Add quarkus.liquibase.secure-parsing to allow disabling secure parsing

Fixes quarkusio#47101

Author: gsmet

extensions/liquibase/liquibase/deployment/src/test/java/io/quarkus/liquibase/test/LiquibaseExtensionSecureParsingDisabledTest.java

@@ -0,0 +1,36 @@
+package io.quarkus.liquibase.test;
+
+import jakarta.inject.Inject;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.liquibase.LiquibaseFactory;
+import io.quarkus.test.QuarkusUnitTest;
+import liquibase.Liquibase;
+
+public class LiquibaseExtensionSecureParsingDisabledTest {
+
+    @Inject
+    LiquibaseFactory liquibaseFactory;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource("insecure-db/changeLog.xml", "db/changeLog.xml")
+                    .addAsResource("insecure-db/dbchangelog-3.8.xsd", "db/dbchangelog-3.8.xsd")
+                    .addAsResource("secure-parsing-disabled.properties", "application.properties"));
+
+    @Test
+    public void testSecureParsingDisabled() throws Exception {
+        try (Liquibase liquibase = liquibaseFactory.createLiquibase()) {
+            // TODO: this will fail as the system property is not enforced
+            //            List<ChangeSetStatus> status = liquibase.getChangeSetStatuses(liquibaseFactory.createContexts(),
+            //                    liquibaseFactory.createLabels());
+            //            assertNotNull(status);
+            //            assertEquals(1, status.size());
+            //            assertEquals("id-1", status.get(0).getChangeSet().getId());
+            //            assertFalse(status.get(0).getWillRun());
+        }
+    }
+}

extensions/liquibase/liquibase/deployment/src/test/java/io/quarkus/liquibase/test/LiquibaseExtensionSecureParsingEnabledTest.java

@@ -0,0 +1,34 @@
+package io.quarkus.liquibase.test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.fail;
+
+import jakarta.inject.Inject;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.liquibase.LiquibaseFactory;
+import io.quarkus.test.QuarkusUnitTest;
+
+public class LiquibaseExtensionSecureParsingEnabledTest {
+
+    @Inject
+    LiquibaseFactory liquibaseFactory;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource("insecure-db/changeLog.xml", "db/changeLog.xml")
+                    .addAsResource("insecure-db/dbchangelog-3.8.xsd", "db/dbchangelog-3.8.xsd")
+                    .addAsResource("secure-parsing-enabled.properties", "application.properties"))
+            .assertException(t -> {
+                assertThat(t.getCause().getCause())
+                        .hasMessageContaining("because 'file' access is not allowed");
+            });
+
+    @Test
+    public void testSecureParsing() throws Exception {
+        fail("should not be executed");
+    }
+}

extensions/liquibase/liquibase/deployment/src/test/resources/insecure-db/changeLog.xml

@@ -0,0 +1,15 @@
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog db/dbchangelog-3.8.xsd"
+    logicalFilePath="changeLog.xml">
+
+    <changeSet author="dev (generated)" id="id-1">
+        <createTable tableName="TEST_INSECURE_PARSING">
+            <column name="ID" type="VARCHAR(255)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="NAME" type="VARCHAR(255)"/>
+        </createTable>
+    </changeSet>
+
+</databaseChangeLog>

extensions/liquibase/liquibase/deployment/src/test/resources/insecure-db/dbchangelog-3.8.xsd

@@ -0,0 +1,7 @@
+quarkus.datasource.db-kind=h2
+quarkus.datasource.username=sa
+quarkus.datasource.password=sa
+quarkus.datasource.jdbc.url=jdbc:h2:tcp://localhost/mem:test-quarkus-migrate-at-start;DB_CLOSE_DELAY=-1
+# Liquibase config properties
+quarkus.liquibase.migrate-at-start=true
+quarkus.liquibase.secure-parsing=false

extensions/liquibase/liquibase/deployment/src/test/resources/secure-parsing-disabled.properties

