olingo-commits mailing list archives

From sklev...@apache.org
Subject git commit: verify billion laughs protection with junit test
Date Mon, 09 Dec 2013 13:28:22 GMT
Updated Branches:
  refs/heads/master e5a18378f -> 388d2279c


verify billion laughs protection with junit test


Project: http://git-wip-us.apache.org/repos/asf/incubator-olingo-odata2/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-olingo-odata2/commit/388d2279
Tree: http://git-wip-us.apache.org/repos/asf/incubator-olingo-odata2/tree/388d2279
Diff: http://git-wip-us.apache.org/repos/asf/incubator-olingo-odata2/diff/388d2279

Branch: refs/heads/master
Commit: 388d2279cc3b8a4cef02200821b49e06bca00c1e
Parents: e5a1837
Author: Stephan Klevenz <sklevenz@apache.org>
Authored: Mon Dec 9 14:23:52 2013 +0100
Committer: Stephan Klevenz <sklevenz@apache.org>
Committed: Mon Dec 9 14:23:52 2013 +0100

----------------------------------------------------------------------
 .../odata2/core/commons/XmlHelperTest.java      | 48 ++++++++++++++++++++
 1 file changed, 48 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-olingo-odata2/blob/388d2279/odata2-lib/odata-core/src/test/java/org/apache/olingo/odata2/core/commons/XmlHelperTest.java
----------------------------------------------------------------------
diff --git a/odata2-lib/odata-core/src/test/java/org/apache/olingo/odata2/core/commons/XmlHelperTest.java
b/odata2-lib/odata-core/src/test/java/org/apache/olingo/odata2/core/commons/XmlHelperTest.java
index b14a343..0d2c7b2 100644
--- a/odata2-lib/odata-core/src/test/java/org/apache/olingo/odata2/core/commons/XmlHelperTest.java
+++ b/odata2-lib/odata-core/src/test/java/org/apache/olingo/odata2/core/commons/XmlHelperTest.java
@@ -28,6 +28,11 @@ import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 
+import org.apache.olingo.odata2.api.edm.EdmEntitySet;
+import org.apache.olingo.odata2.api.ep.EntityProvider;
+import org.apache.olingo.odata2.api.ep.EntityProviderException;
+import org.apache.olingo.odata2.api.ep.EntityProviderReadProperties;
+import org.apache.olingo.odata2.testutil.mock.MockFacade;
 import org.junit.Test;
 
 public class XmlHelperTest {
@@ -47,6 +52,23 @@ public class XmlHelperTest {
           "  <data>&rules;</data>" +
           "</extract>";
 
+  public static String XML_LOL =
+      "<?xml version=\"1.0\"?>" +
+          "    <!DOCTYPE lolz [" +
+          "        <!ENTITY lol \"lol\">" +
+          "        <!ELEMENT lolz (#PCDATA)>" +
+          "        <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
+
+          "        <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
+
+          "        <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
+
+          "        <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
+
+          "        <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
+
+          "        <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
+
+          "        <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
+
+          "        <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
+
+          "        <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">"
+
+          "    ]>" +
+          "    <lolz>&lol9;</lolz>";
+
   @Test
   public void createReader() throws Exception {
     InputStream content = new ByteArrayInputStream(XML.getBytes("UTF-8"));
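Review bot: `XML_LOL` is declared `public static String` without `final`, so any other class can reassign the payload and quietly change what these tests exercise; `private static final String XML_LOL =` would pin it. A short comment above the constant would also help, for example `// Nested-entity ("billion laughs") document: &lol9; expands to 10^9 copies of "lol" unless entity expansion is restricted.` That tells maintainers why this string must only be fed to parsers created through the hardened factory. The trailing context lines belong to `createReader`, whose body continues outside the hunk.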
@@ -95,4 +117,30 @@ public class XmlHelperTest {
     return streamReader;
   }
 
+  @Test(expected = XMLStreamException.class)
+  public void lolWithProtection() throws Exception {
+    InputStream content = new ByteArrayInputStream(XML_LOL.getBytes("UTF-8"));
+    XMLStreamReader streamReader = XmlHelper.createStreamReader(content);
+
+    while (streamReader.hasNext()) {
+      streamReader.next();
+    }
+  }
+
+  @Test(expected = EntityProviderException.class)
+  public void lolApiWithProtection() throws Exception {
+    InputStream content = new ByteArrayInputStream(XML_LOL.getBytes("UTF-8"));
+    EdmEntitySet entitySet = MockFacade.getMockEdm().getDefaultEntityContainer().getEntitySet("Employees");
+
+    EntityProvider.readEntry("application/xml", entitySet, content, EntityProviderReadProperties.init().build());
+  }
+
+  @Test(expected = EntityProviderException.class)
+  public void xxeApiWithProtection() throws Exception {
+    InputStream content = new ByteArrayInputStream(XML_XXE.getBytes("UTF-8"));
+    EdmEntitySet entitySet = MockFacade.getMockEdm().getDefaultEntityContainer().getEntitySet("Employees");
+
+    EntityProvider.readEntry("application/xml", entitySet, content, EntityProviderReadProperties.init().build());
+  }
+
 }
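Review bot: The three new tests rely only on `@Test(expected = ...)`, which passes for any exception of that type and puts no bound on the run if the protection ever regresses. In `lolWithProtection` a parser without the protection would start expanding `&lol9;`, so a regression is likely to appear as memory exhaustion or a stalled build rather than a clean failure. A timeout such as `@Test(expected = XMLStreamException.class, timeout = 5000)` (value illustrative) keeps that bounded. In `lolApiWithProtection` and `xxeApiWithProtection`, `EntityProvider.readEntry` receives a document that is not an entry for `Employees`, so it may throw `EntityProviderException` regardless of how entities are handled. If that is confirmed, assert on the exception's cause or place the entity reference inside an otherwise valid entry, so the test fails when the protection is removed.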

