demo/validator
1
0
Fork 0
mirror of https://github.com/itplr-kosit/validator.git synced 2026-05-25 16:55:39 +00:00
Code Issues Projects Releases Packages Wiki Activity

(fix) correctly disable xxe with saxon api

Browse source
This commit is contained in:
Andreas Penski (init) 2020-02-17 16:49:26 +01:00
parent b6141bce23
commit ed3f37eb3f
3 changed files with 93 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

35
src/test/java/de/kosit/validationtool/impl/SaxonSecurityTest.java
View file

@ -19,10 +19,12 @@
package de.kosit.validationtool.impl;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.fail;
import java.io.IOException;
import java.net.URL;
import java.util.stream.Collectors;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
@ -33,7 +35,18 @@ import org.w3c.dom.Document;
import lombok.extern.slf4j.Slf4j;
import net.sf.saxon.s9api.*;
import de.kosit.validationtool.api.InputFactory;
import de.kosit.validationtool.impl.model.Result;
import de.kosit.validationtool.impl.tasks.DocumentParseAction;
import de.kosit.validationtool.model.reportInput.XMLSyntaxError;
import net.sf.saxon.s9api.DOMDestination;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.XdmNode;
import net.sf.saxon.s9api.XsltCompiler;
import net.sf.saxon.s9api.XsltExecutable;
import net.sf.saxon.s9api.XsltTransformer;
/**
* Testet verschiedene Saxon Security Einstellungen.
@ -45,10 +58,10 @@ public class SaxonSecurityTest {
@Test
public void testEvilStylesheets() throws IOException {
Processor p = ObjectFactory.createProcessor();
final Processor p = ObjectFactory.createProcessor();
for (int i = 1; i <= 5; i++) {
try {
URL resource = SaxonSecurityTest.class.getResource(String.format("/evil/evil%s.xsl", i));
final URL resource = SaxonSecurityTest.class.getResource(String.format("/evil/evil%s.xsl", i));
final XsltCompiler compiler = p.newXsltCompiler();
final RelativeUriResolver resolver = new RelativeUriResolver(Helper.REPOSITORY);
compiler.setURIResolver(resolver);
@ -56,7 +69,7 @@ public class SaxonSecurityTest {
final XsltTransformer transformer = exetuable.load();
final Document document = ObjectFactory.createDocumentBuilder(false).newDocument();
document.createElement("root");
Document result = ObjectFactory.createDocumentBuilder(false).newDocument();
final Document result = ObjectFactory.createDocumentBuilder(false).newDocument();
transformer.getUnderlyingController().setUnparsedTextURIResolver(resolver);
transformer.setURIResolver(resolver);
transformer.setSource(new DOMSource(document));
@ -68,9 +81,19 @@ public class SaxonSecurityTest {
fail(String.format("Saxon configuration should prevent expansion within %s", resource));
}
} catch (SaxonApiException | RuntimeException e) {
log.info("Expected exception detected", e.getMessage());
} catch (final SaxonApiException | RuntimeException e) {
log.info("Expected exception detected {}", e.getMessage(), e);
}
}
}
@Test
public void testXxe() {
final URL resource = SaxonSecurityTest.class.getResource("/evil/xxe.xml");
final Result<XdmNode, XMLSyntaxError> result = DocumentParseAction.parseDocument(InputFactory.read(resource));
assertThat(result.isValid()).isFalse();
assertThat(result.getObject()).isNull();
assertThat(result.getErrors().stream().map(XMLSyntaxError::getMessage).collect(Collectors.joining()))
.contains("http://apache.org/xml/features/disallow-doctype-dec");
}
}

4
src/test/resources/evil/xxe.xml Normal file
View file

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "ref.txt" >]><foo>&xxe;</foo>