SDO Deserialization fix (#695)

This SDO deserialization fix with unit test.
There are some new MOXy unit tests.

Signed-off-by: Radek Felcman <[email protected]>

foundation/org.eclipse.persistence.core/src/org/eclipse/persistence/internal/localization/i18n/LoggingLocalizationResource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2020 Oracle and/or its affiliates. All rights reserved.
  * Copyright (c) 1998, 2017 IBM Corporation and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
@@ -410,6 +410,7 @@ public class LoggingLocalizationResource extends ListResourceBundle {
         { "sdo_missing_schemaLocation", "Referenced schema with uri {0} could not be processed because no schemaLocation attribute was specified."},
         { "sdo_invalid_schemaLocation", "Could not create schemaLocation [{0}] for import with uri [{1}]."},
         { "sdo_error_processing_referenced_schema", "An {0} occurred processing referenced schema with uri {1} with schemaLocation {2}."},
+        { "sdo_error_deserialization", "Unauthorized deserialization attempt with class {0}."},
         { "ox_turn_global_logging_off", " {0} Turning global session logging off."},
         { "ox_lowering_global_logging_from_default_info_to_warning", " {0} Lowering global logging from default INFO to WARNING level."},
         { "ox_turn_session_logging_off", " {0} Turning session logging off."},

moxy/eclipselink.moxy.test/resource/org/eclipse/persistence/testing/jaxb/security/xss/xssExternalEntity.txt

@@ -0,0 +1 @@
+abcde

moxy/eclipselink.moxy.test/resource/org/eclipse/persistence/testing/jaxb/security/xss/xssExternalEntity.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding ="UTF-8"?>
+<!--
+
+    Copyright (c) 2020 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0 which is available at
+    http://www.eclipse.org/legal/epl-2.0,
+    or the Eclipse Distribution License v. 1.0 which is available at
+    http://www.eclipse.org/org/documents/edl-v10.php.
+
+    SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+
+-->
+
+<!DOCTYPE myroot[
+        <!ELEMENT myroot (elem1)>
+        <!ELEMENT elem1 (#PCDATA)>
+        <!ENTITY x1 SYSTEM "xssExternalEntity.txt">
+        ]>
+<myroot>
+   <elem1>&x1;</elem1>
+</myroot>

moxy/eclipselink.moxy.test/resource/org/eclipse/persistence/testing/jaxb/security/xss/xssExternalParameterEntity.txt

@@ -0,0 +1 @@
+<!ELEMENT elem1 (#PCDATA)>

moxy/eclipselink.moxy.test/resource/org/eclipse/persistence/testing/jaxb/security/xss/xssExternalParameterEntity.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding ="UTF-8"?>
+<!--
+
+    Copyright (c) 2020 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0 which is available at
+    http://www.eclipse.org/legal/epl-2.0,
+    or the Eclipse Distribution License v. 1.0 which is available at
+    http://www.eclipse.org/org/documents/edl-v10.php.
+
+    SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+
+-->
+
+<!DOCTYPE myroot[
+        <!ENTITY % x1 SYSTEM "xssExternalParameterEntity.txt">
+        <!ELEMENT myroot (elem1)>
+        %x1;
+        ]>
+<myroot>
+   <elem1>abcde</elem1>
+</myroot>

moxy/eclipselink.moxy.test/resource/org/eclipse/persistence/testing/jaxb/security/xss/xssNestedEntities.xml

