You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2018/03/08 15:48:42 UTC

[cxf-fediz] 01/02: Adding further DocType test for the plugins

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit 1c6ecf2ffdc233395b2bbaa4418f5c900d432eb1
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 8 14:51:48 2018 +0000

    Adding further DocType test for the plugins
---
 .../core/processor/FederationProcessorImpl.java    |  2 +-
 .../cxf/fediz/integrationtests/AbstractTests.java  | 53 ++++++++++++++++++++++
 systests/tests/src/test/resources/entity2.xml      |  1 +
 3 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index 5fc4893..80c3dc4 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -133,7 +133,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
         if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
             el = DOMUtils.getFirstElement(el);
         }
-        if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
+        if (el == null || !"RequestSecurityTokenResponse".equals(el.getLocalName())) {
             LOG.warn("Unexpected root element of wresult: '" + el.getLocalName() + "'");
             throw new ProcessingException(TYPE.INVALID_REQUEST);
         }
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index fa300b4..e232e4a 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -728,6 +728,59 @@ public abstract class AbstractTests {
         // webClient.close();
     }
 
+    @Test
+    public void testEntityExpansionAttack2() throws Exception {
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+        String user = "alice";
+        String password = "ecila";
+
+        // Get the initial token
+        CookieManager cookieManager = new CookieManager();
+        final WebClient webClient = new WebClient();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        String entity =
+            IOUtils.toString(this.getClass().getClassLoader().getResource("entity2.xml").openStream(), "UTF-8");
+        String reference = "&m;";
+
+        for (DomElement result : results) {
+            if ("wresult".equals(result.getAttributeNS(null, "name"))) {
+                // Now modify the Signature
+                String value = result.getAttributeNS(null, "value");
+                value = entity + value;
+                value = value.replace("alice", reference);
+                result.setAttributeNS(null, "value", value);
+            }
+        }
+
+        // Invoke back on the RP
+
+        final HtmlForm form = idpPage.getFormByName("signinresponseform");
+        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+        try {
+            button.click();
+            Assert.fail("Failure expected on an entity expansion attack");
+        } catch (FailingHttpStatusCodeException ex) {
+            // expected
+            Assert.assertTrue(401 == ex.getStatusCode() || 403 == ex.getStatusCode());
+        }
+
+        webClient.close();
+    }
+
     @org.junit.Test
     public void testCSRFAttack() throws Exception {
         String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
diff --git a/systests/tests/src/test/resources/entity2.xml b/systests/tests/src/test/resources/entity2.xml
new file mode 100644
index 0000000..5a8cec5
--- /dev/null
+++ b/systests/tests/src/test/resources/entity2.xml
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>
\ No newline at end of file

-- 
To stop receiving notification emails like this one, please contact
coheigea@apache.org.