t/14_serializer/04_request_xml.t seems buggy #1239

Closed
gregoa opened this issue Jan 3, 2023 · 2 comments
@gregoa

gregoa commented Jan 3, 2023

Building 1.3520 for Debian, I noticed failures in t/14_serializer/04_request_xml.t:

When running t/14_serializer/04_request_xml.t during the package build (so basically make test in a chroot):

Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.

#   Failed test 'No XXE SSRF vulnerability in our XML handling'
#   at t/14_serializer/04_request_xml.t line 134.
#          got: '2'
#     expected: '1'
# access_line: Accessed at Tue Jan  3 19:26:43 2023
# access_line: Accessed at Tue Jan  3 19:26:43 2023
# Looks like you failed 1 test of 11.
t/14_serializer/04_request_xml.t ....................
1..11
ok 1
ok 2
ok 3
ok 4
ok 5 - data is correctly deserialized
ok 6 - goodcontent type set in response
ok 7
ok 8
ok 9
ok 10
HTTP::Server::Simple::PSGI: You can connect to your server at http://localhost:42441/
not ok 11 - No XXE SSRF vulnerability in our XML handling
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/11 subtests

When running t/14_serializer/04_request_xml.t manually after the failure above:

# prove --blib t/14_serializer/04_request_xml.t
t/14_serializer/04_request_xml.t .. 1/11 Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.
Warning: 'ParserOpts' is deprecated, contact the author if you need it at /build/libdancer-perl-1.3520+dfsg/blib/lib/Dancer/Serializer/XML.pm line 99.

#   Failed test 'No XXE SSRF vulnerability in our XML handling'
#   at t/14_serializer/04_request_xml.t line 134.
#          got: '0'
#     expected: '1'
# Looks like you failed 1 test of 11.
t/14_serializer/04_request_xml.t .. Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/11 subtests 

Note that got is 2 one time and 0 the other time, but never 1.

This can also be seen on CPAN testers:
https://www.cpantesters.org/cpan/report/0e1d41ba-8af0-11ed-957b-f9c6f25c7232 (got: 2)
https://www.cpantesters.org/cpan/report/b97bb9a4-8ad4-11ed-9e3f-bc476c93ce5e (got: 3)
https://www.cpantesters.org/cpan/report/eeb26912-8ad2-11ed-8424-ca7bf01f4358 (got: 3)

The history of t/14_serializer/04_request_xml.t in git is also interesting: It first checks for 1 line, then for 4 (adding a comment and diag output), and then for 1 again (leaving the now-incorrect comment about the four lines). All examples I've seen are neither 1 nor 4 :)

No idea what's going on there exactly but this test looks not perfect …

Cheers,
gregor

@cromedome
Contributor

I pushed a fix that addresses most of these cases. It's not pretty, but should cover any case > 0. I'll release a new version ASAP.

cromedome added a commit that referenced this issue Feb 5, 2023
We see a different number of responses in the access file, but there
should always be at least one line. Change the test to account for any
case > 1.

The error report shows that 0 was returned when the test was run
individually. Can't reproduce this locally, so added a TODO item to
potentially investigate later.
@gregoa
Author

gregoa commented Feb 10, 2023

Thanks, 1.3521 uploaded to Debian/unstable.
