Bug #496536 - Limit scope of bean lookup

Signed-off-by: Petros Splinakis <petros.splinakis@oracle.com>
Reviewed-by: Lukas Jungmann <lukas.jungmann@oracle.com>, Tomas Kraus <tomas.kraus@oracle.com>
diff --git a/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/logging/i18n/LoggingLocalizationResource.java b/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/logging/i18n/LoggingLocalizationResource.java
index fea3873..45fd03c 100644
--- a/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/logging/i18n/LoggingLocalizationResource.java
+++ b/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/logging/i18n/LoggingLocalizationResource.java
@@ -1,5 +1,5 @@
 /****************************************************************************

- * Copyright (c) 2011, 2013 Oracle and/or its affiliates. All rights reserved.

+ * Copyright (c) 2011, 2016 Oracle and/or its affiliates. All rights reserved.
  * This program and the accompanying materials are made available under the

  * terms of the Eclipse Public License v1.0 and Eclipse Distribution License v. 1.0

  * which accompanies this distribution.

@@ -17,6 +17,7 @@
 public class LoggingLocalizationResource extends ListResourceBundle {

 

     static final Object[][] contents = {

+        { "jpars_invalid_jndi_name", "requestId: {0}. A call is being made to a session bean with JNDI Name: [{1}].  That JNDI Name is invalid." },
         { "jpars_could_not_find_session_bean", "A call is being made to a session bean with JNDI Name: [{0}].  That bean can not be found."},

         { "jpars_could_not_find_persistence_context", "A JPA-RS call is requesting persistence context: [{0}].  That persistence context is not found."},

         { "jpars_could_not_find_class_in_persistence_unit", "Type: [{0}] cannot be found in persistence unit: [{1}]."},
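Review bot: The new `jpars_invalid_jndi_name` message declares two placeholders (`{0}` for the request id, `{1}` for the name), but its only caller in this diff, the `JPARSLogger.fine("jpars_invalid_jndi_name", new Object[] { jndiName })` line added to AbstractPersistenceResource, passes a single argument. Unless JPARSLogger.fine prepends the request id as `{0}` — a convention this diff does not show — the name will be formatted into `{0}` and `{1}` will appear literally in the log line. If no such convention exists, either pass the request id as the first element or align the text with the neighbouring entries, e.g. `{ "jpars_invalid_jndi_name", "A call is being made to a session bean with JNDI Name: [{0}].  That JNDI Name is invalid." },`.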

diff --git a/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/resources/common/AbstractPersistenceResource.java b/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/resources/common/AbstractPersistenceResource.java
index 9c2f7be..3d8aba1 100644
--- a/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/resources/common/AbstractPersistenceResource.java
+++ b/dbws/org.eclipse.persistence.dbws/src/org/eclipse/persistence/jpa/rs/resources/common/AbstractPersistenceResource.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2011, 2013 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016 Oracle and/or its affiliates. All rights reserved.
  * This program and the accompanying materials are made available under the 
  * terms of the Eclipse Public License v1.0 and Eclipse Distribution License v. 1.0 
  * which accompanies this distribution. 
@@ -90,6 +90,11 @@
         call = unmarshallSessionBeanCall(is);
 
         String jndiName = call.getJndiName();
+        if (!isValid(jndiName)) {
+            JPARSLogger.fine("jpars_invalid_jndi_name", new Object[] { jndiName });
+            return Response.status(Status.FORBIDDEN).type(StreamingOutputMarshaller.getResponseMediaType(hh)).build();
+        }
+
         javax.naming.Context ctx = new InitialContext();
         Object ans = ctx.lookup(jndiName);
         if (ans == null) {
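Review bot: A rejected JNDI name is logged only at FINE on the `JPARSLogger.fine("jpars_invalid_jndi_name", ...)` line, so in a typical production logging configuration an attempt to steer the container's lookup to a scheme outside the java/ejb allow-list leaves no trace an operator would normally see. Since limiting where a client-supplied name can send the lookup is the purpose of this change, the rejection is worth recording at warning level if JPARSLogger offers one (its API is not visible in this diff). The 403 response is built without an entity, which is reasonable because the name is client-controlled and should not be echoed back; a short comment such as `// Reject names that would route the lookup outside the java:/ejb: namespaces; intentionally no body` would make that intent explicit. The enclosing method starts before this hunk.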
@@ -130,6 +135,16 @@
         return Response.ok(new StreamingOutputMarshaller(null, returnValue, hh.getAcceptableMediaTypes())).build();
     }
 
+    private boolean isValid(String jndiName) {
+        String protocol = null;
+        int colon = jndiName.indexOf(':');
+        int slash = jndiName.indexOf('/');
+        if (colon > 0 && (slash == -1 || colon < slash)) {
+            protocol = jndiName.substring(0, colon);
+        }
+        return protocol == null || protocol.isEmpty() || protocol.equalsIgnoreCase("java") || protocol.equalsIgnoreCase("ejb");
+    }
+
     protected SessionBeanCall unmarshallSessionBeanCall(InputStream data) throws JAXBException {
         Class<?>[] jaxbClasses = new Class[] { SessionBeanCall.class };
         JAXBContext context = (JAXBContext) JAXBContextFactory.createContext(jaxbClasses, null);
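Review bot: `isValid` dereferences `jndiName` at `jndiName.indexOf(':')` without a null check, and `call.getJndiName()` on an unmarshalled payload can presumably be null when the element is absent, which would turn the new guard into a NullPointerException before the lookup is ever reached. Returning false for null keeps the allow-list semantics: add `if (jndiName == null) { return false; }` as the first statement, or test `jndiName == null || !isValid(jndiName)` at the call site. The method reads no instance state and could be `private static`, and the `protocol.isEmpty()` test is redundant because `colon > 0` already guarantees a non-empty prefix. It also deserves a Javadoc stating that the scheme is detected the way `javax.naming.InitialContext` appears to decide whether a name is a URL (a colon before any slash) and that only an absent scheme or `java`/`ejb` is accepted, so later maintainers do not widen the list casually.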