
// Copyright © 2013-2014 Solita Oy <www.solita.fi>
// This software is released under the MIT License.
// The license text is at http://opensource.org/licenses/MIT

package fi.solita.datatree.xml;

import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.commons.io.IOUtils;
import org.junit.*;
import org.junit.rules.ExpectedException;

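/**
 * Tests for {@link XmlVulnerabilities#check}, the guard that screens XML input before it is handed
 * to a parser.
 *
 * <p>Both attack tests expect the same {@code "DOCTYPE is disallowed"} rejection: the guard is
 * exercised as a "no DOCTYPE at all" policy, which shuts out both external entities and
 * entity-expansion bombs because each needs entity declarations in a DTD. Note that neither test
 * verifies an entity-expansion limit on its own; if the guard is ever relaxed to permit a DOCTYPE,
 * the bomb test needs a separate assertion.
 */
public class XmlVulnerabilitiesTest {

    @Rule
    public final ExpectedException thrown = ExpectedException.none();

    @Test
    public void safe_XML_passes_the_check() {
        // No DOCTYPE and no entity references: the check must return normally.
        String xml = "<?xml version=\"1.0\"?>" + "<foo></foo>";

        XmlVulnerabilities.check(toInputStream(xml));
    }

    @Test
    public void notices_XXE_attacks() {
        // See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
        // An external entity declared in the internal DTD subset and referenced from the body.
        String xml = "<?xml version=\"1.0\"?>" + "<!DOCTYPE foo [" + "  <!ELEMENT foo ANY >"
                + "  <!ENTITY xxe SYSTEM \"file:///secret.txt\" >" + "]>" + "<foo>&xxe;</foo>";

        // The expected message shows the document is rejected at the DOCTYPE declaration, i.e.
        // before any entity could be declared or resolved.
        thrown.expect(IllegalArgumentException.class);
        thrown.expectMessage("DOCTYPE is disallowed");
        XmlVulnerabilities.check(toInputStream(xml));
    }

    @Test
    public void notices_XML_bombs() {
        // See http://msdn.microsoft.com/en-us/magazine/ee335713.aspx
        // A deliberately tiny entity-expansion payload. A full "billion laughs" document (several
        // nested entity levels, each referencing the previous level many times) is NOT used here:
        // if the check ever regressed and passed the document to a parser, expanding it would
        // consume gigabytes of memory and hang the test run. Because the check rejects the
        // DOCTYPE before any expansion takes place, this small payload exercises the same path.
        String xml = "<?xml version=\"1.0\"?>" + "<!DOCTYPE foo [" + "  <!ENTITY a \"aaaaaaaaaaaaaaaaaa\">" + "]>"
                + "<foo>&a;&a;&a;&a;&a;&a;&a;&a;&a;</foo>";

        thrown.expect(IllegalArgumentException.class);
        thrown.expectMessage("DOCTYPE is disallowed");
        XmlVulnerabilities.check(toInputStream(xml));
    }

    /**
     * Encodes the XML text as UTF-8 bytes.
     *
     * <p>The single-argument {@code IOUtils.toInputStream(String)} uses the platform default
     * charset, which would make these tests depend on the JVM's locale settings; the explicit
     * charset keeps the bytes under test identical on every machine.
     *
     * @param xml the document text to feed to the check
     * @return a stream over the UTF-8 encoding of {@code xml}
     */
    private static InputStream toInputStream(String xml) {
        return IOUtils.toInputStream(xml, StandardCharsets.UTF_8);
    }
}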