Posted to commits@jmeter.apache.org by pm...@apache.org on 2019/10/01 09:23:58 UTC
[jmeter] 03/04: Add test for unsecure XML loading
This is an automated email from the ASF dual-hosted git repository.
pmouawad pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jmeter.git
commit bccc3e05760930ab210da78feccb68f8830da6c9
Author: pmouawad <p....@ubik-ingenierie.com>
AuthorDate: Tue Oct 1 11:23:29 2019 +0200
Add test for unsecure XML loading
---
.../java/org/apache/jmeter/assertions/XMLAssertion.java | 4 +---
.../org/apache/jmeter/assertions/XmlAssertionTest.java | 14 ++++++++++++++
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java b/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java
index 4eb9554..b5dbbc1 100644
--- a/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java
+++ b/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java
@@ -22,8 +22,6 @@ import java.io.IOException;
import java.io.Serializable;
import java.io.StringReader;
-import javax.xml.XMLConstants;
-
import org.apache.jmeter.samplers.SampleResult;
import org.apache.jmeter.testelement.AbstractTestElement;
import org.apache.jmeter.testelement.ThreadListener;
@@ -49,7 +47,7 @@ public class XMLAssertion extends AbstractTestElement implements Serializable, A
protected XMLReader initialValue() {
try {
XMLReader reader = XMLReaderFactory.createXMLReader();
- reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
return reader;
} catch (SAXException e) {
log.error("Error initializing XMLReader in XMLAssertion", e);
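Review bot: The feature name on the new line `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` is a Xerces-specific URI passed as a bare literal, and if the `XMLReader` returned by `XMLReaderFactory.createXMLReader()` does not recognise it, `setFeature` throws `SAXNotRecognizedException`, which the `catch (SAXException e)` below only logs — the hardening then fails open rather than closed, and what the catch returns is outside the hunk. Consider hoisting the literal to a named constant, `private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";`, and treating an unrecognised feature as a fatal configuration error instead of a logged one. Rejecting any DOCTYPE is the strongest XXE mitigation, so replacing `FEATURE_SECURE_PROCESSING` (which only bounds entity expansion) is the right direction; a why-comment such as `// Reject any DTD: blocks XXE and entity-expansion attacks` would keep a future cleanup from reverting it. The `initialValue()` method continues outside the hunk.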
diff --git a/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java b/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java
index cd142bd..951a877 100644
--- a/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java
+++ b/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java
@@ -35,6 +35,10 @@ public class XmlAssertionTest extends JMeterTestCase {
private final String invalidXml = "<note><to>Tove</to><from>Jani</from><heading>Reminder</heading><body>Don't forget me this weekend!</body></note1>";
private final String validXml = "<note><to>Tove</to><from>Jani</from><heading>Reminder</heading><body>Don't forget me this weekend!</body></note>";
private final String noXml = "response Data";
+ private final String unsecureXML = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" +
+ "<!DOCTYPE foo [\n" +
+ " <!ENTITY xxe SYSTEM \"file:///etc/passwd\" > ]>\n" +
+ "<foo>&xxe;</foo>";
@Before
public void setUp() {
@@ -47,6 +51,16 @@ public class XmlAssertionTest extends JMeterTestCase {
}
@Test
+ public void testUnsecureX() throws Exception {
+ sampleResult.setResponseData(unsecureXML, null);
+ result = assertion.getResult(sampleResult);
+ Assert.assertTrue(result.isFailure());
+ Assert.assertTrue(result.isError());
+ Assert.assertEquals("DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.",
+ result.getFailureMessage());
+ }
+
+ @Test
public void testValidXML() throws Exception {
sampleResult.setResponseData(validXml, null);
result = assertion.getResult(sampleResult);
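Review bot: The `Assert.assertEquals` on the added lines pins the exact text of a Xerces error message, which is implementation- and version-specific and will break the test on another parser or JDK even though the protection still holds; asserting the stable part is sufficient, e.g. `Assert.assertTrue(result.getFailureMessage().contains("DOCTYPE is disallowed"));` next to the existing `isError()` and `isFailure()` checks. The method name `testUnsecureX` looks truncated — `testUnsecureXML` would match the `unsecureXML` fixture it uses. The enclosing `XmlAssertionTest` class continues outside the hunk.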