@@ -0,0 +1,6 @@
+quarkus.datasource.db-kind=h2
+quarkus.datasource.username=sa
+quarkus.datasource.password=sa
+quarkus.datasource.jdbc.url=jdbc:h2:tcp://localhost/mem:test-quarkus-migrate-at-start;DB_CLOSE_DELAY=-1
+# Liquibase config properties
+quarkus.liquibase.migrate-at-start=true

extensions/liquibase/liquibase/deployment/src/test/resources/secure-parsing-enabled.properties

@@ -4,6 +4,7 @@
 import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.DriverManager;
+import java.util.HashMap;
 import java.util.Map;
 
 import javax.sql.DataSource;
@@ -166,10 +167,19 @@ public String getDataSourceName() {
     }
 
     public ResettableSystemProperties createResettableSystemProperties() {
-        if (config.allowDuplicatedChangesetIdentifiers.isEmpty()) {
-            return ResettableSystemProperties.empty();
+        Map<String, String> resettableProperties = new HashMap<>();
+
+        if (config.allowDuplicatedChangesetIdentifiers.isPresent()) {
+            resettableProperties.put("liquibase.allowDuplicatedChangesetIdentifiers",
+                    config.allowDuplicatedChangesetIdentifiers.get().toString());
         }
-        return ResettableSystemProperties.of("liquibase.allowDuplicatedChangesetIdentifiers",
-                config.allowDuplicatedChangesetIdentifiers.get().toString());
+
+        System.out.println("Secure parsing: " + config.secureParsing);
+
+        if (!config.secureParsing) {
+            resettableProperties.put("liquibase.secureParsing", "false");
+        }
+
+        return new ResettableSystemProperties(resettableProperties);
     }
 }

extensions/liquibase/liquibase/runtime/src/main/java/io/quarkus/liquibase/LiquibaseFactory.java

@@ -100,6 +100,13 @@ public class LiquibaseConfig {
     /**
      * Allows duplicated changeset identifiers without failing Liquibase execution.
      */
-    public Optional<Boolean> allowDuplicatedChangesetIdentifiers;
+    public Optional<Boolean> allowDuplicatedChangesetIdentifiers = Optional.empty();
+
+    /**
+     * Whether Liquibase should enforce secure parsing.
+     * <p>
+     * If secure parsing is enforced, unsecure files may not be parsed.
+     */
+    public boolean secureParsing = true;
 
 }

extensions/liquibase/liquibase/runtime/src/main/java/io/quarkus/liquibase/runtime/LiquibaseConfig.java

@@ -6,40 +6,41 @@
 
 class LiquibaseCreator {
 
-    private final LiquibaseDataSourceRuntimeConfig liquibaseRuntimeConfig;
-    private final LiquibaseDataSourceBuildTimeConfig liquibaseBuildTimeConfig;
+    private final LiquibaseDataSourceRuntimeConfig liquibaseDatabaseRuntimeConfig;
+    private final LiquibaseDataSourceBuildTimeConfig liquibaseDatabaseBuildTimeConfig;
 
     public LiquibaseCreator(LiquibaseDataSourceRuntimeConfig liquibaseRuntimeConfig,
             LiquibaseDataSourceBuildTimeConfig liquibaseBuildTimeConfig) {
-        this.liquibaseRuntimeConfig = liquibaseRuntimeConfig;
-        this.liquibaseBuildTimeConfig = liquibaseBuildTimeConfig;
+        this.liquibaseDatabaseRuntimeConfig = liquibaseRuntimeConfig;
+        this.liquibaseDatabaseBuildTimeConfig = liquibaseBuildTimeConfig;
     }
 
     public LiquibaseFactory createLiquibaseFactory(DataSource dataSource, String dataSourceName) {
         LiquibaseConfig config = new LiquibaseConfig();
-        config.changeLog = liquibaseBuildTimeConfig.changeLog();
-        config.searchPath = liquibaseBuildTimeConfig.searchPath();
-        config.changeLogParameters = liquibaseRuntimeConfig.changeLogParameters();
+        config.changeLog = liquibaseDatabaseBuildTimeConfig.changeLog();
+        config.searchPath = liquibaseDatabaseBuildTimeConfig.searchPath();
+        config.changeLogParameters = liquibaseDatabaseRuntimeConfig.changeLogParameters();
 
