demo/validator
1
0
Fork 0
mirror of https://github.com/itplr-kosit/validator.git synced 2026-05-25 16:55:39 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'branch-1.1.x'

Browse source 
# Conflicts:
#	src/test/java/de/kosit/validationtool/impl/SaxonSecurityTest.java
This commit is contained in:
Andreas Penski (init) 2020-02-17 16:50:49 +01:00
commit 1807c78c51
3 changed files with 85 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

22
src/test/java/de/kosit/validationtool/impl/SaxonSecurityTest.java
View file

@ -19,10 +19,12 @@
package de.kosit.validationtool.impl;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.fail;
import java.io.IOException;
import java.net.URL;
import java.util.stream.Collectors;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
@ -41,6 +43,14 @@ import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.XsltCompiler;
import net.sf.saxon.s9api.XsltExecutable;
import net.sf.saxon.s9api.XsltTransformer;
import de.kosit.validationtool.api.InputFactory;
import de.kosit.validationtool.impl.model.Result;
import de.kosit.validationtool.impl.tasks.DocumentParseAction;
import de.kosit.validationtool.model.reportInput.XMLSyntaxError;
import net.sf.saxon.s9api.XdmNode;
/**
* Testet verschiedene Saxon Security Einstellungen.
@ -76,8 +86,18 @@ public class SaxonSecurityTest {
}
} catch (final SaxonApiException | RuntimeException e) {
log.info("Expected exception detected", e.getMessage());
log.info("Expected exception detected {}", e.getMessage(), e);
}
}
}
@Test
public void testXxe() {
final URL resource = SaxonSecurityTest.class.getResource("/evil/xxe.xml");
final Result<XdmNode, XMLSyntaxError> result = DocumentParseAction.parseDocument(InputFactory.read(resource));
assertThat(result.isValid()).isFalse();
assertThat(result.getObject()).isNull();
assertThat(result.getErrors().stream().map(XMLSyntaxError::getMessage).collect(Collectors.joining()))
.contains("http://apache.org/xml/features/disallow-doctype-dec");
}
}

4
src/test/resources/evil/xxe.xml Normal file
View file

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "ref.txt" >]><foo>&xxe;</foo>