diff options
author | Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> | 2017-06-23 10:05:35 +0200 |
---|---|---|
committer | Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> | 2017-06-23 10:05:35 +0200 |
commit | 2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch) | |
tree | ca64698b31b478abe7fb5cde97398646f4105699 /utils/src/test/java/at | |
parent | f31c5c8e557b611ff4f5e43443975fb08a202863 (diff) | |
parent | 0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff) | |
download | mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.gz mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.bz2 mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.zip |
Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'
Manuell xxe and ssrf validation
Diffstat (limited to 'utils/src/test/java/at')
-rw-r--r-- | utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java index 99c11cbe..5f97be0f 100644 --- a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java +++ b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java @@ -25,6 +25,7 @@ package at.gv.egiz.slbinding; +import java.io.BufferedInputStream; import java.io.InputStream; import java.io.InputStreamReader; @@ -49,7 +50,7 @@ public class UnmarshallCXSRTest { assertNotNull(s); SLUnmarshaller unmarshaller = new SLUnmarshaller(); - Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(s))); + Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s)))); assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>); @@ -59,4 +60,33 @@ public class UnmarshallCXSRTest { } + @Test + public void testUnmarshalCreateXMLSignatureResponseWithDocTypeXXEOrSSRF() throws JAXBException { + + ClassLoader cl = UnmarshallCXSRTest.class.getClassLoader(); + InputStream s = cl.getResourceAsStream("at/gv/egiz/slbinding/CreateXMLSignatureResponse_with_Attacke.xml"); + + assertNotNull(s); + + SLUnmarshaller unmarshaller = new SLUnmarshaller(); + Object object; + try { + object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s)))); + + assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>); + Object value = ((JAXBElement<?>) object).getValue(); + assertFalse(value.getClass().getName(), value instanceof CreateXMLSignatureResponseType); + + /* If the parser has no exception and no CreateXMLSignatureResponseType than the test fails, because + * the tested XML document contains a CreateXMLSignatureResponseType and an XXE, SSRF attack vector. + * Consequently, the parser result has to be an error + */ + assertFalse(true); + + } catch (XMLStreamException e) { + assertTrue(e.getClass().getName(), e instanceof XMLStreamException); + + } + } + } |