I’m getting unit test failures in several tests of org.geoserver.wfs.v1_1.GetFeatureTest due to the following exception which seems to relate to the GEOS-7032 fix

org.xml.sax.SAXException: Entity resolution disallowed for file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd
Entity resolution disallowed for file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

The failures seem to be stateful, depending on the other unit tests being run, which commit I’m on, etc. It’s not as simple (for a rather complicated definition of simple) as one previous test leaving some state in place that breaks the test. There’s some more complicated interaction of different factors going on that I haven’t figured out. The only thing that’s consistent is that the tests will pass when run as part of the full set of GeoServer unit tests, and will pass when run in isolation, regardless of which of my machines, which commit I build from, which JDK I use (Oracle 7, Oracle 8, OpenJDK 7).

in

com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.resolveDocument(XSDDescription, Map, XMLEntityResolver)

it’s trying to look up

…/…/ows/1.0.0/owsAll.xsd

from

jar:file:/home/smithkm/.m2-normal/repository/org/geotools/xsd/gt-xsd-wfs/14-SNAPSHOT/gt-xsd-wfs-14-SNAPSHOT.jar!/org/geotools/wfs/v1_1/wfs.xsd

and then “expanding” that to get

file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

This then runs afoul of the restriction on looking up XSDs from the local file system.

In the non failing case, there’s no attampt to resolve owsAll.xsd in XMLSchemaLoader.resolveDocument at all.

Kevin,

are you seeing these failures in Maven or Eclipse?

If the latter, please refer to the off-list vulnerability discussion "GeoServer XXE bypass ticket". I have included a couple of these below for your convenience.

Is something (like an Eclipse build) copying these resources into a target directory where it is then captured by Eclipse transitive dependency inclusion? Have you built with clean and eclipse:clean and a full workspace clean and rebuild and then an Eclipse restart (and stand up and run around your desk three times)?

Torben, do you expect unit tests to pass in Eclipse?

Kind regards,
Ben.

-------- Forwarded Message --------
Subject: Re: GeoServer XXE bypass ticket
Date: Fri, 03 Jul 2015 07:37:00 +1200
From: Ben Caradoc-Davies <ben@anonymised.com>
[...]
CC: [...] Kevin Smith <ksmith@anonymised.com> [...]

[...]

classpath dependencies are resolved as file: URLs if they are resources
of the current module or project dependencies in Eclipse (i.e. other
GeoServer modules), and as jar: URLs if they are GeoTools module
dependencies in Maven or GeoTools dependencies.

The standard Eclipse setup (GeoServer modules are project dependencies,
GeoTools dependencies are jar files referenced from your Maven repo)
will give different URL types; Maven always resolves dependencies as
jars from the Maven repo, even between GeoServer modules.

You may get more failures in Eclipse! A sneaky solution would be to move
xsd dependencies into GeoTools and then forbid file: URLs.

Kind regards,
Ben.

-------- Forwarded Message --------
Subject: Re: GeoServer XXE bypass ticket
Date: Fri, 03 Jul 2015 09:19:06 +1200
From: Ben Caradoc-Davies <ben@anonymised.com>
[...]
CC: [...] Kevin Smith <ksmith@anonymised.com> [...]

[...]

there is already a copy of wcsAll.xsd in the GeoTools net.opengis.wcs
module:
modules/ogc/net.opengis.wcs/schemas/wcs/1.1.1/wcsAll.xsd

It looks like it was only used for generating the bindings (with
xmlcodegen), and does not appear to be included in the jar for this
module. Including it may introduce more problems as this schema has
cross-source imports, e.g from wcsGeoCoverage.xsd (note ../../):
<import namespace="http://www.opengis.net/ows/1.1&quot;
schemaLocation="../../ows/1.1.0/owsAll.xsd"/>

gt-xml SchemaResolver was written to overcome these problems and to
allow resolution of test dependencies across jar files. It is not just
for downloading schemas.

Kind regards,
Ben.

