# frozen_string_literal: true
require_relative "xml_mini_engine_test"

XMLMiniEngineTest.run_with_platform("java") do
  # XmlMini engine tests for the "JDOM" engine (see #engine below), wrapped in
  # run_with_platform("java") -- presumably so they only run on JRuby; confirm
  # in xml_mini_engine_test.
  #
  # The three tests defined here are XML external entity (XXE) regression
  # checks: each feeds Hash.from_xml a document whose DTD points at a local
  # file:// resource and asserts that the file never reaches the parsed result.
  # NOTE(review): which backend Hash.from_xml uses is decided outside this
  # file, presumably by the parent suite from #engine -- verify.
  class JDOMEngineTest < XMLMiniEngineTest
    # Directory of the fixture files referenced by the documents below.
    FILES_DIR = File.expand_path("../fixtures/xml", __dir__)

    # General entity with a SYSTEM file:// identifier. The reference &a; must
    # contribute nothing: only the literal "x" may come back, never the
    # content of jdom_include.txt.
    def test_not_allowed_to_expand_entities_to_files
      payload = <<-XML
      <!DOCTYPE member [
        <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
      ]>
      <member>x&a;</member>
      XML
      parsed = Hash.from_xml(payload)
      assert_equal "x", parsed["member"]
    end

    # External parameter entity (%b;) that points at a file of further entity
    # declarations. The test passes only when parsing raises
    # SAXParseException; the equality check inside the block is reached only
    # if parsing returns, in which case assert_raise fails anyway.
    # NOTE(review): presumably the error is the undeclared &a; left behind
    # once %b; is not fetched -- confirm against jdom_entities.txt.
    def test_not_allowed_to_expand_parameter_entities_to_files
      payload = <<-XML
      <!DOCTYPE member [
        <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
        %b;
      ]>
      <member>x&a;</member>
      XML
      assert_raise Java::OrgXmlSax::SAXParseException do
        parsed = Hash.from_xml(payload)
        assert_equal "x", parsed["member"]
      end
    end

    # External DTD subset named by the DOCTYPE's SYSTEM identifier. The
    # expected result is again the bare "x": nothing that jdom_doctype.dtd
    # might declare for &a; may appear in the output.
    def test_not_allowed_to_load_external_doctypes
      payload = <<-XML
      <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
      <member>x&a;</member>
      XML
      parsed = Hash.from_xml(payload)
      assert_equal "x", parsed["member"]
    end

    private
      # Hooks below are presumably read by the shared parent suite -- confirm
      # their use in xml_mini_engine_test.

      # Engine name for this test class.
      def engine
        "JDOM"
      end

      # Exception class associated with entity-expansion attacks on this
      # engine.
      def expansion_attack_error
        Java::OrgXmlSax::SAXParseException
      end

      # This engine is reported as not "extended".
      def extended_engine?
        false
      end
  end
end