
JDOM XXE Protection [CVE-2013-1856]
Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
benmmurphy authored and tenderlove committed Mar 16, 2013
1 parent ff3b9ca commit c0d0663
Showing 5 changed files with 45 additions and 3 deletions.
6 changes: 6 additions & 0 deletions activesupport/lib/active_support/xml_mini/jdom.rb
Expand Up @@ -38,6 +38,12 @@ def parse(data)
{}
else
@dbf = DocumentBuilderFactory.new_instance
# secure processing of java xml
# http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
@dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
@dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
@dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
@dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
xml_string_reader = StringReader.new(data)
xml_input_source = InputSource.new(xml_string_reader)
doc = @dbf.new_document_builder.parse(xml_input_source)
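Review bot: The header comment on the new lines says only `# secure processing of java xml` plus a link; a reader should be able to tell what each feature blocks without following it, so I would replace it with `# XXE hardening: do not fetch external DTDs, do not resolve external general or parameter entities, and enable JAXP secure processing (entity-expansion limits)`. The two `xml.org/sax/features/...` URIs are standard SAX2 features, while `http://apache.org/xml/features/nonvalidating/load-external-dtd` is Xerces-specific; `setFeature` raises `ParserConfigurationException` for a URI the JAXP provider does not recognise, so on a non-Xerces provider `parse` fails closed rather than silently skipping the hardening, which is the right direction but worth a sentence in the comment since that exception surfaces to callers of `parse`. If callers never need a DTD at all, the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` set to true rejects any DOCTYPE up front and also covers the expansion attack tested in this commit, though it would change the `'x'` expectations of the entity tests. The enclosing `parse` method begins before and continues after this hunk.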
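--- a/activesupport/test/fixtures/xml/jdom_doctype.dtd
+++ b/activesupport/test/fixtures/xml/jdom_doctype.dtd
@@ -0,0 +1 @@
+<!ENTITY a "external entity">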
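--- a/activesupport/test/fixtures/xml/jdom_entities.txt
+++ b/activesupport/test/fixtures/xml/jdom_entities.txt
@@ -0,0 +1 @@
+<!ENTITY a "hello">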
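--- a/activesupport/test/fixtures/xml/jdom_include.txt
+++ b/activesupport/test/fixtures/xml/jdom_include.txt
@@ -0,0 +1 @@
+include me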
39 changes: 36 additions & 3 deletions activesupport/test/xml_mini/jdom_engine_test.rb
Expand Up @@ -3,9 +3,11 @@
require 'active_support/xml_mini'
require 'active_support/core_ext/hash/conversions'

class JDOMEngineTest < Test::Unit::TestCase
class JDOMEngineTest < ActiveSupport::TestCase
include ActiveSupport

FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'

def setup
@default_backend = XmlMini.backend
XmlMini.backend = 'JDOM'
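Review bot: The new constant `FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'` is only an absolute path when the test file was invoked by an absolute path, yet the tests added in the next hunk (`test_not_allowed_to_expand_entities_to_files` and its siblings) interpolate it into `file://` URLs, which need an absolute path to point at the fixture at all; a relative or unreachable URL would make those tests prove less than intended. `FILES_DIR = File.expand_path('../../fixtures/xml', __FILE__).freeze` gives a canonical absolute path without the `..` segment and freezes the constant. The `JDOMEngineTest` class body continues outside this hunk.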
Expand All @@ -30,10 +32,41 @@ def test_file_from_xml
assert_equal 'image/png', file.content_type
end

def test_not_allowed_to_expand_entities_to_files
attack_xml = <<-EOT
<!DOCTYPE member [
<!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
]>
<member>x&a;</member>
EOT
assert_equal 'x', Hash.from_xml(attack_xml)["member"]
end

def test_not_allowed_to_expand_parameter_entities_to_files
attack_xml = <<-EOT
<!DOCTYPE member [
<!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
%b;
]>
<member>x&a;</member>
EOT
assert_raise Java::OrgXmlSax::SAXParseException do
assert_equal 'x', Hash.from_xml(attack_xml)["member"]
end
end


def test_not_allowed_to_load_external_doctypes
attack_xml = <<-EOT
<!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
<member>x&a;</member>
EOT
assert_equal 'x', Hash.from_xml(attack_xml)["member"]
end

def test_exception_thrown_on_expansion_attack
assert_raise NativeException do
assert_raise Java::OrgXmlSax::SAXParseException do
attack_xml = <<-EOT
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