On 31/07/15 08:40, Kevin Smith wrote:

I'm getting unit test failures in several tests of
org.geoserver.wfs.v1_1.GetFeatureTest due to the following exception
which seems to relate to the GEOS-7032 fix

org.xml.sax.SAXException: Entity resolution disallowed for
file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd
Entity resolution disallowed for
file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

The failures seem to be stateful, depending on the other unit tests
being run, which commit I'm on, etc. It's not as simple (for a rather
complicated definition of simple) as one previous test leaving some
state in place that breaks the test. There's some more complicated
interaction of different factors going on that I haven't figured out.
The only thing that's consistent is that the tests will pass when run as
part of the full set of GeoServer unit tests, and will pass when run in
isolation, regardless of which of my machines, which commit I build
from, which JDK I use (Oracle 7, Oracle 8, OpenJDK 7).

in

com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.resolveDocument(XSDDescription,
Map, XMLEntityResolver)

  it's trying to look up

../../ows/1.0.0/owsAll.xsd

from

jar:file:/home/smithkm/.m2-normal/repository/org/geotools/xsd/gt-xsd-wfs/14-SNAPSHOT/gt-xsd-wfs-14-SNAPSHOT.jar!/org/geotools/wfs/v1_1/wfs.xsd

and then "expanding" that to get

file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

This then runs afoul of the restriction on looking up XSDs from the
local file system.

In the non failing case, there's no attampt to resolve owsAll.xsd in
XMLSchemaLoader.resolveDocument at all.

------------------------------------------------------------------------------

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/&gt;
New Zealand

The tests should pass in eclipse (although I can’t be certain), I moved everything that is viable to move upstream to geotools. Based on the failure, it looks like owsAll.xsd is still in geoserver; maybe try removing the ows module from you eclipse setup then adding it to your build bath as a standalone jar?
The tests should certainly pass in maven, I made sure that all the file resolution stuff would work there.

Torben

Well, removing the OWS project and replacing it with a jar seems to have fixed it in Eclipse. So the tests for the full WFS module now pass in both Eclipse and Maven. When I run larger sets of tests across modules in Maven, I still get a failure because owsAll.xsd is being resolved as a file URL.

org.xml.sax.SAXException: Entity resolution disallowed for file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

–

Kevin Michael Smith

smithkm@anonymised.com

On Thu, Jul 30, 2015, at 02:36 PM, Torben Barsballe wrote:

The tests should pass in eclipse (although I can’t be certain), I moved everything that is viable to move upstream to geotools. Based on the failure, it looks like owsAll.xsd is still in geoserver; maybe try removing the ows module from you eclipse setup then adding it to your build bath as a standalone jar?

The tests should certainly pass in maven, I made sure that all the file resolution stuff would work there.

Torben

On Thu, Jul 30, 2015 at 1:57 PM, Ben Caradoc-Davies <ben@anonymised.com> wrote:

Kevin,

are you seeing these failures in Maven or Eclipse?

If the latter, please refer to the off-list vulnerability discussion “GeoServer XXE bypass ticket”. I have included a couple of these below for your convenience.

Is something (like an Eclipse build) copying these resources into a target directory where it is then captured by Eclipse transitive dependency inclusion? Have you built with clean and eclipse:clean and a full workspace clean and rebuild and then an Eclipse restart (and stand up and run around your desk three times)?

Torben, do you expect unit tests to pass in Eclipse?

Kind regards,

Ben.

-------- Forwarded Message --------

Subject: Re: GeoServer XXE bypass ticket

Date: Fri, 03 Jul 2015 07:37:00 +1200

From: Ben Caradoc-Davies <ben@anonymised.com>

[…]

CC: […] Kevin Smith <ksmith@anonymised.com> […]

[…]

classpath dependencies are resolved as file: URLs if they are resources

of the current module or project dependencies in Eclipse (i.e. other

GeoServer modules), and as jar: URLs if they are GeoTools module

dependencies in Maven or GeoTools dependencies.

