Disable DTD when parsing untrusted XML input
Issue: SPR-13136
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2014 the original author or authors.
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,10 +16,13 @@
|
||||
|
||||
package org.springframework.http.converter.xml;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
import java.lang.reflect.Type;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAttribute;
|
||||
import javax.xml.bind.annotation.XmlElement;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
@@ -27,20 +30,22 @@ import javax.xml.bind.annotation.XmlType;
|
||||
import javax.xml.stream.XMLInputFactory;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.ExpectedException;
|
||||
|
||||
import org.springframework.core.ParameterizedTypeReference;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.Resource;
|
||||
import org.springframework.http.MockHttpInputMessage;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
import org.springframework.http.converter.HttpMessageNotReadableException;
|
||||
|
||||
/**
|
||||
* Test fixture for {@link Jaxb2CollectionHttpMessageConverter}.
|
||||
*
|
||||
* @author Arjen Poutsma
|
||||
*/
|
||||
@SuppressWarnings("unused")
|
||||
public class Jaxb2CollectionHttpMessageConverterTests {
|
||||
|
||||
private Jaxb2CollectionHttpMessageConverter<?> converter;
|
||||
@@ -53,6 +58,9 @@ public class Jaxb2CollectionHttpMessageConverterTests {
|
||||
|
||||
private Type typeSetType;
|
||||
|
||||
@Rule
|
||||
public ExpectedException thrown = ExpectedException.none();
|
||||
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
@@ -133,6 +141,16 @@ public class Jaxb2CollectionHttpMessageConverterTests {
|
||||
" <list><rootElement><type s=\"1\"/><external>&ext;</external></rootElement></list>";
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
|
||||
|
||||
converter = new Jaxb2CollectionHttpMessageConverter<Collection<Object>>() {
|
||||
|
||||
@Override
|
||||
protected XMLInputFactory createXmlInputFactory() {
|
||||
XMLInputFactory inputFactory = super.createXmlInputFactory();
|
||||
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, true);
|
||||
return inputFactory;
|
||||
}
|
||||
};
|
||||
|
||||
Collection<RootElement> result = converter.read(rootElementListType, null, inputMessage);
|
||||
assertEquals(1, result.size());
|
||||
assertEquals("", result.iterator().next().external);
|
||||
@@ -163,6 +181,30 @@ public class Jaxb2CollectionHttpMessageConverterTests {
|
||||
assertEquals("Foo Bar", result.iterator().next().external);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testXmlBomb() throws Exception {
|
||||
// https://en.wikipedia.org/wiki/Billion_laughs
|
||||
// https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
|
||||
String content = "<?xml version=\"1.0\"?>\n" +
|
||||
"<!DOCTYPE lolz [\n" +
|
||||
" <!ENTITY lol \"lol\">\n" +
|
||||
" <!ELEMENT lolz (#PCDATA)>\n" +
|
||||
" <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
|
||||
" <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
|
||||
" <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
|
||||
" <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" +
|
||||
" <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" +
|
||||
" <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" +
|
||||
" <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" +
|
||||
" <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" +
|
||||
" <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" +
|
||||
"]>\n" +
|
||||
"<list><rootElement><external>&lol9;</external></rootElement></list>";
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
|
||||
this.thrown.expect(HttpMessageNotReadableException.class);
|
||||
this.thrown.expectMessage("\"lol9\"");
|
||||
this.converter.read(this.rootElementListType, null, inputMessage);
|
||||
}
|
||||
|
||||
@XmlRootElement
|
||||
public static class RootElement {
|
||||
|
||||
@@ -16,7 +16,13 @@
|
||||
|
||||
package org.springframework.http.converter.xml;
|
||||
|
||||
import static org.custommonkey.xmlunit.XMLAssert.*;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.nio.charset.Charset;
|
||||
|
||||
import javax.xml.bind.Marshaller;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import javax.xml.bind.annotation.XmlAttribute;
|
||||
@@ -27,7 +33,9 @@ import javax.xml.bind.annotation.adapters.XmlAdapter;
|
||||
import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.ExpectedException;
|
||||
|
||||
import org.springframework.aop.framework.AdvisedSupport;
|
||||
import org.springframework.aop.framework.AopProxy;
|
||||
@@ -37,11 +45,7 @@ import org.springframework.core.io.Resource;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.MockHttpInputMessage;
|
||||
import org.springframework.http.MockHttpOutputMessage;
|
||||
|
||||
import static org.custommonkey.xmlunit.XMLAssert.*;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertFalse;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import org.springframework.http.converter.HttpMessageNotReadableException;
|
||||
|
||||
/**
|
||||
* Tests for {@link Jaxb2RootElementHttpMessageConverter}.
