diff options
Diffstat (limited to 'utils/src/test/java/at')
-rw-r--r-- | utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java index 99c11cbe..5f97be0f 100644 --- a/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java +++ b/utils/src/test/java/at/gv/egiz/slbinding/UnmarshallCXSRTest.java @@ -25,6 +25,7 @@ package at.gv.egiz.slbinding; +import java.io.BufferedInputStream; import java.io.InputStream; import java.io.InputStreamReader; @@ -49,7 +50,7 @@ public class UnmarshallCXSRTest { assertNotNull(s); SLUnmarshaller unmarshaller = new SLUnmarshaller(); - Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(s))); + Object object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s)))); assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>); @@ -59,4 +60,33 @@ public class UnmarshallCXSRTest { } + @Test + public void testUnmarshalCreateXMLSignatureResponseWithDocTypeXXEOrSSRF() throws JAXBException { + + ClassLoader cl = UnmarshallCXSRTest.class.getClassLoader(); + InputStream s = cl.getResourceAsStream("at/gv/egiz/slbinding/CreateXMLSignatureResponse_with_Attacke.xml"); + + assertNotNull(s); + + SLUnmarshaller unmarshaller = new SLUnmarshaller(); + Object object; + try { + object = unmarshaller.unmarshal(new StreamSource(new InputStreamReader(new BufferedInputStream(s)))); + + assertTrue(object.getClass().getName(), object instanceof JAXBElement<?>); + Object value = ((JAXBElement<?>) object).getValue(); + assertFalse(value.getClass().getName(), value instanceof CreateXMLSignatureResponseType); + + /* If the parser has no exception and no CreateXMLSignatureResponseType than the test fails, because + * the tested XML document contains a CreateXMLSignatureResponseType and an XXE, SSRF attack vector. + * Consequently, the parser result has to be an error + */ + assertFalse(true); + + } catch (XMLStreamException e) { + assertTrue(e.getClass().getName(), e instanceof XMLStreamException); + + } + } + } |