ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-text.git
The following commit(s) were added to refs/heads/master by this push:
new 081a9336 Add XmlStringLookupTest.testInterpolatorSecureOnBla()
081a9336 is described below
commit 081a9336f02d88176f833e10c9334fe9bd4116ea
Author: Gary Gregory <[email protected]>
AuthorDate: Wed Dec 3 07:07:54 2025 -0500
Add XmlStringLookupTest.testInterpolatorSecureOnBla()
---
.../apache/commons/text/lookup/XmlStringLookupTest.java | 8 ++++++++
src/test/resources/org/apache/commons/text/bla.xml | 15 +++++++++++++++
2 files changed, 23 insertions(+)
diff --git
a/src/test/java/org/apache/commons/text/lookup/XmlStringLookupTest.java
b/src/test/java/org/apache/commons/text/lookup/XmlStringLookupTest.java
index d24c4090..a37cafbe 100644
--- a/src/test/java/org/apache/commons/text/lookup/XmlStringLookupTest.java
+++ b/src/test/java/org/apache/commons/text/lookup/XmlStringLookupTest.java
@@ -99,6 +99,14 @@ class XmlStringLookupTest {
() -> stringSubstitutor.replace("${xml:secure=true:" + DOC_DIR
+ "document-entity-ref.xml:/document/content}"));
}
+ @Test
+ void testInterpolatorSecureOnBla() {
+ final StringSubstitutor stringSubstitutor =
StringSubstitutor.createInterpolator();
+ assertThrows(IllegalArgumentException.class, () ->
stringSubstitutor.replace("${xml:" + DOC_DIR + "bla.xml:/document/content}"));
+ assertThrows(IllegalArgumentException.class, () ->
stringSubstitutor.replace("${xml:secure=true:" + DOC_DIR +
"bla.xml:/document/content}"));
+ // Using secure=false allows the BLA to occur.
+ }
+
@Test
void testMissingXPath() {
assertThrows(IllegalArgumentException.class, () ->
XmlStringLookup.INSTANCE.apply(DOC_RELATIVE + ":!JUNK!"));
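Review bot: Both `assertThrows` calls in `testInterpolatorSecureOnBla` pin only the exception type, and `testMissingXPath` just below expects the same `IllegalArgumentException` for a malformed key, so the new test cannot tell a parser that refused the entity expansion from one that failed for an unrelated reason. If a missing or unreadable `bla.xml` also surfaces as `IllegalArgumentException` (likely, but not visible in this hunk), the test would keep passing with the fixture gone. The XPath `/document/content` also does not match the fixture's `lolz` root, so nothing here depends on the document being parsed to completion. Consider capturing the result, `final IllegalArgumentException e = assertThrows(...)`, and asserting on `e.getCause()` so that the parser's rejection is what gets pinned. The trailing comment would read better spelled out, for example `// BLA = billion laughs attack (nested entity expansion); secure=false is deliberately not exercised because the expansion would exhaust the test JVM.`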
diff --git a/src/test/resources/org/apache/commons/text/bla.xml
b/src/test/resources/org/apache/commons/text/bla.xml
new file mode 100644
index 00000000..75fb24ca
--- /dev/null
+++ b/src/test/resources/org/apache/commons/text/bla.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+ <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+ <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+ <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+ <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+ <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+ <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+ <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>
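Review bot: The new fixture carries no comment saying what it is, so a later reader or a resource scanner sees only an unexplained nested-entity document in the test tree. Add a comment directly after the XML declaration (it cannot precede it), such as `<!-- Test fixture: billion-laughs entity expansion. Parse only with secure processing enabled; see XmlStringLookupTest.testInterpolatorSecureOnBla. -->`. If the project's other test resources carry the ASF licence header, this file probably needs one too or the licence audit may flag it; the other resources are not visible here, so please confirm.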