Spring Integration Issue With Latest XXE Patch and WebSphere 9.0 [SWS-1090] #1156

@gregturn

Will Weyant opened SWS-1090 and commented

When we deployed our application with Spring Integration 5.3.2.RELEASE we discovered that our application failed to deploy to WebSphere 9.0 via script or the console. Deploying via Eclipse worked fine. In the WebSphere SystemOut.log, we found the following error message: "org.springframework.xml.validation.XmlValidationException: Could not create Schema: Failed to load external schema document "wsjar:file:...", because "wsjar" access is not allowed". This occurred when loading XSD files contained in another jar from our interfaces war. The affected versions are the patched versions and later found here: https://github.com/advisories/GHSA-wr5r-m8pc-85j9.

We traced the issue to the org.springframework.xml.validation.SchemaFactoryUtils class called via Jaxp15ValidatorFactory.createValidator(...) and SchemaLoaderUtils.loadSchema(...). The SchemaFactoryUtils.newInstance(...) method has a hard-coded list of protocols (see attached image of code). This list does not include WebSphere's proprietary wsjar protocol.

![attached image of code](https://user-images.githubusercontent.com/33791605/92931312-45bf2e80-f411-11ea-9d0e-bfe2a7f0a51a.jpg)

To resolve our issue, we created a custom XML validator, which adds wsjar to the accepted protocols, and applied it to our int-xml:validating-filter in our integration flow configuration.


Affects: 3.0.6, 3.0.7, 3.0.8, 3.0.9
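
The protocol allow-list behaviour reported above, reproduced with plain JDK JAXP as an added example (not code from the issue or from Spring WS). It assumes the list is enforced through the standard `XMLConstants.ACCESS_EXTERNAL_SCHEMA` property; the class name, helper names and sample schemas are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

public class ExternalSchemaAccessDemo {

    /** Builds a SchemaFactory that may only follow schema references over the listed protocols. */
    static SchemaFactory restrictedFactory(String allowedProtocols) throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Never fetch external DTDs: this is the XXE-relevant hardening.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Comma-separated allow-list applied to xs:import / xs:include targets.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, allowedProtocols);
        return factory;
    }

    /** Returns null if the schema compiled, otherwise the parser's error message. */
    static String tryLoad(Path mainXsd, String allowedProtocols) {
        try {
            restrictedFactory(allowedProtocols).newSchema(new StreamSource(mainXsd.toFile()));
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: main.xsd includes types.xsd from the same directory.
        Path dir = Files.createTempDirectory("xsd-demo");
        Files.writeString(dir.resolve("types.xsd"),
            "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
            + "<xs:simpleType name='Code'><xs:restriction base='xs:string'/></xs:simpleType>"
            + "</xs:schema>");
        Path main = dir.resolve("main.xsd");
        Files.writeString(main,
            "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
            + "<xs:include schemaLocation='types.xsd'/>"
            + "<xs:element name='code' type='Code'/></xs:schema>");

        // Empty list: the include is refused, the same kind of failure as in the report.
        System.out.println("allow \"\"            -> " + tryLoad(main, ""));
        // The scheme actually used is listed, so the schema compiles. A container with
        // its own scheme needs that scheme in the list too (assumption: same property).
        System.out.println("allow file,jar:file -> " + tryLoad(main, "file,jar:file"));
    }
}
```

Keeping `ACCESS_EXTERNAL_DTD` empty while widening only the schema list preserves the XXE hardening; the list should name just the schemes the deployment actually loads XSDs from.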