@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding ="UTF-8"?>
+<!--
+
+    Copyright (c) 2020 Oracle and/or its affiliates. All rights reserved.
+
+    This program and the accompanying materials are made available under the
+    terms of the Eclipse Public License v. 2.0 which is available at
+    http://www.eclipse.org/legal/epl-2.0,
+    or the Eclipse Distribution License v. 1.0 which is available at
+    http://www.eclipse.org/org/documents/edl-v10.php.
+
+    SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+
+-->
+
+<!DOCTYPE myroot[
+        <!ELEMENT myroot (elem1)>
+        <!ELEMENT elem1 (#PCDATA)>
+        <!ENTITY x100 "data1">
+        <!ENTITY  x99 "&x100;&x100;">
+        <!ENTITY  x98 "&x99;&x99;">
+        <!ENTITY  x97 "&x98;&x98;">
+        <!ENTITY  x96 "&x97;&x97;">
+        <!ENTITY  x95 "&x96;&x96;">
+        <!ENTITY  x94 "&x95;&x95;">
+        <!ENTITY  x93 "&x94;&x94;">
+        <!ENTITY  x92 "&x93;&x93;">
+        <!ENTITY  x91 "&x92;&x92;">
+        <!ENTITY  x90 "&x91;&x91;">
+        <!ENTITY  x89 "&x90;&x90;">
+        <!ENTITY  x88 "&x89;&x89;">
+        <!ENTITY  x87 "&x88;&x88;">
+        <!ENTITY  x86 "&x87;&x87;">
+        <!ENTITY  x85 "&x86;&x86;">
+        <!ENTITY  x84 "&x85;&x85;">
+        <!ENTITY  x83 "&x84;&x84;">
+        <!ENTITY  x82 "&x83;&x83;">
+        <!ENTITY  x81 "&x82;&x82;">
+        <!ENTITY  x80 "&x81;&x81;">
+        <!ENTITY  x79 "&x80;&x80;">
+        <!ENTITY  x78 "&x79;&x79;">
+        <!ENTITY  x77 "&x78;&x78;">
+        <!ENTITY  x76 "&x77;&x77;">
+        <!ENTITY  x75 "&x76;&x76;">
+        <!ENTITY  x74 "&x75;&x75;">
+        <!ENTITY  x73 "&x74;&x74;">
+        <!ENTITY  x72 "&x73;&x73;">
+        <!ENTITY  x71 "&x72;&x72;">
+        <!ENTITY  x70 "&x71;&x71;">
+        <!ENTITY  x69 "&x70;&x70;">
+        <!ENTITY  x68 "&x69;&x69;">
+        <!ENTITY  x67 "&x68;&x68;">
+        <!ENTITY  x66 "&x67;&x67;">
+        <!ENTITY  x65 "&x66;&x66;">
+        <!ENTITY  x64 "&x65;&x65;">
+        <!ENTITY  x63 "&x64;&x64;">
+        <!ENTITY  x62 "&x63;&x63;">
+        <!ENTITY  x61 "&x62;&x62;">
+        <!ENTITY  x60 "&x61;&x61;">
+        <!ENTITY  x59 "&x60;&x60;">
+        <!ENTITY  x58 "&x59;&x59;">
+        <!ENTITY  x57 "&x58;&x58;">
+        <!ENTITY  x56 "&x57;&x57;">
+        <!ENTITY  x55 "&x56;&x56;">
+        <!ENTITY  x54 "&x55;&x55;">
+        <!ENTITY  x53 "&x54;&x54;">
+        <!ENTITY  x52 "&x53;&x53;">
+        <!ENTITY  x51 "&x52;&x52;">
+        <!ENTITY  x50 "&x51;&x51;">
+        <!ENTITY  x49 "&x50;&x50;">
+        <!ENTITY  x48 "&x49;&x49;">
+        <!ENTITY  x47 "&x48;&x48;">
+        <!ENTITY  x46 "&x47;&x47;">
+        <!ENTITY  x45 "&x46;&x46;">
+        <!ENTITY  x44 "&x45;&x45;">
+        <!ENTITY  x43 "&x44;&x44;">
+        <!ENTITY  x42 "&x43;&x43;">
+        <!ENTITY  x41 "&x42;&x42;">
+        <!ENTITY  x40 "&x41;&x41;">
+        <!ENTITY  x39 "&x40;&x40;">
+        <!ENTITY  x38 "&x39;&x39;">
+        <!ENTITY  x37 "&x38;&x38;">
+        <!ENTITY  x36 "&x37;&x37;">
+        <!ENTITY  x35 "&x36;&x36;">
+        <!ENTITY  x34 "&x35;&x35;">
+        <!ENTITY  x33 "&x34;&x34;">
+        <!ENTITY  x32 "&x33;&x33;">
+        <!ENTITY  x31 "&x32;&x32;">
+        <!ENTITY  x30 "&x31;&x31;">
+        <!ENTITY  x29 "&x30;&x30;">
+        <!ENTITY  x28 "&x29;&x29;">
+        <!ENTITY  x27 "&x28;&x28;">
+        <!ENTITY  x26 "&x27;&x27;">
+        <!ENTITY  x25 "&x26;&x26;">
+        <!ENTITY  x24 "&x25;&x25;">
+        <!ENTITY  x23 "&x24;&x24;">
+        <!ENTITY  x22 "&x23;&x23;">
+        <!ENTITY  x21 "&x22;&x22;">
+        <!ENTITY  x20 "&x21;&x21;">
+        <!ENTITY  x19 "&x20;&x20;">
+        <!ENTITY  x18 "&x19;&x19;">
+        <!ENTITY  x17 "&x18;&x18;">
+        <!ENTITY  x16 "&x17;&x17;">
+        <!ENTITY  x15 "&x16;&x16;">
+        <!ENTITY  x14 "&x15;&x15;">
+        <!ENTITY  x13 "&x14;&x14;">
+        <!ENTITY  x12 "&x13;&x13;">
+        <!ENTITY  x11 "&x12;&x12;">
+        <!ENTITY  x10 "&x11;&x11;">
+        <!ENTITY  x9 "&x10;&x10;">
+        <!ENTITY  x8 "&x9;&x9;">
+        <!ENTITY  x7 "&x8;&x8;">
+        <!ENTITY  x6 "&x7;&x7;">
+        <!ENTITY  x5 "&x6;&x6;">
+        <!ENTITY  x4 "&x5;&x5;">
+        <!ENTITY  x3 "&x4;&x4;">
+        <!ENTITY  x2 "&x3;&x3;">
+        <!ENTITY  x1 "&x2;&x2;">
+        ]>
+<myroot>
+   <elem1>&x1;</elem1>
+</myroot>