The standard Eclipse setup (GeoServer modules are project dependencies,

GeoTools dependencies are jar files referenced from your Maven repo)

will give different URL types; Maven always resolves dependencies as

jars from the Maven repo, even between GeoServer modules.

You may get more failures in Eclipse! A sneaky solution would be to move

xsd dependencies into GeoTools and then forbid file: URLs.

Kind regards,

Ben.

-------- Forwarded Message --------

Subject: Re: GeoServer XXE bypass ticket

Date: Fri, 03 Jul 2015 09:19:06 +1200

From: Ben Caradoc-Davies <ben@anonymised.com>

[…]

CC: […] Kevin Smith <ksmith@anonymised.com> […]

[…]

there is already a copy of wcsAll.xsd in the GeoTools net.opengis.wcs

module:

modules/ogc/net.opengis.wcs/schemas/wcs/1.1.1/wcsAll.xsd

It looks like it was only used for generating the bindings (with

xmlcodegen), and does not appear to be included in the jar for this

module. Including it may introduce more problems as this schema has

cross-source imports, e.g from wcsGeoCoverage.xsd (note …/…/):

<import namespace=“http://www.opengis.net/ows/1.1”

schemaLocation=“…/…/ows/1.1.0/owsAll.xsd”/>

gt-xml SchemaResolver was written to overcome these problems and to

allow resolution of test dependencies across jar files. It is not just

for downloading schemas.

Kind regards,

Ben.

On 31/07/15 08:40, Kevin Smith wrote:

I’m getting unit test failures in several tests of

org.geoserver.wfs.v1_1.GetFeatureTest due to the following exception

which seems to relate to the GEOS-7032 fix

org.xml.sax.SAXException: Entity resolution disallowed for

file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

Entity resolution disallowed for

file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

The failures seem to be stateful, depending on the other unit tests

being run, which commit I’m on, etc. It’s not as simple (for a rather

complicated definition of simple) as one previous test leaving some

state in place that breaks the test. There’s some more complicated

interaction of different factors going on that I haven’t figured out.

The only thing that’s consistent is that the tests will pass when run as

part of the full set of GeoServer unit tests, and will pass when run in

isolation, regardless of which of my machines, which commit I build

from, which JDK I use (Oracle 7, Oracle 8, OpenJDK 7).

in

com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.resolveDocument(XSDDescription,

Map, XMLEntityResolver)

it’s trying to look up

…/…/ows/1.0.0/owsAll.xsd

from

jar:file:/home/smithkm/.m2-normal/repository/org/geotools/xsd/gt-xsd-wfs/14-SNAPSHOT/gt-xsd-wfs-14-SNAPSHOT.jar!/org/geotools/wfs/v1_1/wfs.xsd

and then “expanding” that to get

file:/home/smithkm/og-proj/geoserver/src/ows/target/classes/org/geoserver/ows/xml/v1_0/owsAll.xsd

This then runs afoul of the restriction on looking up XSDs from the

local file system.

In the non failing case, there’s no attampt to resolve owsAll.xsd in

XMLSchemaLoader.resolveDocument at all.

---

---

Geoserver-devel mailing list

Geoserver-devel@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/geoserver-devel

–
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

It surprises me that you still get a failure in maven, especially since the tests pass on ares Jenkins.

Torben

Running locating with a full maven build I make it past the wfs module …

I am getting new failures in WMS but I will start a second thread for that.

On 31/07/15 12:11, Jody Garnett wrote:

I am getting new failures in WMS but I will start a second thread for that.

Here you go. I also see failures.

I see the following failures in gs-wms on OpenJDK 7 on Linux. Travis CI passes for openjdk7. In my experience, OpenJDK is sensitive to antialiasing and system installed fonts. Travis CI runs Ubuntu, and may have more or different fonts.

