summaryrefslogtreecommitdiff
path: root/BKUViewer/src
diff options
context:
space:
mode:
authorBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
committerBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
commit2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch)
treeca64698b31b478abe7fb5cde97398646f4105699 /BKUViewer/src
parentf31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
parent0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff)
downloadmocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.gz
mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.bz2
mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.zip
Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'
Manuell xxe and ssrf validation
Diffstat (limited to 'BKUViewer/src')
-rw-r--r--BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java14
-rw-r--r--BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java22
-rw-r--r--BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml21
3 files changed, 57 insertions, 0 deletions
diff --git a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
index fe48eefa..6fea75cb 100644
--- a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
+++ b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
@@ -139,6 +139,19 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator {
spf.setValidating(true);
spf.setXIncludeAware(false);
+ /*
+ * Set parser features to disallow external entities and external dtd load operations
+ */
+ try {
+ spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+ } catch (Exception e) {
+ log.error("Can NOT set SAX parser security features. -> XML parsing is possible insecure!!!! ", e);
+
+ }
+
SAXParser parser;
try {
parser = spf.newSAXParser();
@@ -150,6 +163,7 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator {
throw new RuntimeException("Failed to create SLXHTML parser.", e);
}
+
InputSource source;
if (charset != null) {
source = new InputSource(new InputStreamReader(is, charset));
diff --git a/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java b/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java
index 1dd8c45f..d51b52eb 100644
--- a/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java
+++ b/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java
@@ -71,4 +71,26 @@ public class ValidatorTest {
}
+ @Test
+ public void testValidateWithDocType() throws ValidationException {
+
+ String slxhtmlFile = "at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml";
+
+ Validator validator = ValidatorFactory.newValidator("application/xhtml+xml");
+
+ ClassLoader cl = ValidatorTest.class.getClassLoader();
+ InputStream slxhtml = cl.getResourceAsStream(slxhtmlFile);
+ long t0 = System.currentTimeMillis();
+ try {
+ validator.validate(slxhtml, null);
+
+ } catch (ValidationException e) {
+ e.printStackTrace();
+ throw e;
+ }
+ long t1 = System.currentTimeMillis();
+ log.info("Validated SLXHTML file '{}' in {}ms.", slxhtmlFile, t1 - t0);
+
+ }
+
}
diff --git a/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml b/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml
new file mode 100644
index 00000000..7417897f
--- /dev/null
+++ b/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml
@@ -0,0 +1,21 @@
+<!DOCTYPE lolz [
+ <!ELEMENT foo ANY >
+ <!ENTITY xxe SYSTEM "file:///etc/testtesttst" >
+]>
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <title>&xxe;Signatur der Anmeldedaten</title>
+ <style media="screen" type="text/css">.boldstyle { font-weight: bold; } .italicstyle { font-style: italic; } .annotationstyle { font-size: small; }</style>
+ </head>
+ <body>
+ <h1>Signatur der Anmeldedaten</h1>
+ <p></p>
+ <h4>Mit meiner elektronischen Signatur beantrage ich, <span class="boldstyle">Horst Rotzstopper</span>, geboren am 12.12.1985, den Zugang zur gesicherten Anwendung.</h4>
+ <p></p>
+ <h4>Datum und Uhrzeit: 07.11.2008, 14:04:18</h4>
+ <h4>wbPK(*): LTpz8VYzns2jrx0J8Gm/R/nAhxA=</h4>
+ <p></p>
+ <hr></hr>
+ <div class="annotationstyle">(*) wbPK: Das <span class="italicstyle">wirtschaftsbereichsspezifische Personenkennzeichen</span> wird aus den jeweiligen Stammzahlen des Bürgers und des Wirtschaftsunternehmens berechnet und ermöglicht eine eindeutige Zuordnung des Bürgers zum Wirtschaftsunternehmen.</div>
+ </body>
+</html> \ No newline at end of file