Escaping Characters for SOAP XML: Late But Here

It’s a known bug in VI Java API that it did not escape strings to be included within an XML tag. The potential risk, although very rare, is that it can break the de-serialization of a request on the server side. I did get one or two reports of failures on login, which turned out to be caused by special characters like < or > in passwords. As a quick fix, an escaping logic has been added to escape the special characters in passwords.

This is of course just a workaround, not really meant to be future proof. I thought the chance of getting into similar trouble was so small that it might not be worth the effort to make it right, until a recent bug report on OVF importing. The method call ResourcePool.importVApp() returns with an InvalidRequest exception as follows:


com.vmware.vim25.InvalidRequest: null
...
at com.vmware.vim25.ws.XmlGen.fromXml(XmlGen.java:201) ~[vijava3.jar:na]
at com.vmware.vim25.ws.XmlGen.parseSoapFault(XmlGen.java:80) ~[vijava3.jar:na]
at com.vmware.vim25.ws.WSClient.invoke(WSClient.java:133) ~[vijava3.jar:na]
at com.vmware.vim25.ws.VimStub.importVApp(VimStub.java:1418) ~[vijava3.jar:na]
at com.vmware.vim25.mo.ResourcePool.importVApp(ResourcePool.java:102) ~[vijava3.jar:na]

After debugging, it turned out to be related to a field of string type holding XML content. The content was embedded unescaped in the request and therefore broke parsing on the server side.

We could have patched it up with the same approach as with passwords, but decided to get it right this time, as the possibility of running into this issue is higher in vSphere 5.

The fix is fairly simple: escape in the serialization engine. Whenever there is a string value, escape it with the following code.

// Replaces the five XML-significant characters with their predefined entities
// so the string can be placed verbatim between XML tags or in an attribute value.
private static String escapeForXML(String str)
{
  StringBuilder sb = new StringBuilder(str.length());

  for(int i=0; i<str.length(); i++)
  {
    char c = str.charAt(i);

    if(c=='&')
    {
      sb.append("&amp;");
    }
    else if(c=='<')
    {
      sb.append("&lt;");
    }
    else if(c=='>')
    {
      sb.append("&gt;");
    }
    else if(c=='"')
    {
      sb.append("&quot;");
    }
    else if(c=='\'')
    {
      sb.append("&apos;");
    }
    else
    {
      sb.append(c);
    }
  }
  return sb.toString();
}
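As an added example (not code from VI Java API or this post), the following feeds a constructed Login-style body through the JDK's standard XML parser twice, once with the raw value and once escaped with the same logic as above, to show that the unescaped request is malformed on the receiving side while the escaped one round-trips to the original string. The element names and the sample password are assumptions for illustration, not the real vim25 schema.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class EscapeRoundTrip {
    // Same escaping as the fix: the five XML-significant characters.
    static String escapeForXML(String str) {
        StringBuilder sb = new StringBuilder(str.length());
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Constructed, simplified request body (hypothetical element names, not the vim25 schema).
    static String body(String password) {
        return "<Login><password>" + password + "</password></Login>";
    }

    // Parses the body as a server would; returns the text of <password>, or null if the XML is malformed.
    static String recoveredPassword(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entity tricks
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("password").item(0).getTextContent();
        } catch (SAXException e) {
            return null; // this is the InvalidRequest-style failure the server reports
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) {
        String pw = "p<a>ss&word\"'"; // constructed sample containing every XML-special character
        System.out.println("unescaped: " + recoveredPassword(body(pw)));               // null: not well-formed
        System.out.println("escaped:   " + recoveredPassword(body(escapeForXML(pw))));  // original string back
    }
}
```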

One of the reasons that I was slow to get it right was concern about performance. After testing it, it’s not bad at all. At least I cannot tell much difference in performance. After all, the string typed parameters are mostly pretty small in size. Also, using StringBuilder instead of StringBuffer might have helped.

The fix will be in the 5.0 GA build. From there, we will have peace of mind that it won’t be a potential problem any more. The vApp importing sample included in VI Java API has also been changed accordingly.


Author: Steve Jin, VMware vExpert, who authored the VMware VI and vSphere SDK book (Prentice Hall) and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell and VMware are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.