Failed tests: testIndexedBlackBG(org.geoserver.wms.map.GetMapIntegrationTest): Images are visibly different, found 4717 different pixels, against a threshold of 0
   testIndexed(org.geoserver.wms.map.GetMapIntegrationTest): Images are visibly different, found 4717 different pixels, against a threshold of 0
testTimeElevation(org.geoserver.wms.wms_1_1_1.DimensionsRasterGetMapTest): expected:<java.awt.Color[r=0,g=0,b=0]> but was:<java.awt.Color[r=255,g=255,b=255]>
testElevation(org.geoserver.wms.wms_1_1_1.DimensionsRasterGetMapTest): expected:<java.awt.Color[r=0,g=0,b=0]> but was:<java.awt.Color[r=255,g=255,b=255]>
testTimeRange(org.geoserver.wms.wms_1_1_1.DimensionsRasterGetMapTest): expected:<java.awt.Color[r=0,g=0,b=0]> but was:<java.awt.Color[r=255,g=255,b=255]>
testGetMapValidValue(org.geoserver.wms.wms_1_1_1.DynamicDimensionsTest): expected:<java.awt.Color[r=0,g=0,b=0]> but was:<java.awt.Color[r=255,g=255,b=255]>
testGetMapCaseInsensitiveKey(org.geoserver.wms.wms_1_1_1.DynamicDimensionsTest): expected:<java.awt.Color[r=0,g=0,b=0]> but was:<java.awt.Color[r=255,g=255,b=255]>

Apache Maven 3.2.5 (12a6b3acb947671f09b81f49094c53f426d8cea1; 2014-12-15T06:29:23+13:00)
Maven home: /home/ben/java/maven
Java version: 1.7.0_79, vendor: Oracle Corporation
Java home: /usr/lib/jvm/java-7-openjdk-amd64/jre
Default locale: en_GB, platform encoding: UTF-8
OS name: "linux", version: "4.0.0-2-amd64", arch: "amd64", family: "unix"

Kind regards,

--
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/&gt;
New Zealand

The green blob in the middle is missing for these two tests. This is not a font or antialiasing problem.

On 31/07/15 13:03, Ben Caradoc-Davies wrote:

testIndexedBlackBG(org.geoserver.wms.map.GetMapIntegrationTest): Images
are visibly different, found 4717 different pixels, against a threshold of 0
    testIndexed(org.geoserver.wms.map.GetMapIntegrationTest): Images are
visibly different, found 4717 different pixels, against a threshold of 0

--
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/&gt;
New Zealand

Boundless Jenkins is also failing on these tests. First failing build appears to have been triggered by this GeoTools change:

[GEOT-5175] Allow image mosaic to handle a mix of images in different color models
http://ares.boundlessgeo.com/jenkins/job/geotools-master/776/changes#detail0

Kind regards,
Ben.

On 31/07/15 13:33, Ben Caradoc-Davies wrote:

The green blob in the middle is missing for these two tests. This is not
a font or antialiasing problem.

On 31/07/15 13:03, Ben Caradoc-Davies wrote:

testIndexedBlackBG(org.geoserver.wms.map.GetMapIntegrationTest): Images
are visibly different, found 4717 different pixels, against a threshold of 0
     testIndexed(org.geoserver.wms.map.GetMapIntegrationTest): Images are
visibly different, found 4717 different pixels, against a threshold of 0

--
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/&gt;
New Zealand

On Fri, Jul 31, 2015 at 3:47 AM, Ben Caradoc-Davies <ben@anonymised.com>
wrote:

Boundless Jenkins is also failing on these tests. First failing build
appears to have been triggered by this GeoTools change:

[GEOT-5175] Allow image mosaic to handle a mix of images in different
color models

http://ares.boundlessgeo.com/jenkins/job/geotools-master/776/changes#detail0

Yes, I replied to one of the failed builds and said the same, and that I
would have looked into it today.

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

Aha, yes you did! I should not read email out of order.

On 31/07/15 19:00, Andrea Aime wrote:

Yes, I replied to one of the failed builds and said the same, and that I
would have looked into it today.

--
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/&gt;
New Zealand

It seems the builds are working again

Cheers
Andrea