Posted to derby-commits@db.apache.org by bp...@apache.org on 2015/06/13 21:45:36 UTC

svn commit: r1685313 - /db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java

Author: bpendleton
Date: Sat Jun 13 19:45:36 2015
New Revision: 1685313

URL: http://svn.apache.org/r1685313
Log:
DERBY-6810: Add regression tests for XXE vulnerability

This change adds the so-called "billion laughs" XML attack to the
XMLXXETest suite of XXE test cases. See:

    https://en.wikipedia.org/wiki/Billion_laughs

Note that even though this suite runs with no security manager, the default
limit of 64,000 entity expansions still applies, as documented in the Java
documentation here:

    http://docs.oracle.com/javase/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security

And thus Derby, even with no security manager, is not vulnerable to the
billion laughs attack, at least since J2SE version 5.

Even though this test case does not demonstrate any error in Derby behavior,
so far as I can tell, it is still a worthwhile test to have in the suite.


Modified:
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java?rev=1685313&r1=1685312&r2=1685313&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/XMLXXETest.java Sat Jun 13 19:45:36 2015
@@ -118,4 +118,33 @@ public final class XMLXXETest extends Ba
         password.delete();
     }
 
+    public void testDerby6807BillionLaughs() throws SQLException
+    {
+        Statement st = createStatement();
+        st.executeUpdate("create table xml_billion_laughs( xml_col xml )");
+
+String xmlBillionLaughs = "insert into xml_billion_laughs( xml_col ) values(" +
+                         " xmlparse(document '" +
+"<!DOCTYPE lolz [" +
+" <!ENTITY lol \"lol\">" +
+" <!ELEMENT lolz (#PCDATA)>" +
+" <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">" +
+" <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">" +
+" <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">" +
+" <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">" +
+" <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">" +
+" <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">" +
+" <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">" +
+" <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">" +
+" <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">" +
+"]>" +
+"<lolz>&lol9;</lolz>' PRESERVE WHITESPACE))";
+
+	assertStatementError( "2200M", st, xmlBillionLaughs );
+
+	// Since we can't even parse the document, we never get to the point
+	// where we might try to serialize it back out.
+        //    "select xmlserialize(xml_col as clob) from xml_billion_laughs");
+    }
+
 }
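Review bot: testDerby6807BillionLaughs has no Javadoc explaining why "2200M" is the expected outcome, so a reader of the suite must dig up this commit's log to learn that the assertion rests on the JAXP default entity-expansion limit of 64,000 rather than on any Derby-side check; add above the method `/** Billion-laughs regression test: the nested-entity document must be rejected (SQLSTATE 2200M) by the XML parser's default entity-expansion limit before Derby stores it. */`. Because the error originates in the parser's default, a JVM run with that limit raised or disabled would let this statement attempt the full exponential expansion, and the Javadoc should name that dependency so a future failure is diagnosed correctly. The commented-out `"select xmlserialize(xml_col as clob) from xml_billion_laughs"` line is dead code; keeping the two explanatory comment lines and dropping the quoted statement reads better. The method name carries Derby6807 while the log line says DERBY-6810, which is worth confirming, and the body mixes tabs, four-space indentation and column-0 string-continuation lines, so re-indenting the literal under `String xmlBillionLaughs` would match the rest of the class.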