|
||||
@@ -49,6 +53,7 @@ import static org.junit.Assert.assertTrue;
|
||||
* @author Arjen Poutsma
|
||||
* @author Sebastien Deleuze
|
||||
*/
|
||||
@SuppressWarnings("unused")
|
||||
public class Jaxb2RootElementHttpMessageConverterTests {
|
||||
|
||||
private Jaxb2RootElementHttpMessageConverter converter;
|
||||
@@ -57,6 +62,10 @@ public class Jaxb2RootElementHttpMessageConverterTests {
|
||||
|
||||
private RootElement rootElementCglib;
|
||||
|
||||
@Rule
|
||||
public ExpectedException thrown = ExpectedException.none();
|
||||
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
converter = new Jaxb2RootElementHttpMessageConverter();
|
||||
@@ -115,6 +124,7 @@ public class Jaxb2RootElementHttpMessageConverterTests {
|
||||
" <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
|
||||
" <rootElement><external>&ext;</external></rootElement>";
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
|
||||
converter.setSupportDtd(true);
|
||||
RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage);
|
||||
|
||||
assertEquals("", rootElement.external);
|
||||
@@ -134,6 +144,31 @@ public class Jaxb2RootElementHttpMessageConverterTests {
|
||||
assertEquals("Foo Bar", rootElement.external);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testXmlBomb() throws Exception {
|
||||
// https://en.wikipedia.org/wiki/Billion_laughs
|
||||
// https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
|
||||
String content = "<?xml version=\"1.0\"?>\n" +
|
||||
"<!DOCTYPE lolz [\n" +
|
||||
" <!ENTITY lol \"lol\">\n" +
|
||||
" <!ELEMENT lolz (#PCDATA)>\n" +
|
||||
" <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
|
||||
" <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
|
||||
" <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
|
||||
" <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" +
|
||||
" <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" +
|
||||
" <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" +
|
||||
" <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" +
|
||||
" <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" +
|
||||
" <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" +
|
||||
"]>\n" +
|
||||
"<rootElement><external>&lol9;</external></rootElement>";
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
|
||||
this.thrown.expect(HttpMessageNotReadableException.class);
|
||||
this.thrown.expectMessage("DOCTYPE is disallowed");
|
||||
this.converter.read(RootElement.class, inputMessage);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void writeXmlRootElement() throws Exception {
|
||||
MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
|
||||
|
||||
@@ -23,8 +23,13 @@ import java.nio.charset.Charset;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonView;
|
||||
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.ExpectedException;
|
||||
import org.xml.sax.SAXException;
|
||||
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.Resource;
|
||||
import org.springframework.http.HttpOutputMessage;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.MockHttpInputMessage;
|
||||
@@ -45,6 +50,9 @@ public class MappingJackson2XmlHttpMessageConverterTests {
|
||||
|
||||
private final MappingJackson2XmlHttpMessageConverter converter = new MappingJackson2XmlHttpMessageConverter();
|
||||
|
||||
@Rule
|
||||
public ExpectedException thrown = ExpectedException.none();
|
||||
|
||||
|
||||
@Test
|
||||
public void canRead() {
|
||||
@@ -70,9 +78,9 @@ public class MappingJackson2XmlHttpMessageConverterTests {
|
||||
assertEquals("Foo", result.getString());
|
||||
assertEquals(42, result.getNumber());
|
||||
assertEquals(42F, result.getFraction(), 0F);
|
||||
assertArrayEquals(new String[]{"Foo", "Bar"}, result.getArray());
|
||||
assertArrayEquals(new String[] {"Foo", "Bar"}, result.getArray());
|
||||
assertTrue(result.isBool());
|
||||
assertArrayEquals(new byte[]{0x1, 0x2}, result.getBytes());
|
||||
assertArrayEquals(new byte[] {0x1, 0x2}, result.getBytes());
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -139,6 +147,55 @@ public class MappingJackson2XmlHttpMessageConverterTests {
|
||||
// Assert no exception is thrown
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readWithExternalReference() throws IOException {
|
||||
|
||||
String body = "<!DOCTYPE MyBean SYSTEM \"http://192.168.28.42/1.jsp\" [" +
|
||||
" <!ELEMENT root ANY >\n" +
|
||||
" <!ENTITY ext SYSTEM \"" +
|
||||
new ClassPathResource("external.txt", getClass()).getURI() +
|
||||
"\" >]><MyBean><string>&ext;</string></MyBean>";
|
||||
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
|
||||
inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
|
||||
|
||||
this.thrown.expect(HttpMessageNotReadableException.class);
|
||||
this.thrown.expectMessage("entity \"ext\"");
|
||||
|
||||
this.converter.read(MyBean.class, inputMessage);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readWithXmlBomb() throws IOException {
