Add quarkus.liquibase.secure-parsing to allow disabling secure parsing

Fixes #47101

Author: gsmet

extensions/liquibase/liquibase/deployment/src/test/java/io/quarkus/liquibase/test/LiquibaseExtensionSecureParsingDisabledTest.java

@@ -0,0 +1,36 @@
+package io.quarkus.liquibase.test;
+
+import jakarta.inject.Inject;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.liquibase.LiquibaseFactory;
+import io.quarkus.test.QuarkusUnitTest;
+import liquibase.Liquibase;
+
+public class LiquibaseExtensionSecureParsingDisabledTest {
+
+    @Inject
+    LiquibaseFactory liquibaseFactory;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource("insecure-db/changeLog.xml", "db/changeLog.xml")
+                    .addAsResource("insecure-db/dbchangelog-3.8.xsd", "db/dbchangelog-3.8.xsd")
+                    .addAsResource("secure-parsing-disabled.properties", "application.properties"));
+
+    @Test
+    public void testSecureParsingDisabled() throws Exception {
+        try (Liquibase liquibase = liquibaseFactory.createLiquibase()) {
+            // TODO: this will fail as the system property is not enforced
+            //            List<ChangeSetStatus> status = liquibase.getChangeSetStatuses(liquibaseFactory.createContexts(),
+            //                    liquibaseFactory.createLabels());
+            //            assertNotNull(status);
+            //            assertEquals(1, status.size());
+            //            assertEquals("id-1", status.get(0).getChangeSet().getId());
+            //            assertFalse(status.get(0).getWillRun());
+        }
+    }
+}

extensions/liquibase/liquibase/deployment/src/test/java/io/quarkus/liquibase/test/LiquibaseExtensionSecureParsingEnabledTest.java

@@ -0,0 +1,34 @@
+package io.quarkus.liquibase.test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.fail;
+
+import jakarta.inject.Inject;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.liquibase.LiquibaseFactory;
+import io.quarkus.test.QuarkusUnitTest;
+
+public class LiquibaseExtensionSecureParsingEnabledTest {
+
+    @Inject
+    LiquibaseFactory liquibaseFactory;
+
+    @RegisterExtension
+    static final QuarkusUnitTest config = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addAsResource("insecure-db/changeLog.xml", "db/changeLog.xml")
+                    .addAsResource("insecure-db/dbchangelog-3.8.xsd", "db/dbchangelog-3.8.xsd")
+                    .addAsResource("secure-parsing-enabled.properties", "application.properties"))
+            .assertException(t -> {
+                assertThat(t.getCause().getCause())
+                        .hasMessageContaining("because 'file' access is not allowed");
+            });
+
+    @Test
+    public void testSecureParsing() throws Exception {
+        fail("should not be executed");
+    }
+}

extensions/liquibase/liquibase/deployment/src/test/resources/insecure-db/changeLog.xml

@@ -0,0 +1,15 @@
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog db/dbchangelog-3.8.xsd"
+    logicalFilePath="changeLog.xml">
+
+    <changeSet author="dev (generated)" id="id-1">
+        <createTable tableName="TEST_INSECURE_PARSING">
+            <column name="ID" type="VARCHAR(255)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="NAME" type="VARCHAR(255)"/>
+        </createTable>
+    </changeSet>
+
+</databaseChangeLog>

extensions/liquibase/liquibase/deployment/src/test/resources/insecure-db/dbchangelog-3.8.xsd

@@ -0,0 +1,7 @@
+quarkus.datasource.db-kind=h2
+quarkus.datasource.username=sa
+quarkus.datasource.password=sa
+quarkus.datasource.jdbc.url=jdbc:h2:tcp://localhost/mem:test-quarkus-migrate-at-start;DB_CLOSE_DELAY=-1
+# Liquibase config properties
+quarkus.liquibase.migrate-at-start=true
+quarkus.liquibase.secure-parsing=false

extensions/liquibase/liquibase/deployment/src/test/resources/secure-parsing-disabled.properties

@@ -0,0 +1,6 @@
+quarkus.datasource.db-kind=h2
+quarkus.datasource.username=sa
+quarkus.datasource.password=sa
+quarkus.datasource.jdbc.url=jdbc:h2:tcp://localhost/mem:test-quarkus-migrate-at-start;DB_CLOSE_DELAY=-1
+# Liquibase config properties
+quarkus.liquibase.migrate-at-start=true

extensions/liquibase/liquibase/deployment/src/test/resources/secure-parsing-enabled.properties

@@ -4,6 +4,7 @@
 import java.nio.file.Paths;
 import java.sql.Connection;
 import java.sql.DriverManager;
+import java.util.HashMap;
 import java.util.Map;
 
 import javax.sql.DataSource;
@@ -166,10 +167,17 @@ public String getDataSourceName() {
     }
 
     public ResettableSystemProperties createResettableSystemProperties() {
-        if (config.allowDuplicatedChangesetIdentifiers.isEmpty()) {
-            return ResettableSystemProperties.empty();
+        Map<String, String> resettableProperties = new HashMap<>();
+
+        if (config.allowDuplicatedChangesetIdentifiers.isPresent()) {
+            resettableProperties.put("liquibase.allowDuplicatedChangesetIdentifiers",
+                    config.allowDuplicatedChangesetIdentifiers.get().toString());
+        }
+
+        if (!config.secureParsing) {
+            resettableProperties.put("liquibase.secureParsing", "false");
         }
-        return ResettableSystemProperties.of("liquibase.allowDuplicatedChangesetIdentifiers",
-                config.allowDuplicatedChangesetIdentifiers.get().toString());
+
+        return new ResettableSystemProperties(resettableProperties);
     }
 }

extensions/liquibase/liquibase/runtime/src/main/java/io/quarkus/liquibase/LiquibaseFactory.java

@@ -100,6 +100,13 @@ public class LiquibaseConfig {
     /**
      * Allows duplicated changeset identifiers without failing Liquibase execution.
      */
-    public Optional<Boolean> allowDuplicatedChangesetIdentifiers;
+    public Optional<Boolean> allowDuplicatedChangesetIdentifiers = Optional.empty();
+
+    /**
+     * Whether Liquibase should enforce secure parsing.
+     * <p>
+     * If secure parsing is enforced, unsecure files may not be parsed.
+     */
+    public boolean secureParsing = true;
 
 }

extensions/liquibase/liquibase/runtime/src/main/java/io/quarkus/liquibase/runtime/LiquibaseConfig.java

@@ -40,6 +40,7 @@ public LiquibaseFactory createLiquibaseFactory(DataSource dataSource, String dat
         config.cleanAtStart = liquibaseRuntimeConfig.cleanAtStart();
         config.validateOnMigrate = liquibaseRuntimeConfig.validateOnMigrate();
         config.allowDuplicatedChangesetIdentifiers = liquibaseRuntimeConfig.allowDuplicatedChangesetIdentifiers();
+        config.secureParsing = liquibaseRuntimeConfig.secureParsing();
         return new LiquibaseFactory(config, dataSource, dataSourceName);
     }
 }

extensions/liquibase/liquibase/runtime/src/main/java/io/quarkus/liquibase/runtime/LiquibaseCreator.java

@@ -117,4 +117,11 @@ public interface LiquibaseDataSourceRuntimeConfig {
      */
     Optional<Boolean> allowDuplicatedChangesetIdentifiers();
 
+    /**
+     * Whether Liquibase should enforce secure parsing.
+     * <p>
+     * If secure parsing is enforced, insecure files may not be parsed.
+     */
+    @WithDefault("true")
+    boolean secureParsing();
 }