authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-22 14:26:15 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-22 14:26:15 +0200
commit345a8534ff39cc9550cbacabe2b3fffe20293508 (patch)
tree67c2deb3c10d00ecb758a162c4ff88221b7e3741 /utils/src/test/java/at
parentf31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
implement a workaround to fix XXE and SSRF problems in an old XMLStreamParser implementation of a third party library
Diffstat (limited to 'utils/src/test/java/at')
-rw-r--r--utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java26
1 files changed, 25 insertions, 1 deletions
diff --git a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
index 99c11cbe..62a8d622 100644
--- a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
+++ b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
@@ -25,6 +25,7 @@
package at.gv.egiz.slbinding;
+import java.io.BufferedInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
@@ -49,7 +50,7 @@ public class UnmarshallCXSRTest {
assertNotNull(s);
SLUnmarshaller unmarshaller = new SLUnmarshaller();
- Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(s)));
+ Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s))));
assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>);
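Review bot: The new `InputStreamReader(new BufferedInputStream(s))` still decodes with the platform default charset, so the XML the parser sees depends on the JVM's locale rather than the fixture's encoding; the same applies to the identical wrapper in the new test method below (the `unmarshaller.unmarshal(...)` line inside `testUnmarshalCreateXMLSignatureResponseWithDocTypeXXEOrSSRF`). Since the BufferedInputStream is being introduced anyway, pass the charset explicitly: `new InputStreamReader(new BufferedInputStream(s), StandardCharsets.UTF_8)`, which needs `import java.nio.charset.StandardCharsets;` in the import block of hunk 1. The enclosing test method starts and ends outside this hunk.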
@@ -59,4 +60,27 @@ public class UnmarshallCXSRTest {
}
+ @Test
+ public void testUnmarshalCreateXMLSignatureResponseWithDocTypeXXEOrSSRF() throws JAXBException {
+
+ ClassLoader cl = UnmarshallCXSRTest.class.getClassLoader();
+ InputStream s = cl.getResourceAsStream("at/gv/egiz/slbinding/CreateXMLSignatureResponse_with_Attacke.xml");
+
+ assertNotNull(s);
+
+ SLUnmarshaller unmarshaller = new SLUnmarshaller();
+ Object object;
+ try {
+ object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s))));
+
+ assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>);
+ Object value = ((JAXBElement<?>) object).getValue();
+ assertFalse(value.getClass().getName(), value instanceof CreateXMLSignatureResponseType);
+
+ } catch (XMLStreamException e) {
+ assertTrue(e.getClass().getName(), e instanceof XMLStreamException);
+
+ }
+ }
+
}
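Review bot: The assertion in the catch block, `assertTrue(e.getClass().getName(), e instanceof XMLStreamException)`, is evaluated inside `catch (XMLStreamException e)` and so can never fail, while the non-exception path only asserts that the value is not a `CreateXMLSignatureResponseType`; the test therefore passes for two different outcomes without stating which one the DOCTYPE workaround is expected to produce, and it would keep passing if the parser silently resolved the external reference and returned some other element. Decide on the expected outcome and assert it in one place — e.g. keep the catch empty with a comment `// expected: parser rejects the DOCTYPE/external entity` and, if an exception is the intended result, end the try body with `fail("DOCTYPE with external reference was accepted")` instead of the instanceof checks. The stream from `getResourceAsStream` is also never closed; if the project targets Java 7 or later, try-with-resources handles that (the signature then needs `IOException` added to its throws clause), and the reader should name its charset, which requires `java.nio.charset.StandardCharsets` to be imported. Whether `SLUnmarshaller.unmarshal` actually declares `XMLStreamException` is not visible here; if it does not, the catch on an unthrown checked exception will not compile, so that should be confirmed against the class.

```java
    @Test
    public void testUnmarshalCreateXMLSignatureResponseWithDocTypeXXEOrSSRF() throws JAXBException, IOException {
        ClassLoader cl = UnmarshallCXSRTest.class.getClassLoader();
        try (InputStream s = cl.getResourceAsStream("at/gv/egiz/slbinding/CreateXMLSignatureResponse_with_Attacke.xml")) {
            assertNotNull(s);
            SLUnmarshaller unmarshaller = new SLUnmarshaller();
            try {
                Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s), StandardCharsets.UTF_8)));
                // … unchanged: instanceof assertions on object and its value, or fail(...) if an exception is the expected outcome …
            } catch (XMLStreamException e) {
                // expected: the parser rejects the DOCTYPE / external reference; nothing further to assert here
            }
        }
    }
```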