|
||||
|
||||
// https://en.wikipedia.org/wiki/Billion_laughs
|
||||
// https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
|
||||
String body = "<?xml version=\"1.0\"?>\n" +
|
||||
"<!DOCTYPE lolz [\n" +
|
||||
" <!ENTITY lol \"lol\">\n" +
|
||||
" <!ELEMENT lolz (#PCDATA)>\n" +
|
||||
" <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
|
||||
" <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
|
||||
" <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
|
||||
" <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" +
|
||||
" <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" +
|
||||
" <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" +
|
||||
" <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" +
|
||||
" <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" +
|
||||
" <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" +
|
||||
"]>\n" +
|
||||
"<MyBean>&lol9;</MyBean>";
|
||||
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
|
||||
inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
|
||||
|
||||
this.thrown.expect(HttpMessageNotReadableException.class);
|
||||
this.thrown.expectMessage("entity \"lol9\"");
|
||||
|
||||
this.converter.read(MyBean.class, inputMessage);
|
||||
}
|
||||
|
||||
|
||||
private void writeInternal(Object object, HttpOutputMessage outputMessage)
|
||||
throws NoSuchMethodException, InvocationTargetException,
|
||||
IllegalAccessException {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2014 the original author or authors.
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,10 +16,16 @@
|
||||
|
||||
package org.springframework.http.converter.xml;
|
||||
|
||||
import static org.custommonkey.xmlunit.XMLAssert.*;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.*;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStreamReader;
|
||||
import java.io.StringReader;
|
||||
import java.nio.charset.Charset;
|
||||
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.stream.XMLStreamReader;
|
||||
import javax.xml.transform.Source;
|
||||
@@ -29,7 +35,9 @@ import javax.xml.transform.stax.StAXSource;
|
||||
import javax.xml.transform.stream.StreamSource;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.ExpectedException;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.xml.sax.InputSource;
|
||||
@@ -42,13 +50,10 @@ import org.springframework.core.io.Resource;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.MockHttpInputMessage;
|
||||
import org.springframework.http.MockHttpOutputMessage;
|
||||
import org.springframework.http.converter.HttpMessageNotReadableException;
|
||||
import org.springframework.util.FileCopyUtils;
|
||||
|
||||
import static org.custommonkey.xmlunit.XMLAssert.*;
|
||||
// Do NOT statically import org.junit.Assert.*, since XMLAssert extends junit.framework.Assert
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotEquals;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
|
||||
/**
|
||||
* @author Arjen Poutsma
|
||||
@@ -61,6 +66,10 @@ public class SourceHttpMessageConverterTests {
|
||||
|
||||
private String bodyExternal;
|
||||
|
||||
@Rule
|
||||
public ExpectedException thrown = ExpectedException.none();
|
||||
|
||||
|
||||
@Before
|
||||
public void setUp() throws IOException {
|
||||
converter = new SourceHttpMessageConverter<Source>();
|
||||
@@ -97,12 +106,40 @@ public class SourceHttpMessageConverterTests {
|
||||
public void readDOMSourceExternal() throws Exception {
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
|
||||
inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
|
||||
converter.setSupportDtd(true);
|
||||
DOMSource result = (DOMSource) converter.read(DOMSource.class, inputMessage);
|
||||
Document document = (Document) result.getNode();
|
||||
assertEquals("Invalid result", "root", document.getDocumentElement().getLocalName());
|
||||
assertNotEquals("Invalid result", "Foo Bar", document.getDocumentElement().getTextContent());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readDomSourceWithXmlBomb() throws Exception {
|
||||
// https://en.wikipedia.org/wiki/Billion_laughs
|
||||
// https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
|
||||
String content = "<?xml version=\"1.0\"?>\n" +
|
||||
"<!DOCTYPE lolz [\n" +
|
||||
" <!ENTITY lol \"lol\">\n" +
|
||||
" <!ELEMENT lolz (#PCDATA)>\n" +
|
||||
" <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
|
||||
" <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
|
||||
" <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
|
||||
" <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" +
|
||||
" <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" +
|
||||
" <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" +
|
||||
" <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" +
|
||||
" <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" +
|
||||
" <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" +
