xslt/transform.xsl") .multicast() .beanRef("testBean") .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); } }; }
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + <xsl:template match="/"> + <xsl:apply-imports/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
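Review bot: transform_text.xsl has no comment explaining that it is a deliberate negative fixture, so a maintainer reading the resource directory cannot tell that its Runtime extension call is meant to be rejected by the secure-processing feature rather than executed; a comment after the license header such as `<!-- Negative test fixture for CAMEL-7123: uses a Xalan Java extension function and must be rejected when FEATURE_SECURE_PROCESSING is enabled. -->` would make that clear. The `date` and `str` namespace declarations are unused, and exclude-result-prefixes names only `date`; dropping both declarations would leave just the `rt` namespace the fixture actually uses. The same file is added under components/camel-saxon in this commit and in commits c6de749e9b3c and e922f89290f2.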
components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java+66 −0 added@@ -0,0 +1,66 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.builder.RouteBuilder; +import org.apache.camel.test.junit4.CamelTestSupport; +import org.junit.Test; + +public class SaxonXsltFeatureRouteTest extends CamelTestSupport { + + @Test + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void 
configure() throws Exception { + from("direct:start1") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + + + +}
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + + <xsl:template match="/"> + <xsl:apply-imports/></xsl:template> +</xsl:stylesheet> \ No newline at end of file
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
c6de749e9b3cCAMEL-7123 Enable the xml transformer security processing feature by default
8 files changed · +273 −1
camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java+6 −0 modified
@@ -1005,6 +1005,12 @@ public Transformer createTransformer() throws TransformerConfigurationException
 public TransformerFactory createTransformerFactory() {
 TransformerFactory factory = TransformerFactory.newInstance();
+ // Enable the Security feature by default
+ try {
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (TransformerConfigurationException e) {
+ LOG.warn("TransformerFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
+ }
 factory.setErrorListener(new XmlErrorListener());
 return factory;
 }
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java+62 −0 added@@ -0,0 +1,62 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.ContextTestSupport; +import org.apache.camel.builder.RouteBuilder; + +public class XsltFeatureRouteTest extends ContextTestSupport { + + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void configure() throws Exception { + from("direct:start1") + 
.to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + +}
camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java+27 −1 modified@@ -22,16 +22,36 @@ import org.apache.camel.Exchange; import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; +import org.apache.camel.converter.jaxp.XmlConverter; import org.apache.camel.impl.JndiRegistry; public class XsltRouteTest extends ContextTestSupport { + public void testSendStringMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>"); } public void testSendBytesMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>".getBytes()); } + + public void testSendEntityMessage() throws Exception { + + MockEndpoint endpoint = getMockEndpoint("mock:result"); + endpoint.expectedMessageCount(1); + //String message = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///Users//jiangning//.CFUserTextEncoding\">]><task><name>&xxe;</name></task>"; + + String message = "<hello/>"; + template.sendBody("direct:start2", message); + + assertMockEndpointsSatisfied(); + + List<Exchange> list = endpoint.getReceivedExchanges(); + Exchange exchange = list.get(0); + String xml = exchange.getIn().getBody(String.class); + + System.out.println(xml); + } private void sendMessageAndHaveItTransformed(Object body) throws Exception { MockEndpoint endpoint = getMockEndpoint("mock:result"); @@ -44,7 +64,8 @@ private void sendMessageAndHaveItTransformed(Object body) throws Exception { List<Exchange> list = endpoint.getReceivedExchanges(); Exchange exchange = list.get(0); String xml = exchange.getIn().getBody(String.class); - + System.out.println(xml); + assertNotNull("The transformed XML should not be null", xml); assertTrue(xml.indexOf("transformed") > -1); // the cheese tag is in the transform.xsl 
@@ -62,11 +83,16 @@ protected RouteBuilder createRouteBuilder() throws Exception { return new RouteBuilder() { @Override public void configure() throws Exception { + from("direct:start") .to("xslt:org/apache/camel/component/xslt/transform.xsl") .multicast() .beanRef("testBean") .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); } }; }
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + <xsl:template match="/"> + <xsl:apply-imports/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java+66 −0 added@@ -0,0 +1,66 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.builder.RouteBuilder; +import org.apache.camel.test.junit4.CamelTestSupport; +import org.junit.Test; + +public class SaxonXsltFeatureRouteTest extends CamelTestSupport { + + @Test + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void 
configure() throws Exception { + from("direct:start1") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + + + +}
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + + <xsl:template match="/"> + <xsl:apply-imports/></xsl:template> +</xsl:stylesheet> \ No newline at end of file
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
e922f89290f2CAMEL-7123 Enable the xml transformer security processing feature by default
8 files changed · +273 −1
camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java+6 −0 modified
@@ -974,6 +974,12 @@ public Transformer createTransformer() throws TransformerConfigurationException
 public TransformerFactory createTransformerFactory() {
 TransformerFactory factory = TransformerFactory.newInstance();
+ // Enable the Security feature by default
+ try {
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (TransformerConfigurationException e) {
+ LOG.warn("TransformerFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
+ }
 factory.setErrorListener(new XmlErrorListener());
 return factory;
 }
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java+62 −0 added@@ -0,0 +1,62 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.ContextTestSupport; +import org.apache.camel.builder.RouteBuilder; + +public class XsltFeatureRouteTest extends ContextTestSupport { + + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void configure() throws Exception { + from("direct:start1") + 
.to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + +}
camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java+27 −1 modified@@ -22,16 +22,36 @@ import org.apache.camel.Exchange; import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; +import org.apache.camel.converter.jaxp.XmlConverter; import org.apache.camel.impl.JndiRegistry; public class XsltRouteTest extends ContextTestSupport { + public void testSendStringMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>"); } public void testSendBytesMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>".getBytes()); } + + public void testSendEntityMessage() throws Exception { + + MockEndpoint endpoint = getMockEndpoint("mock:result"); + endpoint.expectedMessageCount(1); + //String message = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///Users//jiangning//.CFUserTextEncoding\">]><task><name>&xxe;</name></task>"; + + String message = "<hello/>"; + template.sendBody("direct:start2", message); + + assertMockEndpointsSatisfied(); + + List<Exchange> list = endpoint.getReceivedExchanges(); + Exchange exchange = list.get(0); + String xml = exchange.getIn().getBody(String.class); + + System.out.println(xml); + } private void sendMessageAndHaveItTransformed(Object body) throws Exception { MockEndpoint endpoint = getMockEndpoint("mock:result"); @@ -44,7 +64,8 @@ private void sendMessageAndHaveItTransformed(Object body) throws Exception { List<Exchange> list = endpoint.getReceivedExchanges(); Exchange exchange = list.get(0); String xml = exchange.getIn().getBody(String.class); - + System.out.println(xml); + assertNotNull("The transformed XML should not be null", xml); assertTrue(xml.indexOf("transformed") > -1); // the cheese tag is in the transform.xsl 
@@ -62,11 +83,16 @@ protected RouteBuilder createRouteBuilder() throws Exception { return new RouteBuilder() { @Override public void configure() throws Exception { + from("direct:start") .to("xslt:org/apache/camel/component/xslt/transform.xsl") .multicast() .beanRef("testBean") .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); } }; }
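Review bot: `testSendEntityMessage` makes no assertion on the transformed body — it only prints it — and the new `System.out.println(xml)` calls in both it and `sendMessageAndHaveItTransformed` are debug leftovers that should become assertions or be removed; the added import of `org.apache.camel.converter.jaxp.XmlConverter` is also unused in the visible hunks. The commented-out entity-declaration string, which embeds an absolute path from a developer's home directory, should be deleted rather than committed; if external-entity handling is meant to be covered, write it as an explicit test with an assertion instead of dead code. It is also worth confirming the intended outcome: `direct:start2` here routes to `transform_text_imported.xsl` and expects one message at `mock:result`, while `XsltFeatureRouteTest` sends the same stylesheet and expects a `TransformerException`; unless something outside this hunk configures the two tests differently, both expectations cannot hold. A minimal fix for the missing check is `assertNotNull("Transformed body should not be null", xml);` in place of the print. The same hunks are repeated in the two other copies of this commit on the page.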
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + <xsl:template match="/"> + <xsl:apply-imports/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
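Review bot: The fixture carries no comment saying that it is meant to be rejected by the transformer's secure-processing mode, so a maintainer who sees the routes built on it fail cannot tell that the failure is the expected outcome. A short comment above the root template, such as `<!-- Negative fixture: calls a Java extension function and must be refused when FEATURE_SECURE_PROCESSING is on; do not "fix" the routes that fail on it. -->`, would make the intent explicit. The `date` and `str` namespace declarations are unused and `exclude-result-prefixes` has no effect with `method="text"` output, so both can be dropped. The same fixture is added under camel-saxon and repeated in the other two copies of the commit.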
components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java+66 −0 added@@ -0,0 +1,66 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.builder.RouteBuilder; +import org.apache.camel.test.junit4.CamelTestSupport; +import org.junit.Test; + +public class SaxonXsltFeatureRouteTest extends CamelTestSupport { + + @Test + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void 
configure() throws Exception { + from("direct:start1") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + + + +}
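Review bot: `sendXmlMessage` ignores its `uri` parameter and always sends to `direct:start1`, so the `direct:start2` route — the stylesheet that calls the Runtime extension function directly rather than through `xsl:import` — is never exercised even though `testSendMessage` passes both URIs. The call should be `template.sendBody(uri, message);`. As written, a regression in how top-level versus imported stylesheets are handled under secure processing would go unnoticed by this test. The same defect is present in the camel-core `XsltFeatureRouteTest` and in the repeated copies of both classes on this page.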
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + + <xsl:template match="/"> + <xsl:apply-imports/></xsl:template> +</xsl:stylesheet> \ No newline at end of file
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
c6de749e9b3cCAMEL-7123 Enable the xml transformer security processing feature by default
8 files changed · +273 −1
camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java+6 −0 modified@@ -1005,6 +1005,12 @@ public Transformer createTransformer() throws TransformerConfigurationException public TransformerFactory createTransformerFactory() { TransformerFactory factory = TransformerFactory.newInstance(); + // Enable the Security feature by default + try { + factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true); + } catch (TransformerConfigurationException e) { + LOG.warn("TransformerFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e}); + } factory.setErrorListener(new XmlErrorListener()); return factory; }
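Review bot: The new catch block in `createTransformerFactory` fails open: when `setFeature(FEATURE_SECURE_PROCESSING, true)` throws, the method logs a warning and still returns the unsecured factory, so the control this commit introduces silently disappears on any factory that rejects the feature (JAXP requires implementations to accept it, so the path should be rare, but a non-compliant or wrapping factory would hit it). Consider failing closed, e.g. `throw new IllegalStateException("TransformerFactory " + factory.getClass().getName() + " does not support " + javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, e);`, or at minimum document in a comment that the feature is best-effort and what a caller loses when the warning fires. If `LOG` is an SLF4J logger, three `{}` placeholders with three arguments means `e` is consumed as a formatted argument and only its `toString()` is logged; passing `e` as an extra trailing argument outside the placeholders keeps the stack trace. The same hunk is repeated in the other copies of this commit on the page.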
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java+62 −0 added@@ -0,0 +1,62 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.ContextTestSupport; +import org.apache.camel.builder.RouteBuilder; + +public class XsltFeatureRouteTest extends ContextTestSupport { + + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void configure() throws Exception { + from("direct:start1") + 
.to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + +}
camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java+27 −1 modified@@ -22,16 +22,36 @@ import org.apache.camel.Exchange; import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; +import org.apache.camel.converter.jaxp.XmlConverter; import org.apache.camel.impl.JndiRegistry; public class XsltRouteTest extends ContextTestSupport { + public void testSendStringMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>"); } public void testSendBytesMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>".getBytes()); } + + public void testSendEntityMessage() throws Exception { + + MockEndpoint endpoint = getMockEndpoint("mock:result"); + endpoint.expectedMessageCount(1); + //String message = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///Users//jiangning//.CFUserTextEncoding\">]><task><name>&xxe;</name></task>"; + + String message = "<hello/>"; + template.sendBody("direct:start2", message); + + assertMockEndpointsSatisfied(); + + List<Exchange> list = endpoint.getReceivedExchanges(); + Exchange exchange = list.get(0); + String xml = exchange.getIn().getBody(String.class); + + System.out.println(xml); + } private void sendMessageAndHaveItTransformed(Object body) throws Exception { MockEndpoint endpoint = getMockEndpoint("mock:result"); @@ -44,7 +64,8 @@ private void sendMessageAndHaveItTransformed(Object body) throws Exception { List<Exchange> list = endpoint.getReceivedExchanges(); Exchange exchange = list.get(0); String xml = exchange.getIn().getBody(String.class); - + System.out.println(xml); + assertNotNull("The transformed XML should not be null", xml); assertTrue(xml.indexOf("transformed") > -1); // the cheese tag is in the transform.xsl 
@@ -62,11 +83,16 @@ protected RouteBuilder createRouteBuilder() throws Exception { return new RouteBuilder() { @Override public void configure() throws Exception { + from("direct:start") .to("xslt:org/apache/camel/component/xslt/transform.xsl") .multicast() .beanRef("testBean") .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); } }; }
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + <xsl:template match="/"> + <xsl:apply-imports/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java+66 −0 added@@ -0,0 +1,66 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.builder.RouteBuilder; +import org.apache.camel.test.junit4.CamelTestSupport; +import org.junit.Test; + +public class SaxonXsltFeatureRouteTest extends CamelTestSupport { + + @Test + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void 
configure() throws Exception { + from("direct:start1") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + + + +}
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl+25 −0 added@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> + + <xsl:import href="transform_text.xsl"/> + + <xsl:template match="/"> + <xsl:apply-imports/></xsl:template> +</xsl:stylesheet> \ No newline at end of file
components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl+31 −0 added@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" + xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" + xmlns:str="http://xml.apache.org/xalan/java/java.lang.String" + exclude-result-prefixes="date"> + <xsl:output method="text"/> + <xsl:template match="/"> + <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable> + <xsl:variable name="rtObj" select="rt:getRuntime()"/> + <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> + <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/> + </xsl:template> +</xsl:stylesheet> \ No newline at end of file
483b445dc774CAMEL-7123 Enable the xml transformer security processing feature by default
8 files changed · +273 −1
camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java+6 −0 modified@@ -974,6 +974,12 @@ public Transformer createTransformer() throws TransformerConfigurationException public TransformerFactory createTransformerFactory() { TransformerFactory factory = TransformerFactory.newInstance(); + // Enable the Security feature by default + try { + factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true); + } catch (TransformerConfigurationException e) { + LOG.warn("TransformerFactory doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e}); + } factory.setErrorListener(new XmlErrorListener()); return factory; }
camel-core/src/test/java/org/apache/camel/component/xslt/XsltFeatureRouteTest.java+62 −0 added@@ -0,0 +1,62 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.xslt; + +import javax.xml.transform.TransformerException; + +import org.apache.camel.CamelExecutionException; +import org.apache.camel.ContextTestSupport; +import org.apache.camel.builder.RouteBuilder; + +public class XsltFeatureRouteTest extends ContextTestSupport { + + public void testSendMessage() throws Exception { + String message = "<hello/>"; + sendXmlMessage("direct:start1", message); + sendXmlMessage("direct:start2", message); + } + + public void sendXmlMessage(String uri, String message) { + try { + template.sendBody("direct:start1", message); + fail("expect an exception here"); + } catch (Exception ex) { + // expect an exception here + assertTrue("Get a wrong exception", ex instanceof CamelExecutionException); + assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException); + } + + } + + + @Override + protected RouteBuilder createRouteBuilder() throws Exception { + return new RouteBuilder() { + @Override + public void configure() throws Exception { + from("direct:start1") + 
.to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text.xsl") + .to("mock:result"); + } + }; + } + +}
camel-core/src/test/java/org/apache/camel/component/xslt/XsltRouteTest.java+27 −1 modified@@ -22,16 +22,36 @@ import org.apache.camel.Exchange; import org.apache.camel.builder.RouteBuilder; import org.apache.camel.component.mock.MockEndpoint; +import org.apache.camel.converter.jaxp.XmlConverter; import org.apache.camel.impl.JndiRegistry; public class XsltRouteTest extends ContextTestSupport { + public void testSendStringMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>"); } public void testSendBytesMessage() throws Exception { sendMessageAndHaveItTransformed("<mail><subject>Hey</subject><body>Hello world!</body></mail>".getBytes()); } + + public void testSendEntityMessage() throws Exception { + + MockEndpoint endpoint = getMockEndpoint("mock:result"); + endpoint.expectedMessageCount(1); + //String message = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///Users//jiangning//.CFUserTextEncoding\">]><task><name>&xxe;</name></task>"; + + String message = "<hello/>"; + template.sendBody("direct:start2", message); + + assertMockEndpointsSatisfied(); + + List<Exchange> list = endpoint.getReceivedExchanges(); + Exchange exchange = list.get(0); + String xml = exchange.getIn().getBody(String.class); + + System.out.println(xml); + } private void sendMessageAndHaveItTransformed(Object body) throws Exception { MockEndpoint endpoint = getMockEndpoint("mock:result"); @@ -44,7 +64,8 @@ private void sendMessageAndHaveItTransformed(Object body) throws Exception { List<Exchange> list = endpoint.getReceivedExchanges(); Exchange exchange = list.get(0); String xml = exchange.getIn().getBody(String.class); - + System.out.println(xml); + assertNotNull("The transformed XML should not be null", xml); assertTrue(xml.indexOf("transformed") > -1); // the cheese tag is in the transform.xsl 
@@ -62,11 +83,16 @@ protected RouteBuilder createRouteBuilder() throws Exception { return new RouteBuilder() { @Override public void configure() throws Exception { + from("direct:start") .to("xslt:org/apache/camel/component/xslt/transform.xsl") .multicast() .beanRef("testBean") .to("mock:result"); + + from("direct:start2") + .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl") + .to("mock:result"); } }; }
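Review bot: testSendEntityMessage in the first hunk sends a plain `<hello/>` body, so despite its name it never exercises entity expansion, and the transformed body it retrieves is only printed with `System.out.println(xml)` rather than checked; either rename it to say what it verifies or assert on the result, e.g. `assertNotNull("The transformed XML should not be null", xml);` as sendMessageAndHaveItTransformed already does. The commented-out DOCTYPE line, which embeds a path under a developer's home directory, should be deleted rather than left in the test, and the `System.out.println(xml)` added to sendMessageAndHaveItTransformed in the same hunk is stray debug output. The added `import org.apache.camel.converter.jaxp.XmlConverter;` is not referenced in either visible hunk, so it appears unused.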
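--- a/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
+++ b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements. See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+  <xsl:import href="transform_text.xsl"/>
+  <xsl:template match="/">
+    <xsl:apply-imports/>
+  </xsl:template>
+</xsl:stylesheet>
\ No newline at end of file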
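--- a/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
+++ b/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements. See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+  xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
+  xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+  xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
+  exclude-result-prefixes="date">
+  <xsl:output method="text"/>
+  <xsl:template match="/">
+    <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable>
+    <xsl:variable name="rtObj" select="rt:getRuntime()"/>
+    <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
+    <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/>
+  </xsl:template>
+</xsl:stylesheet>
\ No newline at end of file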
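Review bot: The stylesheet declares the `date` and `str` extension namespaces but never uses them, and `exclude-result-prefixes="date"` covers only one of them; since the fixture's purpose is to show that a Java extension call is rejected once FEATURE_SECURE_PROCESSING is on, the unused prefixes only obscure which call the test depends on, and only `xmlns:rt` should remain. A short comment stating that purpose would help the next maintainer who finds a Runtime call in a test resource, e.g. `<!-- Negative fixture: the rt:exec extension call must be refused when the secure-processing feature is enabled; see XsltFeatureRouteTest. -->`. The file also lacks a trailing newline. The camel-saxon copy of transform_text.xsl has the same issues.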
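--- a/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java
+++ b/components/camel-saxon/src/test/java/org/apache/camel/component/xslt/SaxonXsltFeatureRouteTest.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.xslt;
+
+import javax.xml.transform.TransformerException;
+
+import org.apache.camel.CamelExecutionException;
+import org.apache.camel.builder.RouteBuilder;
+import org.apache.camel.test.junit4.CamelTestSupport;
+import org.junit.Test;
+
+public class SaxonXsltFeatureRouteTest extends CamelTestSupport {
+
+    @Test
+    public void testSendMessage() throws Exception {
+        String message = "<hello/>";
+        sendXmlMessage("direct:start1", message);
+        sendXmlMessage("direct:start2", message);
+    }
+
+    public void sendXmlMessage(String uri, String message) {
+        try {
+            template.sendBody("direct:start1", message);
+            fail("expect an exception here");
+        } catch (Exception ex) {
+            // expect an exception here
+            assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
+            assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
+        }
+
+    }
+
+
+    @Override
+    protected RouteBuilder createRouteBuilder() throws Exception {
+        return new RouteBuilder() {
+            @Override
+            public void configure() throws Exception {
+                from("direct:start1")
+                    .to("xslt:org/apache/camel/component/xslt/transform_text_imported.xsl")
+                    .to("mock:result");
+
+                from("direct:start2")
+                    .to("xslt:org/apache/camel/component/xslt/transform_text.xsl")
+                    .to("mock:result");
+            }
+        };
+    }
+
+
+
+}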
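Review bot: sendXmlMessage ignores its `uri` parameter and always sends to `direct:start1`, so the second call in testSendMessage never reaches the `direct:start2` route and the directly-loaded transform_text.xsl path is not actually covered by this test; the fix is `template.sendBody(uri, message);`. The camel-core XsltFeatureRouteTest added in the same commit has the identical bug. Catching `Exception` and then asserting `instanceof CamelExecutionException` would read better as `catch (CamelExecutionException ex)`, which lets any other exception type fail the test with its own stack trace instead of a generic "Get a wrong exception" message. The helper is also `public` without a `@Test` annotation; making it `private` avoids it being mistaken for a test case.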
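--- a/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
+++ b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text_imported.xsl
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements. See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+  <xsl:import href="transform_text.xsl"/>
+
+  <xsl:template match="/">
+    <xsl:apply-imports/></xsl:template>
+</xsl:stylesheet>
\ No newline at end of file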
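--- a/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
+++ b/components/camel-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements. See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<xsl:stylesheet version="1.0"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+  xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
+  xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+  xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
+  exclude-result-prefixes="date">
+  <xsl:output method="text"/>
+  <xsl:template match="/">
+    <xsl:variable name="cmd"><![CDATA[/usr/bin/test]]></xsl:variable>
+    <xsl:variable name="rtObj" select="rt:getRuntime()"/>
+    <xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/>
+    <xsl:text>Process: </xsl:text><xsl:value-of select="$process"/>
+  </xsl:template>
+</xsl:stylesheet>
\ No newline at end of file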
References
- camel.apache.org/security-advisories.data/CVE-2014-0003.txt.ascnvdExploitVendor AdvisoryWEB
- secunia.com/advisories/57125nvdVendor Advisory
- github.com/advisories/GHSA-h6rp-8v4j-hwphghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-0003ghsaADVISORY
- rhn.redhat.com/errata/RHSA-2014-0245.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0254.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0371.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2014-0372.htmlnvdWEB
- github.com/apache/camel/commit/483b445dc77487e2d0f3d8c8bf1a7bbab04464cghsaWEB
- github.com/apache/camel/commit/c6de749e9b3c7b61861c5480e91550290585224ghsaWEB
- github.com/apache/camel/commit/e922f89290f236f3107039de61af0375826bd96dghsaWEB
- issues.apache.org/jira/browse/CAMEL-7123ghsaWEB
- lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3EnvdWEB
- lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3EghsaWEB
- web.archive.org/web/20200229061309/http://www.securityfocus.com/bid/65902ghsaWEB
- secunia.com/advisories/57716nvd
- secunia.com/advisories/57719nvd
- www.securityfocus.com/bid/65902nvd