This is an automated email from the ASF dual-hosted git repository. pmouawad pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jmeter.git
commit bccc3e05760930ab210da78feccb68f8830da6c9
Author: pmouawad <[email protected]>
AuthorDate: Tue Oct 1 11:23:29 2019 +0200

Add test for unsecure XML loading
---
 .../java/org/apache/jmeter/assertions/XMLAssertion.java | 4 +---
 .../org/apache/jmeter/assertions/XmlAssertionTest.java | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java b/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java
index 4eb9554..b5dbbc1 100644
--- a/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java
+++ b/src/components/src/main/java/org/apache/jmeter/assertions/XMLAssertion.java
@@ -22,8 +22,6 @@ import java.io.IOException;
 import java.io.Serializable;
 import java.io.StringReader;
 
-import javax.xml.XMLConstants;
-
 import org.apache.jmeter.samplers.SampleResult;
 import org.apache.jmeter.testelement.AbstractTestElement;
 import org.apache.jmeter.testelement.ThreadListener;
@@ -49,7 +47,7 @@ public class XMLAssertion extends AbstractTestElement implements Serializable, A
 protected XMLReader initialValue() {
 try {
 XMLReader reader = XMLReaderFactory.createXMLReader();
- reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 return reader;
 } catch (SAXException e) {
 log.error("Error initializing XMLReader in XMLAssertion", e);
diff --git a/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java b/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java
index cd142bd..951a877 100644
--- a/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java
+++ b/src/components/src/test/java/org/apache/jmeter/assertions/XmlAssertionTest.java
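Review bot: The new `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` call is now the only XXE control in `initialValue()`, and because the feature URI is Xerces-specific, a SAX implementation that does not recognise it will throw `SAXNotRecognizedException` (a `SAXException`) and land in the catch, which only logs within this hunk. The catch body continues outside the hunk, so please confirm it fails closed (no reader handed out, the assertion reports an error) rather than returning an unhardened parser; the JDK's built-in parser is a Xerces derivative and accepts the feature, but another parser on the classpath may not. Rejecting every DOCTYPE is a sound default for an assertion over untrusted server responses, since it removes external entities and entity-expansion attacks without relying on entity-resolver settings, but it is also a behaviour change: responses carrying a legitimate DTD (e.g. XHTML) now fail the assertion. I would record that above the call, e.g. `// Reject any DOCTYPE: blocks XXE and entity-expansion attacks in untrusted response data; responses that declare a DTD will fail this assertion.`, and hoist the URI into a named constant shared with the test.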
@@ -35,6 +35,10 @@ public class XmlAssertionTest extends JMeterTestCase {
 private final String invalidXml = "<note><to>Tove</to><from>Jani</from><heading>Reminder</heading><body>Don't forget me this weekend!</body></note1>";
 private final String validXml = "<note><to>Tove</to><from>Jani</from><heading>Reminder</heading><body>Don't forget me this weekend!</body></note>";
 private final String noXml = "response Data";
+ private final String unsecureXML = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n" +
+ "<!DOCTYPE foo [\n" +
+ " <!ENTITY xxe SYSTEM \"file:///etc/passwd\" > ]>\n" +
+ "<foo>&xxe;</foo>";
 
 @Before
 public void setUp() {
@@ -47,6 +51,16 @@ public class XmlAssertionTest extends JMeterTestCase {
 }
 
 @Test
+ public void testUnsecureX() throws Exception {
+ sampleResult.setResponseData(unsecureXML, null);
+ result = assertion.getResult(sampleResult);
+ Assert.assertTrue(result.isFailure());
+ Assert.assertTrue(result.isError());
+ Assert.assertEquals("DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true.",
+ result.getFailureMessage());
+ }
+
+ @Test
 public void testValidXML() throws Exception {
 sampleResult.setResponseData(validXml, null);
 result = assertion.getResult(sampleResult);
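Review bot: The new `unsecureXML` fixture exercises only one XXE shape, an internal-subset general entity with a `file:` SYSTEM identifier, so it will not catch a future change that relaxes `disallow-doctype-decl` but still leaves external DTDs or parameter entities reachable. A second fixture along the lines of `"<!DOCTYPE foo SYSTEM \"http://127.0.0.1/evil.dtd\"><foo/>"` and one using `<!ENTITY % xxe SYSTEM ...> %xxe;` would pin the rejection for those forms too. As a point of style, the field name breaks with its siblings `invalidXml`, `validXml` and `noXml`; `unsecureXml` (or `xxeXml`, which says what the payload is) would match.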
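Review bot: `testUnsecureX()` asserts the exact Xerces wording `"DOCTYPE is disallowed when the feature ... set to true."` via `Assert.assertEquals`, which couples the security test to one parser implementation's message text and will break on a parser upgrade or a different SAX provider even though the document is still correctly rejected. The property worth pinning is that the response was rejected before any entity was resolved, so I would keep `isFailure()`/`isError()` and replace the equality with `Assert.assertTrue(result.getFailureMessage().contains("DOCTYPE"));` or a check that the message names the `disallow-doctype-decl` feature. The method name also looks truncated; `testUnsecureXml` or `testXmlWithDoctypeIsRejected` would describe the case.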
