From c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f Mon Sep 17 00:00:00 2001 From: Ben Murphy Date: Fri, 8 Feb 2013 02:48:22 +0000 Subject: JDOM XXE Protection [CVE-2013-1856] Conflicts: activesupport/test/xml_mini/jdom_engine_test.rb --- activesupport/test/xml_mini/jdom_engine_test.rb | 39 +++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 3 deletions(-) (limited to 'activesupport/test/xml_mini') diff --git a/activesupport/test/xml_mini/jdom_engine_test.rb b/activesupport/test/xml_mini/jdom_engine_test.rb index 7f809e7898..ec81ada736 100644 --- a/activesupport/test/xml_mini/jdom_engine_test.rb +++ b/activesupport/test/xml_mini/jdom_engine_test.rb @@ -3,9 +3,11 @@ if RUBY_PLATFORM =~ /java/ require 'active_support/xml_mini' require 'active_support/core_ext/hash/conversions' - class JDOMEngineTest < Test::Unit::TestCase + class JDOMEngineTest < ActiveSupport::TestCase include ActiveSupport + FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml' + def setup @default_backend = XmlMini.backend XmlMini.backend = 'JDOM' @@ -30,10 +32,41 @@ if RUBY_PLATFORM =~ /java/ assert_equal 'image/png', file.content_type end + def test_not_allowed_to_expand_entities_to_files + attack_xml = <<-EOT + + ]> + x&a; + EOT + assert_equal 'x', Hash.from_xml(attack_xml)["member"] + end + + def test_not_allowed_to_expand_parameter_entities_to_files + attack_xml = <<-EOT + + %b; + ]> + x&a; + EOT + assert_raise Java::OrgXmlSax::SAXParseException do + assert_equal 'x', Hash.from_xml(attack_xml)["member"] + end + end + + + def test_not_allowed_to_load_external_doctypes + attack_xml = <<-EOT + + x&a; + EOT + assert_equal 'x', Hash.from_xml(attack_xml)["member"] + end + def test_exception_thrown_on_expansion_attack - assert_raise NativeException do + assert_raise Java::OrgXmlSax::SAXParseException do attack_xml = <<-EOT - -- cgit v1.2.3