summaryrefslogtreecommitdiff
path: root/utils/src/test/java
diff options
context:
space:
mode:
authorBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
committerBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
commit2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch)
treeca64698b31b478abe7fb5cde97398646f4105699 /utils/src/test/java
parentf31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
parent0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff)
downloadmocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.gz
mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.bz2
mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.zip
Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'
Manuell xxe and ssrf validation
Diffstat (limited to 'utils/src/test/java')
-rw-r--r--utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java32
1 files changed, 31 insertions, 1 deletions
diff --git a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
index 99c11cbe..5f97be0f 100644
--- a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
+++ b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java
@@ -25,6 +25,7 @@
package at.gv.egiz.slbinding;
+import java.io.BufferedInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
@@ -49,7 +50,7 @@ public class UnmarshallCXSRTest {
assertNotNull(s);
SLUnmarshaller unmarshaller = new SLUnmarshaller();
- Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(s)));
+ Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s))));
assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>);
@@ -59,4 +60,33 @@ public class UnmarshallCXSRTest {
}
+ @Test
+ public void testUnmarshalCreateXMLSignatureResponseWithDocTypeXXEOrSSRF() throws JAXBException {
+
+ ClassLoader cl = UnmarshallCXSRTest.class.getClassLoader();
+ InputStream s = cl.getResourceAsStream("at/gv/egiz/slbinding/CreateXMLSignatureResponse_with_Attacke.xml");
+
+ assertNotNull(s);
+
+ SLUnmarshaller unmarshaller = new SLUnmarshaller();
+ Object object;
+ try {
+ object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s))));
+
+ assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>);
+ Object value = ((JAXBElement<?>) object).getValue();
+ assertFalse(value.getClass().getName(), value instanceof CreateXMLSignatureResponseType);
+
+ /* If the parser has no exception and no CreateXMLSignatureResponseType than the test fails, because
+ * the tested XML document contains a CreateXMLSignatureResponseType and an XXE, SSRF attack vector.
+ * Consequently, the parser result has to be an error
+ */
+ assertFalse(true);
+
+ } catch (XMLStreamException e) {
+ assertTrue(e.getClass().getName(), e instanceof XMLStreamException);
+
+ }
+ }
+
}