From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001
From: Andreas Veithen
Date: Sun, 20 May 2018 20:10:32 +0000
Subject: [PATCH] Correctly escape namespace URIs in namespace declarations.
git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68
---
 .../axis/encoding/SerializationContext.java | 11 ++--
 axis-war/pom.xml | 13 +++++
 .../test/java/org/apache/axis/war/Utils.java | 33 +++++++++++
 .../java/org/apache/axis/war/XssTest.java | 57 +++++++++++++++++++
 .../java/test/httpunit/HttpUnitTestBase.java | 5 +-
 .../org/apache/axis/war/getVersion-xss.xml | 9 +++
 pom.xml | 5 ++
 7 files changed, 125 insertions(+), 8 deletions(-)
 create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java
 create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java
 create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java
index 0cf0ac907..f33ec28df 100644
--- a/src/org/apache/axis/encoding/SerializationContext.java
+++ b/src/org/apache/axis/encoding/SerializationContext.java
@@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes)
 sb.append(':');
 sb.append(map.getPrefix());
 }
- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
+ String qname = sb.toString();
+ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
 writer.write(' ');
- sb.append("=\"");
- sb.append(map.getNamespaceURI());
- sb.append('"');
- writer.write(sb.toString());
+ writer.write(qname);
+ writer.write("=\"");
+ getEncoder().writeEncoded(writer, map.getNamespaceURI());
+ writer.write('"');
 }
 }
 }
diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java b/axis-war/src/test/java/org/apache/axis/war/Utils.java
new file mode 100644
index 000000000..77d03ee25
--- /dev/null
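Review bot: Only the URI half of the declaration goes through the encoder; the prefix is still written raw by `writer.write(qname)`, which is safe only if every `map.getPrefix()` came out of an XML parser (an NCName cannot contain `<`, `"` or `&`) and never from a programmatic registration fed by request data — that is not visible from this hunk, so either route it through `getEncoder().writeEncoded(writer, qname)` as well or record the assumption with a comment such as `// prefix is an NCName; only the URI can carry attacker-controlled characters`. The value is emitted inside a double-quoted attribute, so the fix relies on `writeEncoded` escaping `"` and not just `<`/`&`; the XSS test added in this commit should include a quote in the namespace URI to pin that. `startElement` begins and ends outside this hunk.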
+++ b/org/apache/axis/war/Utils.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis.war;
+
+import static org.junit.Assert.assertNotNull;
+
+public final class Utils {
+ private static String URL_PROPERTY = "test.functional.webapp.url";
+
+ private Utils() {}
+
+ public static String getWebappUrl() {
+ String url = System.getProperty(URL_PROPERTY);
+ assertNotNull(URL_PROPERTY + " not set", url);
+ return url;
+ }
+}
diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java
new file mode 100644
index 000000000..0504e1a8c
--- /dev/null
+++ b/org/apache/axis/war/XssTest.java
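Review bot: `URL_PROPERTY` is named and used as a constant but is declared `private static String`, so it is mutable; it should read `private static final String URL_PROPERTY = "test.functional.webapp.url";`. A short Javadoc on `getWebappUrl` would also help, e.g. `/** Returns the base URL of the deployed test webapp from the test.functional.webapp.url system property; fails the calling test if it is unset. */`, since the build configuration that sets the property is not in this file.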
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis.war;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Test;
+
+public class XssTest {
+ /**
+ * Tests for potential XSS vulnerability in the Version service.
+

+ * The Version service returns a body with whatever namespace URI was used in the request. If
+ * the namespace URI is not properly encoded in the response, then this creates a potential
+ * XSS vulnerability.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testGetVersion() throws Exception {
+ HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection();
+ conn.setDoInput(true);
+ conn.setDoOutput(true);
+ conn.setRequestProperty("SOAPAction", "");
+ conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
+ InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml");
+ OutputStream out = conn.getOutputStream();
+ IOUtils.copy(payload, out);
+ payload.close();
+ out.close();
+ assertThat(conn.getResponseCode()).isEqualTo(200);
+ InputStream in = conn.getInputStream();
+ assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain(" + + + +