
Make sure DocTypes are disallowed

coheigea committed Mar 7, 2018
1 parent 84b4d31 commit b6ed9865d0614332fa419fe4b6d0fe81bc2e660d
@@ -62,14 +62,15 @@
*/
public final class DOMUtils {
private static final Logger LOG = LoggerFactory.getLogger(DOMUtils.class);
private static final String XMLNAMESPACE = "xmlns";
private static final DocumentBuilderFactory DBF = DocumentBuilderFactory.newInstance();
static {
try {
DBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DBF.setValidating(false);
DBF.setIgnoringComments(false);
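Review bot: The new `disallow-doctype-decl` line carries no comment saying why it is needed next to FEATURE_SECURE_PROCESSING, and because it is a parser-specific feature URI rather than a JAXP constant a later reader may drop it as redundant; I would add `// Reject any DOCTYPE so that internal/external entity declarations (XXE, entity expansion) never reach the parser` above it. Since the call sits inside the shared try block, an implementation that does not recognise the URI throws ParserConfigurationException before `setValidating(false)` and `setIgnoringComments(false)` run; whether the factory is still used afterwards depends on the catch block, which is outside the hunk — if it only logs, the static initializer should fail hard rather than fall back to a DOCTYPE-permitting factory. The static initializer continues past the end of the hunk.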
@@ -433,6 +433,47 @@ public void testEntityExpansionWReq() throws Exception {
webClient.close();
}
// Send an entity expansion attack for the wreq value
@org.junit.Test
public void testEntityExpansionWReq2() throws Exception {
String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
url += "wa=wsignin1.0";
url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
url += "&wreply=" + wreply;
InputStream is = this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream();
String entity = IOUtils.toString(is, "UTF-8");
is.close();
String validWreq =
"<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
+ "</RequestSecurityToken>";
url += "&wreq=" + URLEncoder.encode(entity + validWreq, "UTF-8");
String user = "alice";
String password = "ecila";
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getCredentialsProvider().setCredentials(
new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
new UsernamePasswordCredentials(user, password));
webClient.getOptions().setJavaScriptEnabled(false);
try {
webClient.getPage(url);
Assert.fail("Failure expected on a bad wreq value");
} catch (FailingHttpStatusCodeException ex) {
Assert.assertEquals(ex.getStatusCode(), 400);
}
webClient.close();
}
// Send an malformed wreq value
@org.junit.Test
public void testMalformedWReq() throws Exception {
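Review bot: The fixture stream opened on the `InputStream is = ...openStream()` line is only closed on the success path; if `IOUtils.toString` throws, the stream leaks, so prefer `try (InputStream is = this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream()) { entity = IOUtils.toString(is, "UTF-8"); }` with `String entity;` declared before it (assuming the project targets Java 7 or later). The same applies to `webClient.close()` at the end of the method, which is skipped when `Assert.fail` or the status assertion throws, so the client should be closed in a `finally` block or via try-with-resources given that it exposes `close()`. The arguments to `Assert.assertEquals(ex.getStatusCode(), 400)` are in actual/expected order, so a failure message would read backwards; `Assert.assertEquals(400, ex.getStatusCode());` follows the JUnit convention. The enclosing test class extends beyond both ends of the hunk.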
@@ -0,0 +1 @@
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>