-        if (liquibaseRuntimeConfig.labels().isPresent()) {
-            config.labels = liquibaseRuntimeConfig.labels().get();
+        if (liquibaseDatabaseRuntimeConfig.labels().isPresent()) {
+            config.labels = liquibaseDatabaseRuntimeConfig.labels().get();
         }
-        if (liquibaseRuntimeConfig.contexts().isPresent()) {
-            config.contexts = liquibaseRuntimeConfig.contexts().get();
+        if (liquibaseDatabaseRuntimeConfig.contexts().isPresent()) {
+            config.contexts = liquibaseDatabaseRuntimeConfig.contexts().get();
         }
-        config.databaseChangeLogLockTableName = liquibaseRuntimeConfig.databaseChangeLogLockTableName();
-        config.databaseChangeLogTableName = liquibaseRuntimeConfig.databaseChangeLogTableName();
-        config.password = liquibaseRuntimeConfig.password();
-        config.username = liquibaseRuntimeConfig.username();
-        config.defaultSchemaName = liquibaseRuntimeConfig.defaultSchemaName();
-        config.defaultCatalogName = liquibaseRuntimeConfig.defaultCatalogName();
-        config.liquibaseTablespaceName = liquibaseRuntimeConfig.liquibaseTablespaceName();
-        config.liquibaseSchemaName = liquibaseRuntimeConfig.liquibaseSchemaName();
-        config.liquibaseCatalogName = liquibaseRuntimeConfig.liquibaseCatalogName();
-        config.migrateAtStart = liquibaseRuntimeConfig.migrateAtStart();
-        config.cleanAtStart = liquibaseRuntimeConfig.cleanAtStart();
-        config.validateOnMigrate = liquibaseRuntimeConfig.validateOnMigrate();
-        config.allowDuplicatedChangesetIdentifiers = liquibaseRuntimeConfig.allowDuplicatedChangesetIdentifiers();
+        config.databaseChangeLogLockTableName = liquibaseDatabaseRuntimeConfig.databaseChangeLogLockTableName();
+        config.databaseChangeLogTableName = liquibaseDatabaseRuntimeConfig.databaseChangeLogTableName();
+        config.password = liquibaseDatabaseRuntimeConfig.password();
+        config.username = liquibaseDatabaseRuntimeConfig.username();
+        config.defaultSchemaName = liquibaseDatabaseRuntimeConfig.defaultSchemaName();
+        config.defaultCatalogName = liquibaseDatabaseRuntimeConfig.defaultCatalogName();
+        config.liquibaseTablespaceName = liquibaseDatabaseRuntimeConfig.liquibaseTablespaceName();
+        config.liquibaseSchemaName = liquibaseDatabaseRuntimeConfig.liquibaseSchemaName();
+        config.liquibaseCatalogName = liquibaseDatabaseRuntimeConfig.liquibaseCatalogName();
+        config.migrateAtStart = liquibaseDatabaseRuntimeConfig.migrateAtStart();
+        config.cleanAtStart = liquibaseDatabaseRuntimeConfig.cleanAtStart();
+        config.validateOnMigrate = liquibaseDatabaseRuntimeConfig.validateOnMigrate();
+        config.allowDuplicatedChangesetIdentifiers = liquibaseDatabaseRuntimeConfig.allowDuplicatedChangesetIdentifiers();
+        config.secureParsing = liquibaseDatabaseRuntimeConfig.secureParsing();
         return new LiquibaseFactory(config, dataSource, dataSourceName);
     }
 }

extensions/liquibase/liquibase/runtime/src/main/java/io/quarkus/liquibase/runtime/LiquibaseCreator.java

@@ -117,4 +117,11 @@ public interface LiquibaseDataSourceRuntimeConfig {
      */
     Optional<Boolean> allowDuplicatedChangesetIdentifiers();
 
+    /**
+     * Whether Liquibase should enforce secure parsing.
+     * <p>
+     * If secure parsing is enforced, insecure files may not be parsed.
+     */
+    @WithDefault("true")
+    boolean secureParsing();
 }