Posted to derby-commits@db.apache.org by bp...@apache.org on 2015/06/11 04:26:12 UTC

svn commit: r1684807 - in /db/derby/code/trunk/java: build/org/apache/derbyBuild/lastgoodjarcontents/sane.derbyTesting.jar.lastcontents testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java

Author: bpendleton
Date: Thu Jun 11 02:26:12 2015
New Revision: 1684807

URL: http://svn.apache.org/r1684807
Log:
DERBY-6810: Add regression tests for XXE vulnerability.

This patch was contributed by Abhinav Gupta (abhinavgupta2004 at gmail dot com)

This change adds a new regression test suite to hold tests for XXE
vulnerabilities in XML data type processing.

The new test case is in a suite of its own because we want to control the
overall security configuration (e.g., we want to ensure that no security
manager is installed).

Over time, as other types of XXE vulnerabilities are studied, we can add
additional test cases to this test suite.

Note that this test case demonstrates incorrect behavior, we believe. When
DERBY-6807 is fixed, this test case will need to be changed accordingly.

Added:
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java   (with props)
Modified:
    db/derby/code/trunk/java/build/org/apache/derbyBuild/lastgoodjarcontents/sane.derbyTesting.jar.lastcontents

Modified: db/derby/code/trunk/java/build/org/apache/derbyBuild/lastgoodjarcontents/sane.derbyTesting.jar.lastcontents
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/build/org/apache/derbyBuild/lastgoodjarcontents/sane.derbyTesting.jar.lastcontents?rev=1684807&r1=1684806&r2=1684807&view=diff
==============================================================================
--- db/derby/code/trunk/java/build/org/apache/derbyBuild/lastgoodjarcontents/sane.derbyTesting.jar.lastcontents (original)
+++ db/derby/code/trunk/java/build/org/apache/derbyBuild/lastgoodjarcontents/sane.derbyTesting.jar.lastcontents Thu Jun 11 02:26:12 2015
@@ -471,6 +471,7 @@ org.apache.derbyTesting.functionTests.te
 org.apache.derbyTesting.functionTests.tests.lang.XMLMissingClassesTest.class
 org.apache.derbyTesting.functionTests.tests.lang.XMLOptimizerTraceTest.class
 org.apache.derbyTesting.functionTests.tests.lang.XMLTypeAndOpsTest.class
+org.apache.derbyTesting.functionTests.tests.lang.XMLXXETest.class
 org.apache.derbyTesting.functionTests.tests.lang.XplainStatisticsTest.class
 org.apache.derbyTesting.functionTests.tests.lang._Suite.class
 org.apache.derbyTesting.functionTests.tests.lang.concateTests.class

Added: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java?rev=1684807&view=auto
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java (added)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java Thu Jun 11 02:26:12 2015
@@ -0,0 +1,121 @@
+/*
+ *
+ * Derby - Class org.apache.derbyTesting.functionTests.tests.lang.XMLXXETest.java
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, 
+ * software distributed under the License is distributed on an 
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, 
+ * either express or implied. See the License for the specific 
+ * language governing permissions and limitations under the License.
+ */
+package org.apache.derbyTesting.functionTests.tests.lang;
+
+import java.io.File;
+import java.io.PrintWriter;
+
+import java.sql.CallableStatement;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.SQLWarning;
+import java.sql.Statement;
+import java.sql.Types;
+
+import junit.framework.Test;
+
+import org.apache.derbyTesting.junit.BaseJDBCTestCase;
+import org.apache.derbyTesting.junit.BaseJDBCTestSetup;
+import org.apache.derbyTesting.junit.BaseTestSuite;
+import org.apache.derbyTesting.junit.JDBC;
+import org.apache.derbyTesting.junit.SecurityManagerSetup;
+import org.apache.derbyTesting.junit.TestConfiguration;
+import org.apache.derbyTesting.junit.XML;
+
+/**
+ * XMLXXETest this test suite runs with NO SECURITY MANAGER. It is designed
+ * to explore the so-called XXE family of vulnerabilities. For more
+ * information, try:
+ *
+ * http://h3xstream.github.io/find-sec-bugs/bugs.htm#XXE_DOCUMENT
+ * https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
+ * http://www.ws-attacks.org/index.php/XML_Entity_Expansion
+ * http://www.ws-attacks.org/index.php/XML_External_Entity_DOS
+ * http://www.ws-attacks.org/index.php/XML_Entity_Reference_Attack
+ */
+public final class XMLXXETest extends BaseJDBCTestCase {
+    
+    public XMLXXETest(String name)
+    {
+        super(name);
+    }
+
+    /**
+     * Only return a suite IF the testing classpath has the
+     * required XML classes.  Otherwise just return an empty suite.
+     */
+    public static Test suite()
+    {
+        BaseTestSuite suite =
+            new BaseTestSuite("XML XXE Vulnerability tests\n");
+
+        if (!XML.classpathMeetsXMLReqs())
+            return suite;
+
+        suite.addTest(TestConfiguration.defaultSuite(XMLXXETest.class));
+
+        return SecurityManagerSetup.noSecurityManager(suite);
+    }
+ 
+    /**
+     * Test for Derby-6807. We create a file with some (presumably sensitive)
+     * data in it, and check whether an XML query can be tricked into reading
+     * the data from that file. If it can, a security leak has occurred.
+     */
+
+    public void testDerby6807FileAccess ()
+			throws Exception
+    {
+        File password = null;
+        String path;
+
+        password = new File("test6807.txt");
+        PrintWriter writer = new PrintWriter("test6807.txt", "UTF-8");
+        writer.print("HelloWorld");
+        writer.close();
+        path = password.getAbsolutePath();
+        
+        Statement s = createStatement();
+        
+        s.execute("CREATE TABLE xml_data(xml_col XML)");
+
+        s.execute("INSERT INTO xml_data(xml_col) VALUES(XMLPARSE(DOCUMENT" 
+                + "'<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:"
+	        + File.separator    
+                + path +"\" >]><yolo>&xxe;</yolo>'"
+                + "PRESERVE WHITESPACE))");
+
+	// XXX: The next result is wrong. The expected behavior is that the
+	// query should be rejected as a security violation. See DERBY-6807
+	// for more details; when that issue is resolved, this test will need
+	// to be changed.
+
+        JDBC.assertSingleValueResultSet(
+                s.executeQuery(
+	            "SELECT XMLSERIALIZE(xml_col AS CLOB) FROM xml_data"),
+	            "<yolo>HelloWorld</yolo>");
+
+        password.delete();
+    }
+
+}
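Review bot: The cleanup at the end of testDerby6807FileAccess (`password.delete();`) is skipped whenever the assertion or any statement throws, and the `xml_data` table is never dropped at all, so a failing run leaves both the file and the table behind for whatever runs next in the suite (defaultSuite appears to run the case in more than one configuration, though I cannot confirm from this hunk that they share a database). Wrapping the JDBC work in try/finally that drops the table and deletes the file fixes that, and the PrintWriter should be closed in a finally block as well so an I/O error on the write does not leak the handle. Separately, `path` is already absolute, so the `File.separator` inserted after `"file:"` yields a doubled separator on Unix and a backslash after the scheme on Windows; `password.toURI().toString()` is the portable spelling, although I have not verified which form the XML parser in use accepts. The java.sql imports other than Statement and SQLException, and BaseJDBCTestSetup, are unused, and the method body mixes tab and space indentation.
```java
    public void testDerby6807FileAccess()
            throws Exception
    {
        File password = new File("test6807.txt");
        PrintWriter writer = new PrintWriter(password, "UTF-8");
        try {
            writer.print("HelloWorld");
        } finally {
            writer.close();
        }

        Statement s = createStatement();
        try {
            s.execute("CREATE TABLE xml_data(xml_col XML)");

            // … unchanged: INSERT of the XMLPARSE document and the
            // XMLSERIALIZE assertion (see the DERBY-6807 comment) …
        } finally {
            // Drop the table and delete the file even when the assertion
            // fails, so the next run starts from a clean state.
            try {
                s.execute("DROP TABLE xml_data");
            } catch (SQLException ignored) {
                // CREATE TABLE itself may have failed; nothing to drop.
            }
            password.delete();
        }
    }
```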

Propchange: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java
------------------------------------------------------------------------------
    svn:eol-style = native