moxy/eclipselink.moxy.test/src/org/eclipse/persistence/testing/jaxb/JAXBTestSuite3.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2018 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Public License v. 2.0 which is available at
@@ -32,6 +32,7 @@
 import org.eclipse.persistence.testing.jaxb.prefixmapper.PrefixMapperTestCases;
 import org.eclipse.persistence.testing.jaxb.properties.PropertyTestCases;
 import org.eclipse.persistence.testing.jaxb.readonly.ReadAndWriteOnlyTestCases;
+import org.eclipse.persistence.testing.jaxb.security.xss.SecurityXSSTestCases;
 import org.eclipse.persistence.testing.jaxb.stax.XMLStreamReaderEndEventTestCases;
 import org.eclipse.persistence.testing.jaxb.stax.XMLStreamWriterDefaultNamespaceTestCases;
 import org.eclipse.persistence.testing.jaxb.unmapped.UnmappedElementsWarningTestCases;
@@ -145,6 +146,7 @@ public static Test suite() {
         suite.addTestSuite(URITestCases.class);
         suite.addTestSuite(PropertyTestCases.class);
         suite.addTestSuite(UnmappedElementsWarningTestCases.class);
+        suite.addTestSuite(SecurityXSSTestCases.class);
 
         return suite;
     }

moxy/eclipselink.moxy.test/src/org/eclipse/persistence/testing/jaxb/security/xss/MyRoot.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0,
+ * or the Eclipse Distribution License v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+// Contributors:
+//     Oracle - initial API and implementation
+package org.eclipse.persistence.testing.jaxb.security.xss;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement(name = "myroot")
+public class MyRoot {
+
+    private String elem1;
+
+    public MyRoot() {
+    }
+
+    public MyRoot(String elem1) {
+        this.elem1 = elem1;
+    }
+
+    @XmlElement(name = "elem1")
+    public String getElem1() {
+        return elem1;
+    }
+
+    public void setElem1(String elem1) {
+        this.elem1 = elem1;
+    }
+
+    @Override
+    public String toString() {
+        return "MyRoot{" +
+                "elem1='" + elem1 + '\'' +
+                '}';
+    }
+}

moxy/eclipselink.moxy.test/src/org/eclipse/persistence/testing/jaxb/security/xss/SecurityXSSTestCases.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0,
+ * or the Eclipse Distribution License v. 1.0 which is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
+ */
+
+// Contributors:
+//     Oracle - initial API and implementation
+package org.eclipse.persistence.testing.jaxb.security.xss;
+
+import junit.framework.TestCase;
+
+import javax.xml.bind.*;
+import java.io.File;
+import java.util.HashMap;
+
+public class SecurityXSSTestCases extends TestCase {
+
+    private static final String XML_DOCUMENT_NESTED_ENTITIES = "org/eclipse/persistence/testing/jaxb/security/xss/xssNestedEntities.xml";
+    private static final String XML_DOCUMENT_EXTERNAL_ENTITIES = "org/eclipse/persistence/testing/jaxb/security/xss/xssExternalEntity.xml";
+    private static final String XML_DOCUMENT_EXTERNAL_PARAMETER_ENTITIES = "org/eclipse/persistence/testing/jaxb/security/xss/xssExternalParameterEntity.xml";
+    private static final Class<?>[] DOMAIN_CLASSES = new Class<?>[]{MyRoot.class};
+
+    private JAXBContext jaxbContext;
+    private Unmarshaller unmarshaller;
+
+    public SecurityXSSTestCases(String name) {
+        super(name);
+    }
+
+    public void testSecurityXSSExternalEntities() {
+        unmarshallDocument(XML_DOCUMENT_EXTERNAL_ENTITIES);
+    }
+
+    public void testSecurityXSSExternalParameterEntities() {
+        unmarshallDocument(XML_DOCUMENT_EXTERNAL_PARAMETER_ENTITIES);
+    }
+
+    public void testSecurityXSSNestedEntities() {
+        unmarshallDocument(XML_DOCUMENT_NESTED_ENTITIES);
+    }
+
+    public void setUp() throws Exception {
+        final HashMap<String, Object> contextProperties = new HashMap<>();
+        jaxbContext = JAXBContext.newInstance(DOMAIN_CLASSES, contextProperties);
+        unmarshaller = jaxbContext.createUnmarshaller();
+    }
+
+    private void unmarshallDocument(String fileName) {
+        Object testObject = null;
+        File file = new File(ClassLoader.getSystemResource(fileName).getFile());
+        try {
+            testObject = unmarshaller.unmarshal(file);
+            fail("javax.xml.bind.UnmarshalException was not occured for " + fileName);
+        } catch (UnmarshalException e) {
+            assertNotNull(e);
+        } catch (Exception e) {
+            fail("No expected javax.xml.bind.UnmarshalException was thrown: " + e);
+        }
+        // the deserialized object variable must be null
+        assertNull(testObject);
+    }
+
+
+}