[jbossws-commits] JBossWS SVN: r8977 - in stack/native/branches/jbossws-native-2.0.1.SP2_CP: src/main/java/org/jboss/ws/core/server and 2 other directories.

Wed Jan 7 06:25:23 EST 2009


Author: mageshbk at jboss.com
Date: 2009-01-07 06:25:21 -0500 (Wed, 07 Jan 2009)
New Revision: 8977

Added:
   stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/
   stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
   stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
   stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
Modified:
   stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml
   stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java
Log:
[JBPAPP-1548] JBossWS - WSDL access url with resource suffix allows any arbitrary xml file to be viewed

Modified: stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml
===================================================================
--- stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml	2009-01-07 09:06:02 UTC (rev 8976)
+++ stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml	2009-01-07 11:25:21 UTC (rev 8977)
@@ -568,8 +568,16 @@
       <webinf dir="${tests.output.dir}/resources/jaxws/jbws2319/WEB-INF">
         <include name="jboss-web.xml"/>
       </webinf>
-    </war> 
+    </war>
 
+    <!-- jaxws-jbws2437 -->
+    <jar destfile="${tests.output.dir}/libs/jaxws-jbws2437.jar">
+      <fileset dir="${tests.output.dir}/classes">
+        <include name="org/jboss/test/ws/jaxws/jbws2437/*.class"/>
+        <exclude name="org/jboss/test/ws/jaxws/jbws2437/*TestCase.class"/>
+      </fileset>
+    </jar>
+
     <!-- jaxws namespace -->
     <war warfile="${tests.output.dir}/libs/jaxws-namespace.war" webxml="${tests.output.dir}/resources/jaxws/namespace/WEB-INF/web.xml">
       <classes dir="${tests.output.dir}/classes">

Modified: stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java
===================================================================
--- stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java	2009-01-07 09:06:02 UTC (rev 8976)
+++ stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java	2009-01-07 11:25:21 UTC (rev 8977)
@@ -30,8 +30,11 @@
 
 import org.jboss.logging.Logger;
 import org.jboss.ws.metadata.umdm.EndpointMetaData;
+import org.jboss.wsf.common.DOMUtils;
+import org.jboss.wsf.spi.SPIProvider;
+import org.jboss.wsf.spi.SPIProviderResolver;
 import org.jboss.wsf.spi.management.ServerConfig;
-import org.jboss.wsf.common.DOMUtils;
+import org.jboss.wsf.spi.management.ServerConfigFactory;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -88,11 +91,31 @@
       // get some imported resource
       else
       {
-         String impResourcePath = new File(wsdlLocation.getPath()).getParent() + File.separatorChar + resPath;
+         File wsdlLocFile = new File(wsdlLocation.getPath());
+         String impResourcePath = wsdlLocFile.getParent() + File.separatorChar + resPath;
          File impResourceFile = new File(impResourcePath);
+         String wsdlPublishLoc = epMetaData.getServiceMetaData().getWsdlPublishLocation();
 
-         Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
-         wsdlDoc = wsdlElement.getOwnerDocument();
+         log.debug("Importing resource file: " + impResourceFile.getCanonicalPath());
+
+         String wsdlLocFilePath = wsdlLocFile.getParentFile().getCanonicalPath();
+         SPIProvider spiProvider = SPIProviderResolver.getInstance().getProvider();
+         ServerConfig serverConfig = spiProvider.getSPI(ServerConfigFactory.class).getServerConfig();
+         String wsdlDataLoc = serverConfig.getServerDataDir().getCanonicalPath() + File.separatorChar + "wsdl";
+
+         //allow wsdl file's parent or server's data/wsdl or overriden wsdl publish directories only
+         if (impResourceFile.getCanonicalPath().indexOf(wsdlLocFilePath) >= 0
+             || impResourceFile.getCanonicalPath().indexOf(wsdlDataLoc) >= 0
+             || (wsdlPublishLoc != null 
+                  && impResourceFile.getCanonicalPath().indexOf(new File(new URL(wsdlPublishLoc).getPath()).getCanonicalPath()) >= 0))
+         {
+            Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
+            wsdlDoc = wsdlElement.getOwnerDocument();
+         }
+         else
+         {
+            throw new IOException("Access to this resource is not allowed");
+         }
       }
 
       modifyAddressReferences(reqURL, wsdlHost, resPath, wsdlDoc.getDocumentElement());
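Review bot: The allow-list test at lines 82–85 uses `indexOf(...) >= 0`, which is a substring match rather than an anchored prefix match, so a canonical path that merely contains one of the permitted directory strings somewhere inside it passes, and a sibling directory that shares a permitted prefix (for example a `wsdl-backup` directory next to `data/wsdl`) passes as well because the prefix is not bounded by a path separator. `impResourceFile.getCanonicalPath()` is also recomputed four times in the condition; computing it once and comparing against each permitted directory with an equals-or-starts-with-separator test closes both gaps without changing the error path. The enclosing method starts and ends outside this hunk, so the helper below would be added elsewhere in the class. The same `indexOf` pattern applies to all three alternatives in the condition.
```java
String impResourceCanonical = impResourceFile.getCanonicalPath();
// … unchanged: wsdlLocFilePath, spiProvider, serverConfig, wsdlDataLoc …
String wsdlPublishPath = (wsdlPublishLoc != null)
      ? new File(new URL(wsdlPublishLoc).getPath()).getCanonicalPath() : null;

//allow wsdl file's parent or server's data/wsdl or overriden wsdl publish directories only
if (isWithin(impResourceCanonical, wsdlLocFilePath)
    || isWithin(impResourceCanonical, wsdlDataLoc)
    || (wsdlPublishPath != null && isWithin(impResourceCanonical, wsdlPublishPath)))
{
   Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
   wsdlDoc = wsdlElement.getOwnerDocument();
}
else
{
   throw new IOException("Access to this resource is not allowed");
}
// … unchanged: remainder of the method …

/** True when canonicalPath is dir itself or lies below it; the separator bound rejects siblings such as dir + "-other". */
private static boolean isWithin(String canonicalPath, String dir)
{
   return canonicalPath.equals(dir) || canonicalPath.startsWith(dir + File.separatorChar);
}
```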

Added: stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
===================================================================
--- stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java	                        (rev 0)
+++ stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java	2009-01-07 11:25:21 UTC (rev 8977)
@@ -0,0 +1,31 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import javax.jws.WebService;
+
+ at WebService(name = "Hello", serviceName = "HelloService", targetNamespace = "http://org.jboss.ws/jaxws/jbws2437")
+public interface Hello
+{
+
+   public String echo(String in0);
+}


Property changes on: stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
___________________________________________________________________
Name: svn:keywords
   + Id Revision
Name: svn:eol-style
   + LF

Added: stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
===================================================================
--- stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java	                        (rev 0)
+++ stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java	2009-01-07 11:25:21 UTC (rev 8977)
@@ -0,0 +1,47 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import javax.ejb.Stateless;
+import javax.jws.WebMethod;
+import javax.jws.WebParam;
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.jboss.logging.Logger;
+import org.jboss.wsf.spi.annotation.WebContext;
+
+ at Stateless
+ at WebService(name = "Hello", serviceName = "HelloService", targetNamespace = "http://org.jboss.ws/jaxws/jbws2437")
+ at SOAPBinding(style = SOAPBinding.Style.RPC)
+ at WebContext(contextRoot="jaxws-jbws2437", urlPattern="/*")
+public class HelloJavaBean implements Hello
+{
+   private Logger log = Logger.getLogger(HelloJavaBean.class);
+
+   @WebMethod
+   public String echo(@WebParam(name = "user") String in0)
+   {
+      log.info(in0);
+      return in0;
+   }
+}
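Review bot: The logger field at line 186 is an instance field, so every bean instance creates its own `Logger`; the conventional form is `private static final Logger log = Logger.getLogger(HelloJavaBean.class);`. This is a test fixture, so the impact is limited to style, but it is the pattern other fixtures in the tree will copy.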


Property changes on: stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
___________________________________________________________________
Name: svn:keywords
   + Id Revision
Name: svn:eol-style
   + LF

Added: stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
===================================================================
--- stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java	                        (rev 0)
+++ stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java	2009-01-07 11:25:21 UTC (rev 8977)
@@ -0,0 +1,69 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+import junit.framework.Test;
+
+import org.jboss.wsf.test.JBossWSTest;
+import org.jboss.wsf.test.JBossWSTestSetup;
+
+
+/**
+ * Disallow access to directories other than "data/wsdl"
+ * 
+ * http://jira.jboss.org/jira/browse/JBWS-2437
+ *
+ * @author mageshbk at jboss.com
+ * @since 04-Jan-2009
+ */
+public class JBWS2437TestCase extends JBossWSTest
+{
+   public final String WSDL_LOCATION = "http://" + getServerHost() + ":8080/jaxws-jbws2437?wsdl";
+   public final String WSDL_RESOURCE = "&resource=../../ejb-deployer.xml";
+
+   public static Test suite() throws Exception
+   {
+      return new JBossWSTestSetup(JBWS2437TestCase.class, "jaxws-jbws2437.jar");
+   }
+
+   public void testWSDLAccess() throws Exception
+   {
+      HttpURLConnection connection = (HttpURLConnection)new URL(WSDL_LOCATION).openConnection();
+      InputStream in = connection.getInputStream();
+      int fileSize = in.available();
+      in.close();
+      assertTrue("WSDL cannot be accessed", fileSize > 0);
+   }
+
+   public void testOtherFileAccess() throws Exception
+   {
+      HttpURLConnection connection = (HttpURLConnection)new URL(WSDL_LOCATION + WSDL_RESOURCE).openConnection();
+      InputStream in = connection.getInputStream();
+      int fileSize = in.available();
+      in.close();
+      assertTrue("Unrestricted access to xml files found", fileSize == 0);
+   }
+}
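Review bot: `testOtherFileAccess` (lines 269–276) decides the outcome from `in.available()`, which only reports bytes that can be read without blocking and is not a measure of the response body, so the negative assertion `fileSize == 0` can pass or fail depending on buffering rather than on whether the file was served. It also presumes `getInputStream()` returns a stream at all; if the server maps the handler's `IOException` to an HTTP error status, `getInputStream()` throws and the test errors before reaching the assertion. Checking the status code is deterministic: `int status = connection.getResponseCode();` followed by `assertTrue("Unrestricted access to xml files found", status != HttpURLConnection.HTTP_OK);`. The same `available()` concern applies to the positive check in `testWSDLAccess` at line 264, where reading the body to its end (or asserting `HTTP_OK`) would be the reliable form.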


Property changes on: stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
___________________________________________________________________
Name: svn:keywords
   + Id Revision
Name: svn:eol-style
   + LF



