Add external entity test

Issue: SPR-11376

Author: rstoyanchev

spring-web/src/test/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverterTests.java

@@ -28,11 +28,15 @@
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlType;
+import javax.xml.stream.XMLInputFactory;
 
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.core.ParameterizedTypeReference;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 import org.springframework.http.MockHttpInputMessage;
+import org.springframework.http.converter.HttpMessageConverter;
 
 /**
  * Test fixture for {@link Jaxb2CollectionHttpMessageConverter}.
@@ -120,6 +124,48 @@ public void readXmlTypeSet() throws Exception {
 		assertTrue("Invalid result", result.contains(new TestType("2")));
 	}
 
+	@Test
+	@SuppressWarnings("unchecked")
+	public void readXmlRootElementWithExternalEntity() throws Exception {
+
+		Resource external = new ClassPathResource("external.txt", getClass());
+		String content =  "<!DOCTYPE root [" +
+				"  <!ELEMENT external ANY >\n" +
+				"  <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
+				"  <list><rootElement><type s=\"1\"/><external>&ext;</external></rootElement></list>";
+		MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
+
+		Collection<RootElement> result = converter.read(rootElementListType, null, inputMessage);
+		assertEquals(1, result.size());
+		assertEquals("", result.iterator().next().external);
+	}
+
+	@Test
+	@SuppressWarnings("unchecked")
+	public void readXmlRootElementExternalEntityEnabled() throws Exception {
+
+		Resource external = new ClassPathResource("external.txt", getClass());
+		String content =  "<!DOCTYPE root [" +
+				"  <!ELEMENT external ANY >\n" +
+				"  <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
+				"  <list><rootElement><type s=\"1\"/><external>&ext;</external></rootElement></list>";
+		MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
+
+		// Now read with
+		Jaxb2CollectionHttpMessageConverter<?> c = new Jaxb2CollectionHttpMessageConverter<Collection<Object>>() {
+			@Override
+			protected XMLInputFactory createXmlInputFactory() {
+				XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+				inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, true);
+				return inputFactory;
+			}
+		};
+
+		Collection<RootElement> result = c.read(rootElementListType, null, inputMessage);
+		assertEquals(1, result.size());
+		assertEquals("Foo Bar", result.iterator().next().external);
+	}
+
 
 	@XmlRootElement
 	public static class RootElement {
@@ -134,6 +180,9 @@ public RootElement(String s) {
 		@XmlElement
 		public TestType type = new TestType();
 
+		@XmlElement(required=false)
+		public String external;
+
 		@Override
 		public boolean equals(Object o) {
 			if (this == o) {
@@ -181,9 +230,6 @@ public boolean equals(Object o) {
 		public int hashCode() {
 			return s.hashCode();
 		}
-
-
-
 	}
 
 }