From bbe653345bbb5dad2ed2356df6f817dd7de26528 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 23 Jun 2017 11:58:29 +0200 Subject: fix another possible XXE, SSRF problem. INFO: DocTypes are disabled by default for all XML content that should be signed with mocca!!! Consequently, XML and XAdES signatures for XML documents that contains a DocType declaration is not possible any more. If DocType declarations are absolutely necessary than this feature can be skipped by set the Java System-Property "-Degiz.mocca.xades.xml.allow.doctype=true" --- .../bku/slcommands/impl/xsect/SignatureTest.java | 52 +++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) (limited to 'bkucommon/src/test/java/at/gv/egiz') diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/xsect/SignatureTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/xsect/SignatureTest.java index 23fdfc17..6e5612f6 100644 --- a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/xsect/SignatureTest.java +++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/xsect/SignatureTest.java @@ -316,6 +316,44 @@ public class SignatureTest { } + @Test + public void testSetSignature_Base64_WITH_DISALLOWED_DOCTYPE_And_SystemParameter() throws JAXBException, SLCommandException, XMLStreamException { + + SignatureInfoCreationType signatureInfo = unmarshalSignatureInfo("SignatureInfo_Base64_2.xml"); + + Signature signature = new Signature(urlDereferencer, new IdValueFactoryImpl(), null, false); + + //allow DocTypes to perform this test + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.FALSE)); + try { + signature.setSignatureInfo(signatureInfo); + assertTrue("Check_ALLOW_DOCTYPES_System_Property", false); + + } catch (SLCommandException e) { + assertTrue("Check_ALLOW_DOCTYPES_System_Property", true); + + } + } + + @Test + public void testSetSignature_Base64_WITH_DISALLOWED_DOCTYPE_WithOut_SystemParameter() throws JAXBException, SLCommandException, XMLStreamException { + + SignatureInfoCreationType signatureInfo = unmarshalSignatureInfo("SignatureInfo_Base64_2.xml"); + + Signature signature = new Signature(urlDereferencer, new IdValueFactoryImpl(), null, false); + + //allow DocTypes to perform this test + System.clearProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES); + try { + signature.setSignatureInfo(signatureInfo); + assertTrue("Check_ALLOW_DOCTYPES_WithOut_System_Property", false); + + } catch (SLCommandException e) { + assertTrue("Check_ALLOW_DOCTYPES_WithOut_System_Property", true); + + } + } + @Test public void testSetSignature_Base64_2() throws JAXBException, SLCommandException, XMLStreamException { @@ -323,7 +361,10 @@ public class SignatureTest { Signature signature = new Signature(urlDereferencer, new IdValueFactoryImpl(), null, false); + //allow DocTypes to perform this test + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.TRUE)); signature.setSignatureInfo(signatureInfo); + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.FALSE)); Node parent = signature.getParent(); Node nextSibling = signature.getNextSibling(); @@ -343,7 +384,10 @@ public class SignatureTest { Signature signature = new Signature(urlDereferencer, new IdValueFactoryImpl(), null, true); + //allow DocTypes to perform this test + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.TRUE)); signature.setSignatureInfo(signatureInfo); + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.FALSE)); Node parent = signature.getParent(); Node nextSibling = signature.getNextSibling(); @@ -363,7 +407,10 @@ public class SignatureTest { Signature signature = new Signature(urlDereferencer, new IdValueFactoryImpl(), null, false); + //allow DocTypes to perform this test + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.TRUE)); signature.setSignatureInfo(signatureInfo); + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.FALSE)); Node parent = signature.getParent(); Node nextSibling = signature.getNextSibling(); @@ -383,7 +430,10 @@ public class SignatureTest { Signature signature = new Signature(urlDereferencer, new IdValueFactoryImpl(), null, true); - signature.setSignatureInfo(signatureInfo); + //allow DocTypes to perform this test + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.TRUE)); + signature.setSignatureInfo(signatureInfo); + System.setProperty(Signature.SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.FALSE)); Node parent = signature.getParent(); Node nextSibling = signature.getNextSibling(); -- cgit v1.2.3