Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'

Manuell xxe and ssrf validation
author: Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> 2017-06-23 10:05:35 +0200
committer: Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> 2017-06-23 10:05:35 +0200
commit: 2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch)
tree: ca64698b31b478abe7fb5cde97398646f4105699 /utils/src/test/java
parent: f31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
parent: 0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff)
download: mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.gz
mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.bz2
mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.zip
1 files changed, 31 insertions, 1 deletions
diff --git a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
index 99c11cbe..5f97be0f 100644
--- a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
+++ b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
@@ -25,6 +25,7 @@
 
 package at.gv.egiz.slbinding;
 
+import java.io.BufferedInputStream;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 
@@ -49,7 +50,7 @@ public class UnmarshallCXSRTest {
     assertNotNull(s);
     
     SLUnmarshaller unmarshaller = new SLUnmarshaller();
-    Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(s)));
+    Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s))));
 
     assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>);
 
@@ -59,4 +60,33 @@ public class UnmarshallCXSRTest {
     
   }
   
+  @Test
+  public void testUnmarshalCreateXMLSignatureResponseWithDocTypeXXEOrSSRF() throws JAXBException {
+    
+    ClassLoader cl = UnmarshallCXSRTest.class.getClassLoader();
+    InputStream s = cl.getResourceAsStream("at/gv/egiz/slbinding/CreateXMLSignatureResponse_with_Attacke.xml");
+    
+    assertNotNull(s);
+    
+    SLUnmarshaller unmarshaller = new SLUnmarshaller();
+    Object object;
+	try {
+		object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s))));
+		
+	    assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>);
+	    Object value = ((JAXBElement<?>) object).getValue();	    
+	    assertFalse(value.getClass().getName(), value instanceof CreateXMLSignatureResponseType);
+		
+	    /* If the parser has no exception and no CreateXMLSignatureResponseType than the test fails, because 
+	     * the tested XML document contains a CreateXMLSignatureResponseType and an XXE, SSRF attack vector.
+	     * Consequently, the parser result has to be an error
+	     */
+	    assertFalse(true);
+	    
+	} catch (XMLStreamException e) {
+		assertTrue(e.getClass().getName(), e instanceof XMLStreamException);
+		
+	}    
+  }
+  
 }
author	Bianca Schnalzer <bianca.schnalzer@egiz.gv.at>	2017-06-23 10:05:35 +0200
committer	Bianca Schnalzer <bianca.schnalzer@egiz.gv.at>	2017-06-23 10:05:35 +0200
commit	2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch)
tree	ca64698b31b478abe7fb5cde97398646f4105699 /utils/src/test/java
parent	f31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
parent	0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff)
download	mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.gz mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.bz2 mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.zip