|
||||
"]>\n" +
|
||||
"<root>&lol9;</root>";
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
|
||||
|
||||
this.thrown.expect(HttpMessageNotReadableException.class);
|
||||
this.thrown.expectMessage("DOCTYPE is disallowed");
|
||||
|
||||
this.converter.read(DOMSource.class, inputMessage);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readSAXSource() throws Exception {
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
|
||||
@@ -117,6 +154,7 @@ public class SourceHttpMessageConverterTests {
|
||||
public void readSAXSourceExternal() throws Exception {
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
|
||||
inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
|
||||
converter.setSupportDtd(true);
|
||||
SAXSource result = (SAXSource) converter.read(SAXSource.class, inputMessage);
|
||||
InputSource inputSource = result.getInputSource();
|
||||
XMLReader reader = result.getXMLReader();
|
||||
@@ -130,6 +168,37 @@ public class SourceHttpMessageConverterTests {
|
||||
reader.parse(inputSource);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readSAXSourceWithXmlBomb() throws Exception {
|
||||
// https://en.wikipedia.org/wiki/Billion_laughs
|
||||
// https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
|
||||
String content = "<?xml version=\"1.0\"?>\n" +
|
||||
"<!DOCTYPE lolz [\n" +
|
||||
" <!ENTITY lol \"lol\">\n" +
|
||||
" <!ELEMENT lolz (#PCDATA)>\n" +
|
||||
" <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
|
||||
" <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
|
||||
" <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
|
||||
" <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" +
|
||||
" <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" +
|
||||
" <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" +
|
||||
" <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" +
|
||||
" <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" +
|
||||
" <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" +
|
||||
"]>\n" +
|
||||
"<root>&lol9;</root>";
|
||||
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
|
||||
SAXSource result = (SAXSource) this.converter.read(SAXSource.class, inputMessage);
|
||||
|
||||
this.thrown.expect(SAXException.class);
|
||||
this.thrown.expectMessage("DOCTYPE is disallowed");
|
||||
|
||||
InputSource inputSource = result.getInputSource();
|
||||
XMLReader reader = result.getXMLReader();
|
||||
reader.parse(inputSource);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readStAXSource() throws Exception {
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
|
||||
@@ -149,6 +218,7 @@ public class SourceHttpMessageConverterTests {
|
||||
public void readStAXSourceExternal() throws Exception {
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
|
||||
inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
|
||||
converter.setSupportDtd(true);
|
||||
StAXSource result = (StAXSource) converter.read(StAXSource.class, inputMessage);
|
||||
XMLStreamReader streamReader = result.getXMLStreamReader();
|
||||
assertTrue(streamReader.hasNext());
|
||||
@@ -161,6 +231,39 @@ public class SourceHttpMessageConverterTests {
|
||||
streamReader.close();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readStAXSourceWithXmlBomb() throws Exception {
|
||||
// https://en.wikipedia.org/wiki/Billion_laughs
|
||||
// https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
|
||||
String content = "<?xml version=\"1.0\"?>\n" +
|
||||
"<!DOCTYPE lolz [\n" +
|
||||
" <!ENTITY lol \"lol\">\n" +
|
||||
" <!ELEMENT lolz (#PCDATA)>\n" +
|
||||
" <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
|
||||
" <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
|
||||
" <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
|
||||
" <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" +
|
||||
" <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" +
|
||||
" <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" +
|
||||
" <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" +
|
||||
" <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" +
|
||||
" <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" +
|
||||
"]>\n" +
|
||||
"<root>&lol9;</root>";
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
|
||||
StAXSource result = (StAXSource) this.converter.read(StAXSource.class, inputMessage);
|
||||
|
||||
XMLStreamReader streamReader = result.getXMLStreamReader();
|
||||
assertTrue(streamReader.hasNext());
|
||||
streamReader.next();
|
||||
streamReader.next();
|
||||
String s = streamReader.getLocalName();
|
||||
assertEquals("root", s);
|
||||
|
||||
this.thrown.expectMessage("\"lol9\"");
|
||||
s = streamReader.getElementText();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void readStreamSource() throws Exception {
|
||||
MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
|
||||
|
||||
Reference in New Issue
Block a user