/**
 * Regression spec for LDEV-3110: xmlFeatures support for xmlParse() and isXml().
 *
 * Two deliberately hostile fixtures are used:
 *   - doctypeXml: a document whose DOCTYPE references an external DTD.
 *   - entityXml:  a document declaring an external general entity (the classic XXE shape).
 *
 * Under the secure application defaults (restored in beforeAll/afterAll) both documents
 * must be rejected; only an explicit per-call feature struct may relax that.
 *
 * The "disabled XXE protections" cases make the parser resolve the entity's SYSTEM URL over
 * HTTP. Their expectations (FileNotFoundException / isXml() == false) rest on the author's
 * note that the URL answers 404; without network access the observed failure type
 * presumably differs — confirm before relying on these cases offline.
 */
component extends="org.lucee.cfml.test.LuceeTestCase" labels="xml" {

    /**
     * Builds the fixtures and pins the application-level xmlFeatures to the secure
     * configuration so every spec starts from the same hardened baseline.
     *
     * The string literals below keep their continuation lines at column 0 on purpose:
     * indenting them would change the fixture bytes.
     */
    function beforeAll() {
        variables.doctypeXml = '<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN" "http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd">
<hibernate-mapping></hibernate-mapping>';

        // External general entity pointing at a URL that 404s (per the original author).
        variables.entityXml = '<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://update.lucee.org/rest/update/provider/echoGet/cgi" >
]>
<foo>&xxe;</foo>';

        applySecureDefaults();
    }

    /**
     * Restores the secure application-level xmlFeatures so a failing spec cannot leak
     * a relaxed configuration into other tests.
     */
    function afterAll() {
        applySecureDefaults();
    }

    /**
     * Sets the application's xmlFeatures to the hardened baseline:
     * secure processing on, DOCTYPE declarations rejected, external general entities off.
     */
    private void function applySecureDefaults() {
        application action="update" xmlFeatures={
            "secure": true,
            "disallowDoctypeDecl": true,
            "externalGeneralEntities": false
        };
    }

    /**
     * Per-call feature struct that switches every protection off.
     * Returned as a fresh struct each time so no spec can mutate another spec's input.
     */
    private struct function permissiveFeatures() {
        return {
            "externalGeneralEntities": true,
            "secure": false,
            "disallowDoctypeDecl": false
        };
    }

    /**
     * Spec entry point (TestBox). Three groups: xmlParse(), isXml(), and the Adobe
     * "allowExternalEntities" alias for externalGeneralEntities.
     */
    function run( testresults, testbox ) {

        describe( "testcase for LDEV-3110, xml features support for xmlparse", function() {

            it( "xmlparse enabled doctype protections", function() {
                // Secure defaults: a DOCTYPE must be rejected outright.
                expect( function() {
                    xmlParse( variables.doctypeXml );
                } ).toThrow();
            } );

            it( "xmlparse disabled doctype protections", function() {
                // Explicit per-call opt-out: the same document now parses.
                expect( function() {
                    xmlParse( variables.doctypeXml, false, permissiveFeatures() );
                } ).notToThrow();
            } );

            it( "xmlparse enabled XXE protections", function() {
                // Secure defaults: the external entity declaration is rejected before any fetch.
                expect( function() {
                    xmlParse( variables.entityXml );
                } ).toThrow();
            } );

            it( "xmlparse disabled XXE protections", function() {
                // With protections off the parser fetches the SYSTEM URL; the author notes it 404s,
                // which surfaces as FileNotFoundException rather than a parse error.
                expect( function() {
                    xmlParse( variables.entityXml, false, permissiveFeatures() );
                } ).toThrow( "java.io.FileNotFoundException" );
            } );
        } );

        describe( "testcase for LDEV-3110, xml features support for isXml", function() {

            it( "isXml enabled doctype protections", function() {
                expect( isXml( variables.doctypeXml ) ).toBeFalse();
            } );

            it( "isXml disabled doctype protections", function() {
                expect( isXml( variables.doctypeXml, permissiveFeatures() ) ).toBeTrue();
            } );

            it( "isXMl enabled XXE protections", function() {
                expect( isXml( variables.entityXml ) ).toBeFalse();
            } );

            it( "isXml disabled XXE protections", function() {
                // Entity resolution fails (404), so the document is not well-formed XML here.
                expect( isXml( variables.entityXml, permissiveFeatures() ) ).toBeFalse();
            } );
        } );

        describe( "testcase for LDEV-3110, xml features support for adobe allowExternalEntities alias", function() {

            it( "isXml conflicting Entities directives should fail", function() {
                // Both spellings name the same feature; contradictory values must be refused,
                // not silently resolved in favour of one of them. (Exercises xmlParse().)
                expect( function() {
                    xmlParse( variables.entityXml, false, {
                        "externalGeneralEntities": true,
                        "allowExternalEntities": false,
                        "secure": false,
                        "disallowDoctypeDecl": false
                    } );
                } ).toThrow( "java.lang.RuntimeException" );
            } );

            it( "isXml enabled XXE protections, adobe syntax", function() {
                // allowExternalEntities=true is the Adobe alias for externalGeneralEntities=true:
                // the fetch is attempted and fails, so isXml() reports false.
                expect( isXml( variables.entityXml, {
                    "allowExternalEntities": true,
                    "secure": false,
                    "disallowDoctypeDecl": false
                } ) ).toBeFalse();
            } );

            it( "isXml disabled XXE protections, adobe syntax", function() {
                // allowExternalEntities=false leaves the entity unresolved, so the document parses.
                expect( isXml( variables.entityXml, {
                    "allowExternalEntities": false,
                    "secure": false,
                    "disallowDoctypeDecl": false
                } ) ).toBeTrue();
            } );
        } );
    }
}