Posted to commits@cxf.apache.org by co...@apache.org on 2018/03/07 17:55:34 UTC
[cxf-fediz] branch 1.4.x-fixes updated: Make sure DocTypes are
disallowed
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
new 4c396ac Make sure DocTypes are disallowed
4c396ac is described below
commit 4c396acb42439e61cc63b0452dd22442d720b61b
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Mar 7 17:26:25 2018 +0000
Make sure DocTypes are disallowed
---
.../org/apache/cxf/fediz/core/util/DOMUtils.java | 5 +--
.../org/apache/cxf/fediz/systests/idp/IdpTest.java | 41 ++++++++++++++++++++++
systests/idp/src/test/resources/entity_wreq2.xml | 1 +
3 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
index effd00a..9c533fc 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
@@ -62,14 +62,15 @@ import org.slf4j.LoggerFactory;
*/
public final class DOMUtils {
private static final Logger LOG = LoggerFactory.getLogger(DOMUtils.class);
-
+
private static final String XMLNAMESPACE = "xmlns";
private static final DocumentBuilderFactory DBF = DocumentBuilderFactory.newInstance();
-
+
static {
try {
DBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DBF.setValidating(false);
DBF.setIgnoringComments(false);
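Review bot: The new `DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` is a Xerces-specific feature URI, and a JAXP implementation that does not recognise it throws `ParserConfigurationException` from `setFeature`; the `try` opened two lines above is closed outside this hunk, so if that catch only logs, the factory is left without the protection and every later parse of untrusted wreq XML proceeds with DOCTYPEs enabled. That handler should rethrow, e.g. `throw new ExceptionInInitializerError(e);`, so the class fails to load rather than silently running unprotected. As defence in depth, if the build targets JAXP 1.5 or later, also add `DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `DBF.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");` plus `DBF.setXIncludeAware(false);`, which cover parsers that honour secure-processing but ignore the Xerces feature. A one-line why-comment on the new feature would help the next maintainer: `// Reject any DOCTYPE: blocks XXE and entity-expansion payloads in untrusted wreq input`. The static initializer continues past the end of the hunk.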
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index d951817..796357a 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -439,6 +439,47 @@ public class IdpTest {
webClient.close();
}
+ // Send an entity expansion attack for the wreq value
+ @org.junit.Test
+ public void testEntityExpansionWReq2() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ InputStream is = this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream();
+ String entity = IOUtils.toString(is, "UTF-8");
+ is.close();
+ String validWreq =
+ "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ + "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
+ + "</RequestSecurityToken>";
+
+ url += "&wreq=" + URLEncoder.encode(entity + validWreq, "UTF-8");
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on a bad wreq value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+ }
+
// Send an malformed wreq value
@org.junit.Test
public void testMalformedWReq() throws Exception {
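Review bot: In `testEntityExpansionWReq2` neither the resource stream nor the `WebClient` is released on a failure path: if `IOUtils.toString` throws, `is.close()` is skipped, and if `Assert.fail` fires or a non-400 status arrives, `webClient.close()` is skipped. Wrap the stream as `try (InputStream is = this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream()) { entity = IOUtils.toString(is, "UTF-8"); }` and move `webClient.close()` into a `finally` after the `getPage` try/catch. `Assert.assertEquals(ex.getStatusCode(), 400)` also has expected and actual reversed, which only garbles the failure message but is worth fixing while here. The method name says entity expansion, yet the payload is a `SYSTEM` (external) entity, i.e. an XXE probe; `testExternalEntityWReq` would describe what is actually being exercised.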
diff --git a/systests/idp/src/test/resources/entity_wreq2.xml b/systests/idp/src/test/resources/entity_wreq2.xml
new file mode 100644
index 0000000..5a8cec5
--- /dev/null
+++ b/systests/idp/src/test/resources/entity_wreq2.xml
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>
\ No newline at end of file
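Review bot: The fixture only proves the DOCTYPE is refused if the parser would otherwise have reached the entity, but because `m` is a `SYSTEM` entity pointing at `/etc/hosts`, a parser that still expands entities would also fail on any host without that file (e.g. Windows CI), so the 400 the test asserts does not distinguish "DOCTYPE refused" from "external entity unreadable". A harmless internal entity makes the assertion conclusive: `<!DOCTYPE RequestSecurityToken [<!ENTITY m "">]>` — with expansion enabled the TokenType would then be valid and the request would not 400, so a 400 can only come from the DOCTYPE prohibition. The DOCTYPE names `RequestSecurityTokenResponseCollection` while the document root built in the test is `RequestSecurityToken`; a non-validating parser ignores the mismatch, but it looks like a copy from another fixture and is worth aligning so the payload reads as intended.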