Merge pull request #2558 from kavya-shastri/XSDLookUpUpdate

[XSDLookUp] Updated entity resolver to not fallback to network lookup when xsd is not found
liquibase · Mar 1, 2022 · 51d290f · 51d290f
2 parents 512581f + 54e15c7
commit 51d290f
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 4 deletions.
diff --git a/liquibase-core/src/main/java/liquibase/parser/core/xml/LiquibaseEntityResolver.java b/liquibase-core/src/main/java/liquibase/parser/core/xml/LiquibaseEntityResolver.java
@@ -1,8 +1,11 @@
 package liquibase.parser.core.xml;
 
+import liquibase.GlobalConfiguration;
 import liquibase.Scope;
 import liquibase.logging.Logger;
-import liquibase.resource.*;
+import liquibase.resource.ClassLoaderResourceAccessor;
+import liquibase.resource.InputStreamList;
+import liquibase.resource.ResourceAccessor;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.ext.EntityResolver2;
@@ -34,13 +37,17 @@ public InputSource resolveEntity(String name, String publicId, String baseURI, S
                 .replace("http://www.liquibase.org/xml/ns/migrator/", "http://www.liquibase.org/xml/ns/dbchangelog/")
                 .replaceFirst("https?://", "");
 
-
         ResourceAccessor resourceAccessor = Scope.getCurrentScope().getResourceAccessor();
         InputStreamList streams = resourceAccessor.openStreams(null, path);
         if (streams.isEmpty()) {
             streams = getFallbackResourceAccessor().openStreams(null, path);
 
-            if (streams.isEmpty()) {
+            if (streams.isEmpty() && GlobalConfiguration.SECURE_PARSING.getCurrentValue()) {
+                String errorMessage = "Unable to resolve xml entity " + systemId + " locally: " +
+                        GlobalConfiguration.SECURE_PARSING.getKey() + " is set to 'true' which does not allow remote lookups. " +
+                        "Set it to 'false' to allow remote lookups of xsd files.";
+                throw new XSDLookUpException(errorMessage);
+            } else {
                 log.fine("Unable to resolve XML entity locally. Will load from network.");
                 return null;
             }

diff --git a/liquibase-core/src/main/java/liquibase/parser/core/xml/XSDLookUpException.java b/liquibase-core/src/main/java/liquibase/parser/core/xml/XSDLookUpException.java
@@ -0,0 +1,9 @@
+package liquibase.parser.core.xml;
+
+public class XSDLookUpException extends RuntimeException{
+
+    public XSDLookUpException(String message) {
+        super(message);
+    }
+
+}
diff --git a/liquibase-core/src/test/groovy/liquibase/parser/core/xml/XMLChangeLogSAXParserTest.groovy b/liquibase-core/src/test/groovy/liquibase/parser/core/xml/XMLChangeLogSAXParserTest.groovy
@@ -83,7 +83,7 @@ class XMLChangeLogSAXParserTest extends Specification {
 
         then:
         def e = thrown(ChangeLogParseException)
-        e.message.contains("access is not allowed due to restriction set by the accessExternalDTD property")
+        e.message.contains("Unable to resolve xml entity file:///invalid.txt locally: liquibase.secureParsing is set to 'true' which does not allow remote lookups. Set it to 'false' to allow remote lookups of xsd files")
     }
 
     def "allows liquibase.secureParsing=false to disable secure parsing"() {