Prevent XXE attacks by disabling external entities resolution in the default parser

Signed-off-by: Ryan Senior <ryan.senior@puppetlabs.com>
Showing
3 changed files
with
64 additions
and
11 deletions.
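--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (ns clojure.data.xml.test-entities)
@@ -0,0 +1,49 @@
+; Copyright (c) Rich Hickey. All rights reserved.
+; The use and distribution terms for this software are covered by the
+; Eclipse Public License 1.0 (http://opensource.org/licenses/eclipse-1.0.php)
+; which can be found in the file epl-v10.html at the root of this distribution.
+; By using this software in any fashion, you are agreeing to be bound by
+; the terms of this license.
+; You must not remove this notice, or any other, from this software.
+
+(ns ^{:doc "Test that external entities are not resolved by default, see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing"
+:author "Carlo Sciolla"}
+clojure.data.xml.test-entities
+(:use clojure.test
+clojure.data.xml)
+(:require [clojure.java.io :as io]))
+
+(defn vulnerable-input
+"Creates an XML with an external entity referring to the given URL"
+[file-url]
+(str "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
+"<!DOCTYPE foo ["
+" <!ELEMENT foo ANY >"
+" <!ENTITY xxe SYSTEM \"" file-url "\" >]>"
+"<foo>&xxe;</foo>"))
+
+(defn secret-file
+"Returns the URL to the secret file containing the server root password"
+[]
+(io/resource "secret.txt"))
+
+(defn parse-vulnerable-file
+"Parses the vulnerable file, optionally passing the given options to the parser"
+([] (parse-str (vulnerable-input (secret-file))))
+([& options] (apply parse-str (vulnerable-input (secret-file)) options)))
+
+(deftest prevent-xxe-by-default
+(testing "To prevent XXE attacks, exernal entities by default resolve to nil"
+(let [parsed (parse-vulnerable-file)
+expected #clojure.data.xml.Element{:tag :foo
+:attrs {}
+:content ()}]
+(is (= expected parsed)))))
+
+(deftest allow-external-entities-if-required
+(testing "If explicitly enabled, external entities are property resolved"
+(let [parsed (parse-vulnerable-file :supporting-external-entities true)
+expected #clojure.data.xml.Element{:tag :foo
+:attrs {}
+:content ("root_password\n")}]
+(is (= expected parsed)))))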
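Review bot: The two `testing` descriptions carry typos that will be printed verbatim in failure reports — `exernal` in prevent-xxe-by-default and `property resolved` in allow-external-entities-if-required; they should read `"To prevent XXE attacks, external entities by default resolve to nil"` and `"If explicitly enabled, external entities are properly resolved"`. The coverage is also narrower than the commit title implies: vulnerable-input declares a single general entity with SYSTEM inside the internal DTD subset, so these tests cannot show whether the default parser also leaves an external DTD referenced from the DOCTYPE itself, or parameter entities, unresolved — one more fixture in the shape of vulnerable-input for the `<!DOCTYPE foo SYSTEM "...">` form would pin that down (the parser change itself is in the third file, which is not shown here). The zero-arity clause of parse-vulnerable-file is redundant, since `(apply parse-str x nil)` is the same call as `(parse-str x)`; the `[& options]` clause alone suffices. Finally, secret-file returns nil when `secret.txt` is missing from the classpath, which `str` silently turns into `SYSTEM ""`, so allow-external-entities-if-required would then fail on a confusing parse result rather than a clear message; an `(is (some? url) "secret.txt not on classpath")` or a `(doto (io/resource "secret.txt") assert)` style guard would make that failure self-explanatory.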
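--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE (resource secret.txt)
@@ -0,0 +1 @@
+root_password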