Make sure DocTypes are disallowed
coheigea committed Mar 7, 2018
1 parent 84b4d31 commit b6ed986
Showing 3 changed files with 45 additions and 2 deletions.
Expand Up @@ -62,14 +62,15 @@
*/
public final class DOMUtils {
private static final Logger LOG = LoggerFactory.getLogger(DOMUtils.class);

private static final String XMLNAMESPACE = "xmlns";

private static final DocumentBuilderFactory DBF = DocumentBuilderFactory.newInstance();

static {
try {
DBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

DBF.setValidating(false);
DBF.setIgnoringComments(false);
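Review bot: The `disallow-doctype-decl` feature added at L23 is an Apache Xerces feature name, so on a JAXP implementation that does not recognise it `setFeature` throws ParserConfigurationException and the outcome depends on the `catch` that closes this static block, which lies outside the hunk; if that handler only logs, the factory silently keeps accepting DOCTYPEs and the protection fails open. A defensive addition right after L23 is the portable SAX guards `DBF.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `DBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` plus `DBF.setExpandEntityReferences(false);`, and the catch should propagate the failure (e.g. as an ExceptionInInitializerError) rather than log it. A why-comment would also help the next maintainer: `// FEATURE_SECURE_PROCESSING does not by itself reject a DOCTYPE; disallowing the DTD blocks XXE and entity-expansion payloads regardless of the JAXP implementation's defaults`. The static initializer's try/catch ends outside this hunk.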
Expand Up @@ -433,6 +433,47 @@ public void testEntityExpansionWReq() throws Exception {
webClient.close();
}

// Send an entity expansion attack for the wreq value
@org.junit.Test
public void testEntityExpansionWReq2() throws Exception {
String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
url += "wa=wsignin1.0";
url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
url += "&wreply=" + wreply;

InputStream is = this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream();
String entity = IOUtils.toString(is, "UTF-8");
is.close();
String validWreq =
"<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
+ "</RequestSecurityToken>";

url += "&wreq=" + URLEncoder.encode(entity + validWreq, "UTF-8");

String user = "alice";
String password = "ecila";

final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getCredentialsProvider().setCredentials(
new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
new UsernamePasswordCredentials(user, password));

webClient.getOptions().setJavaScriptEnabled(false);

try {
webClient.getPage(url);
Assert.fail("Failure expected on a bad wreq value");
} catch (FailingHttpStatusCodeException ex) {
Assert.assertEquals(ex.getStatusCode(), 400);
}

webClient.close();
}

// Send an malformed wreq value
@org.junit.Test
public void testMalformedWReq() throws Exception {
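Review bot: The comment at L32 and the method name describe an entity-expansion attack, but the fixture it loads (`<!ENTITY m SYSTEM "/etc/hosts">`) is an external-entity (XXE) probe that reads a local file, so the test documents the wrong threat; I would change the comment to `// Send an XXE attack (external entity reading a local file) in the wreq value - the DOCTYPE must be rejected before the entity is resolved`. At L67 the arguments to `Assert.assertEquals` are reversed (JUnit takes expected first), so a failure would report the actual code as the expected one; use `Assert.assertEquals(400, ex.getStatusCode());`. The InputStream at L42-44 and the WebClient at L55-70 are only closed on the expected path; a try-with-resources for the stream and a `finally` around `webClient.close()` would avoid leaking them when an exception other than FailingHttpStatusCodeException propagates. testMalformedWReq at L75 continues outside this hunk.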
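--- a/systests/idp/src/test/resources/entity_wreq2.xml
+++ b/systests/idp/src/test/resources/entity_wreq2.xml
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>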
