diff -Nurb resteasy-2.3.5.Final.orig/arquillian/pom.xml resteasy-2.3.5.Final/arquillian/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/pom.xml	2014-07-25 15:36:38.637079327 -0400
+++ resteasy-2.3.5.Final/arquillian/pom.xml	2014-07-25 15:52:17.575397163 -0400
@@ -15,6 +15,7 @@
         <!--module>RESTEASY-736-as71</module-->
         <module>RESTEASY-752-jetty</module>
         <module>RESTEASY-760-jetty</module>
+        <module>RESTEASY-1073-WF8</module>
     </modules>
     
     <artifactId>arquillian</artifactId>
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml	2014-07-25 15:38:04.783298392 -0400
@@ -0,0 +1,189 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.jboss.resteasy</groupId>
+    <artifactId>resteasy-jaxrs-all</artifactId>
+    <version>3.0.8.Final</version>
+    <relativePath>../../pom.xml</relativePath>
+  </parent>
+
+  <artifactId>RESTEASY-1073-WF8</artifactId>
+  <packaging>jar</packaging>
+  <name>RESTEASY-1073-WF8</name>
+  <url>http://maven.apache.org</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <as-version>8.0.0.Final</as-version>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>2.3.2</version>
+        <configuration>
+          <source>1.6</source>
+          <target>1.6</target>
+        </configuration>
+      </plugin>
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>2.12</version>
+      </plugin>
+        <plugin>
+            <artifactId>maven-dependency-plugin</artifactId>
+            <executions>
+                <execution>
+                    <id>unpack</id>
+                    <phase>process-test-classes</phase>
+                    <goals>
+                        <goal>unpack</goal>
+                    </goals>
+                    <configuration>
+                        <artifactItems>
+                            <artifactItem>
+                                <groupId>org.wildfly</groupId>
+                                <artifactId>wildfly-dist</artifactId>
+                                <version>${as-version}</version>
+                                <type>zip</type>
+                                <overWrite>false</overWrite>
+                                <outputDirectory>target</outputDirectory>
+                            </artifactItem>
+                        </artifactItems>
+                    </configuration>
+                </execution>
+            </executions>
+        </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-antrun-plugin</artifactId>
+        <version>1.6</version>
+        <executions>
+          <execution>
+            <id>unpack resteasy</id>
+            <phase>process-test-classes</phase>
+            <configuration>
+              <target>
+                <unzip src="../../jboss-modules/target/resteasy-jboss-modules-wf8-${project.version}.zip"
+                       dest="${project.build.directory}/wildfly-${as-version}/modules/system/layers/base"
+                       overwrite="true" />
+              </target>
+            </configuration>
+            <goals>
+              <goal>run</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      
+     <plugin>
+       <groupId>org.apache.maven.plugins</groupId>
+       <artifactId>maven-war-plugin</artifactId>
+       <configuration>
+          <archive>
+             <manifestEntries>
+                <Dependencies>
+                javax.xml.bind.api
+                </Dependencies>
+             </manifestEntries>
+          </archive>
+       </configuration>
+     </plugin>
+     
+    </plugins>
+  </build>
+  
+<dependencyManagement>
+    <dependencies>
+        <dependency>
+            <groupId>org.jboss.arquillian</groupId>
+            <artifactId>arquillian-bom</artifactId>
+            <version>1.0.3.Final</version>
+            <scope>import</scope>
+            <type>pom</type>
+        </dependency>
+    </dependencies>
+</dependencyManagement>
+  
+  <dependencies>
+    <dependency>
+        <groupId>org.jboss.spec</groupId>
+        <artifactId>jboss-javaee-6.0</artifactId>
+        <version>1.0.0.Final</version>
+        <type>pom</type>
+        <scope>provided</scope>
+    </dependency>
+    <dependency>
+        <groupId>junit</groupId>
+        <artifactId>junit</artifactId>
+        <version>4.8.1</version>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.jboss.arquillian.junit</groupId>
+        <artifactId>arquillian-junit-container</artifactId>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.wildfly</groupId>
+        <artifactId>wildfly-arquillian-container-managed</artifactId>
+        <version>8.0.0.Alpha1</version>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.jboss.arquillian.protocol</groupId>
+        <artifactId>arquillian-protocol-servlet</artifactId>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.jboss.resteasy</groupId>
+        <artifactId>jaxrs-api</artifactId>
+        <version>${project.version}</version>
+    </dependency>
+    <dependency>
+        <groupId>org.jboss.resteasy</groupId>
+        <artifactId>resteasy-jaxrs</artifactId>
+        <version>${project.version}</version>
+    </dependency>
+    <dependency>
+        <groupId>org.jboss.resteasy</groupId>
+        <artifactId>resteasy-validator-provider-11</artifactId>
+        <version>${project.version}</version>
+    </dependency>
+    <dependency>
+        <groupId>javax.validation</groupId>
+        <artifactId>validation-api</artifactId>
+        <version>1.1.0.Final</version>
+    </dependency>
+    <dependency>
+        <groupId>org.hibernate</groupId>
+        <artifactId>hibernate-validator</artifactId>
+        <version>5.0.1.Final</version>
+    </dependency>
+    <dependency>
+        <groupId>javax.el</groupId>
+        <artifactId>javax.el-api</artifactId>
+        <version>2.2.4</version>
+    </dependency>
+    <dependency>
+        <groupId>org.glassfish.web</groupId>
+        <artifactId>javax.el</artifactId>
+        <version>2.2.4</version>
+    </dependency>
+<dependency>
+  <groupId>org.jboss.spec.javax.xml.bind</groupId>
+  <artifactId>jboss-jaxb-api_2.2_spec</artifactId>
+  <version>1.0.4.Final</version>
+</dependency>
+    <dependency>
+        <groupId>org.jboss.resteasy</groupId>
+        <artifactId>resteasy-jaxb-provider</artifactId>
+        <version>${project.version}</version>
+        <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
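Review bot: The `<parent>` block pins `<version>3.0.8.Final</version>`, yet the patch paths show this module being added to a resteasy-2.3.5.Final tree, so the `../../pom.xml` it points at presumably declares a different version. If so, Maven will not use the relativePath parent and will try to resolve 3.0.8.Final from a repository instead. Every `${project.version}` below (the jboss-modules zip name, jaxrs-api, resteasy-jaxrs, resteasy-validator-provider-11, resteasy-jaxb-provider) would then refer to 3.0.8.Final artifacts rather than the build being patched, and the regression test would not exercise the patched unmarshaller. The parent version should match whatever `../../pom.xml` declares. Separately, `wildfly-arquillian-container-managed` is fixed at `8.0.0.Alpha1` while the server is `${as-version}` (8.0.0.Final); `<version>${as-version}</version>` would keep the adapter and the server in step.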
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java	2014-07-25 15:40:28.833658314 -0400
@@ -0,0 +1,16 @@
+package org.jboss.resteasy.resteasy1073;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.ws.rs.core.Application;
+
+public class TestApplication extends Application
+{
+   @Override
+   public Set<Class<?>> getClasses() {
+      HashSet<Class<?>> set = new HashSet<Class<?>>();
+      set.add(TestResource.class);
+      return set;
+   }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java	2014-07-25 15:41:14.393770993 -0400
@@ -0,0 +1,26 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.MediaType;
+
+/**
+* RESTEASY-1073
+*
+* @author <a href="ron.sigal@jboss.com">Ron Sigal</a>
+* @version $Revision: 1.1 $
+*
+* Copyright July 19, 2014
+*/
+@Path("")
+public class TestResource
+{
+   @POST
+   @Path("test")
+   @Consumes(MediaType.APPLICATION_XML)
+   public String post(TestWrapper wrapper)
+   {
+      return wrapper.getName();
+   }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java	2014-07-25 15:41:52.762865571 -0400
@@ -0,0 +1,17 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement
+public class TestWrapper
+{
+   private String name;
+   public String getName()
+   {
+      return name;
+   }
+   public void setName(String name)
+   {
+      this.name = name;
+   }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java	2014-07-25 15:43:11.465058832 -0400
@@ -0,0 +1,96 @@
+package org.jboss.resteasy.test.resteasy1073;
+
+import java.io.File;
+
+import javax.ws.rs.core.MediaType;
+
+import junit.framework.Assert;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.resteasy.client.ClientRequest;
+import org.jboss.resteasy.client.ClientResponse;
+import org.jboss.resteasy.resteasy1073.TestApplication;
+import org.jboss.resteasy.resteasy1073.TestResource;
+import org.jboss.resteasy.resteasy1073.TestWrapper;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * RESTEASY-1073.
+ * 
+ * @author <a href="ron.sigal@jboss.com">Ron Sigal</a>
+ * @version $Revision: 1.1 $
+ *
+ * Created July 19, 2014
+ */
+@RunWith(Arquillian.class)
+public class TestExternalParameterEntity
+{  
+   @Deployment(name="war_expand", order=1)
+   public static Archive<?> createTestArchive1()
+   {
+      WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-expand.war")
+            .addClasses(TestApplication.class)
+            .addClasses(TestResource.class, TestWrapper.class)
+            .addAsWebInfResource("web_expand.xml", "web.xml")
+            ;
+      System.out.println(war.toString(true));
+      return war;
+   }
+
+   @Deployment(name="war_no_expand", order=2)
+   public static Archive<?> createTestArchive2()
+   {
+      WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-no-expand.war")
+            .addClasses(TestApplication.class)
+            .addClasses(TestResource.class, TestWrapper.class)
+            .addAsWebInfResource("web_no_expand.xml", "web.xml")
+            ;
+      System.out.println(war.toString(true));
+      return war;
+   }
+   
+   private String passwdFile = new File("src/test/resources/passwd").getAbsolutePath();
+   private String dtdFile = new File("src/test/resources/test.dtd").getAbsolutePath();
+      
+   private String text =
+"<!DOCTYPE foo [\r" +
+"  <!ENTITY % file SYSTEM \"" + passwdFile + "\">\r" +
+"  <!ENTITY % start \"<![CDATA[\">\r" + 
+"  <!ENTITY % end \"]]>\">\r" +
+"  <!ENTITY % dtd SYSTEM \"" + dtdFile + "\">\r" +
+"%dtd;\r" +
+"]>\r" +
+"<testWrapper><name>&xxe;</name></testWrapper>";
+   
+   @Test
+   public void testExternalParameterEntityExpand() throws Exception
+   {
+      ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-expand/test");
+      System.out.println(text);
+      request.body(MediaType.APPLICATION_XML, text);
+      ClientResponse<?> response = request.post();
+      Assert.assertEquals(200, response.getStatus());
+      String entity = response.getEntity(String.class);
+      System.out.println("Result: " + entity);
+      Assert.assertEquals("root:x:0:0:root:/root:/bin/bash", entity.trim());
+   }
+   
+   @Test
+   public void testExternalParameterEntityNoExpand() throws Exception
+   {
+      ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-no-expand/test");
+      System.out.println(text);
+      request.body(MediaType.APPLICATION_XML, text);
+      ClientResponse<?> response = request.post();
+      Assert.assertEquals(200, response.getStatus());
+      String entity = response.getEntity(String.class);
+      System.out.println("Result: " + entity);
+      Assert.assertEquals("", entity.trim());
+   }
+}
+
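Review bot: Both deployments set `resteasy.document.expand.entity.references` explicitly (`web_expand.xml` and `web_no_expand.xml`), so nothing in this class pins the behaviour when the parameter is absent, which is how most applications are deployed. A third deployment whose web.xml omits the context-param, with a test that makes the same `Assert.assertEquals("", entity.trim());` check against it, would catch a regression in the default. Separately, `junit.framework.Assert` is the JUnit 3 class; since `org.junit.Test` is already used, `import org.junit.Assert;` is the matching import.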
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml	2014-07-25 15:44:43.551284000 -0400
@@ -0,0 +1,23 @@
+<arquillian xmlns="http://jboss.org/schema/arquillian"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+http://jboss.org/schema/arquillian
+http://jboss.org/schema/arquillian/arquillian_1_0.xsd">
+    
+   <!-- Force the use of the Servlet 3.0 protocol with all containers, as it is the most mature -->
+   <defaultProtocol type="Servlet 3.0" />
+   
+    <engine>
+        <property name="deploymentExportPath">target/deployments</property>
+    </engine>
+   
+   <container qualifier="jbossas-managed" default="true">
+     <configuration>
+       <property name="jbossHome">target/wildfly-8.0.0.Final</property>
+       <!--property name="javaHome">/opt/local/java/jdk1.7.0_21</property-->
+       <property name="serverConfig">standalone-full.xml</property>
+       <!-- Uncomment next line to run server in debug mode. -->
+       <!--property name="javaVmArguments">-Xmx512m -XX:MaxPermSize=128m -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=y</property-->
+     </configuration>
+   </container>
+</arquillian>
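Review bot: `jbossHome` hard-codes `target/wildfly-8.0.0.Final`, duplicating the `<as-version>` property that the module's pom.xml uses for both unpack steps. Bumping the property alone would leave Arquillian pointing at a directory that is never created. Nothing in the patch shows this resource being filtered, so the minimal fix is a comment next to the property, such as `<!-- keep in sync with as-version in pom.xml -->`. Enabling resource filtering and writing `target/wildfly-${as-version}` would remove the duplication altogether.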
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd	2014-07-25 15:49:38.648001614 -0400
@@ -0,0 +1 @@
+root:x:0:0:root:/root:/bin/bash
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd	2014-07-25 15:50:14.822089344 -0400
@@ -0,0 +1 @@
+<!ENTITY xxe "%start; %file; %end;">
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml	2014-07-25 15:50:50.589177751 -0400
@@ -0,0 +1,29 @@
+<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
+
+    <display-name>RESTEASY-1073-Expand</display-name>
+
+    <context-param>
+       <param-name>resteasy.document.expand.entity.references</param-name>
+       <param-value>true</param-value>
+    </context-param>
+    
+    <servlet>
+        <servlet-name>Resteasy</servlet-name>
+
+        <servlet-class>
+            org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
+        </servlet-class>
+        <init-param>
+            <param-name>javax.ws.rs.Application</param-name>
+            <param-value>org.jboss.resteasy.resteasy1073.TestApplication</param-value>
+        </init-param>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>Resteasy</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+</web-app>
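Review bot: Nothing in this descriptor records that `resteasy.document.expand.entity.references` is set to `true` on purpose, and the file is otherwise identical to `web_no_expand.xml`. A comment above the `<context-param>` would stop it being read or copied as a normal configuration, for example `<!-- Positive control for RESTEASY-1073: expansion is enabled only so the test can observe the entity being resolved -->`.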
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml	1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml	2014-07-25 15:51:27.218270317 -0400
@@ -0,0 +1,29 @@
+<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
+
+    <display-name>RESTEASY-1073-NoExpand</display-name>
+
+    <context-param>
+       <param-name>resteasy.document.expand.entity.references</param-name>
+       <param-value>false</param-value>
+    </context-param>
+     
+    <servlet>
+        <servlet-name>Resteasy</servlet-name>
+
+        <servlet-class>
+            org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
+        </servlet-class>
+        <init-param>
+            <param-name>javax.ws.rs.Application</param-name>
+            <param-value>org.jboss.resteasy.resteasy1073.TestApplication</param-value>
+        </init-param>
+    </servlet>
+
+    <servlet-mapping>
+        <servlet-name>Resteasy</servlet-name>
+        <url-pattern>/*</url-pattern>
+    </servlet-mapping>
+
+</web-app>
diff -Nurb resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
--- resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java	2014-07-25 15:36:38.989080230 -0400
+++ resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java	2014-07-25 15:54:25.056716412 -0400
@@ -150,6 +150,7 @@
           XMLReader xmlReader = XMLReaderFactory.createXMLReader();
           xmlReader.setFeature("http://xml.org/sax/features/validation", false);
           xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+          xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
           SAXSource saxSource = new SAXSource(xmlReader, source);
           return delegate.unmarshal(saxSource);
       }
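Review bot: Both unmarshal hunks (this one and the one at `@@ -188,6 +189,7 @@`) still accept a DOCTYPE. The three features set on `xmlReader` stop external fetches but put no bound on internal entity expansion; whether any limit applies is left to whichever SAX driver `XMLReaderFactory.createXMLReader()` returns. Also setting the JAXP secure-processing feature would request those limits explicitly. A driver that does not recognise it throws, so the call fails closed under the surrounding exception handling, which is outside the hunk. The setup is also repeated line for line in both places, and the enclosing methods start and end outside the hunks, so other overloads may need the same treatment. A single private helper, as sketched below, would keep future hardening flags from being applied to one copy and missed in the other.

```java
// Proposed helper: one place that builds the reader used by every unmarshal overload.
private static XMLReader createHardenedReader() throws SAXException
{
   XMLReader xmlReader = XMLReaderFactory.createXMLReader();
   xmlReader.setFeature("http://xml.org/sax/features/validation", false);
   xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
   xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
   // Requests the implementation's entity-expansion and size limits.
   xmlReader.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
   return xmlReader;
}

// At both call sites shown in the hunks:
XMLReader xmlReader = createHardenedReader();
// … unchanged: SAXSource wiring and delegate.unmarshal(...) …
```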
@@ -188,6 +189,7 @@
             XMLReader xmlReader = XMLReaderFactory.createXMLReader();
             xmlReader.setFeature("http://xml.org/sax/features/validation", false);
             xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             ((SAXSource) source).setXMLReader(xmlReader);
             return delegate.unmarshal(source, declaredType);
          }