seanjmullan commented on a change in pull request #58:
URL: 
https://github.com/apache/santuario-xml-security-java/pull/58#discussion_r703504433



##########
File path: 
src/test/java/org/apache/xml/security/test/dom/utils/resolver/ResourceResolverTest.java
##########
@@ -96,4 +98,65 @@ public void testLocalFileWithEmptyBaseURI() throws Exception 
{
         }
     }
 
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveFile() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        String file = new File(basedir, "pom.xml").toURI().toString();
+        uriAttr.setValue(file);
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveFileBaseURI() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        String file = new File(basedir, "pom.xml").toURI().toString();
+        uriAttr.setValue("xyz");
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, file, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveHTTP() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
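Review bot: Every visible `testIsSafeURIToResolve*` case ends in `assertFalse(resolverContext.isURISafeToResolve())`, so a regression that makes the method reject every URI would still pass; a positive case asserting `assertTrue` for a reference the resolver is meant to accept is needed unless one appears further down, since the hunk continues past the quoted lines and `testIsSafeURIToResolveLocalReference` (visible in the later quote of this hunk) may be it. All cases also pass `false` for the `secureValidation` argument, so one case with `true` would pin that the safety check is enforced independently of that flag. As a point of style, `@org.junit.jupiter.api.Test` is spelled fully qualified on each method; an `import org.junit.jupiter.api.Test;` with plain `@Test` would match the usual JUnit 5 layout unless the file avoids the import deliberately. The same hunk is quoted twice more below and this note applies to those quotes as well.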

Review comment:
       unused variable

##########
File path: src/main/java/org/apache/xml/security/encryption/XMLCipherInput.java
##########
@@ -115,7 +115,14 @@ public void setSecureValidation(boolean secureValidation) {
             try {
                 ResourceResolverContext resolverContext =
                     new ResourceResolverContext(uriAttr, null, 
secureValidation);
-                input = ResourceResolver.resolve(resolverContext);
+                if (resolverContext.isURISafeToResolve()) {
+                    input = ResourceResolver.resolve(resolverContext);
+                } else {
+                    String uriToResolve = uriAttr != null ? uriAttr.getValue() 
: null;
+                    Object[] exArgs = {uriToResolve != null ? uriToResolve : 
"null", null};

Review comment:
       I don't think you need to set the first argument to `"null"` if 
`uriToResolve` is `null`. I think the exception message should be able to 
handle `null` arguments, i.e. `MessageFormat.format` should print `"null"` for 
`null` arguments.

##########
File path: 
src/test/java/org/apache/xml/security/test/dom/utils/resolver/ResourceResolverTest.java
##########
@@ -96,4 +98,65 @@ public void testLocalFileWithEmptyBaseURI() throws Exception 
{
         }
     }
 
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveFile() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        String file = new File(basedir, "pom.xml").toURI().toString();
+        uriAttr.setValue(file);
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveFileBaseURI() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        String file = new File(basedir, "pom.xml").toURI().toString();
+        uriAttr.setValue("xyz");
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, file, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveHTTP() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        uriAttr.setValue("http://www.apache.org";);
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveHTTPBaseURI() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");

Review comment:
       unused variable

##########
File path: 
src/test/java/org/apache/xml/security/test/dom/utils/resolver/ResourceResolverTest.java
##########
@@ -96,4 +98,65 @@ public void testLocalFileWithEmptyBaseURI() throws Exception 
{
         }
     }
 
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveFile() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        String file = new File(basedir, "pom.xml").toURI().toString();
+        uriAttr.setValue(file);
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveFileBaseURI() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        String file = new File(basedir, "pom.xml").toURI().toString();
+        uriAttr.setValue("xyz");
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, file, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveHTTP() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        uriAttr.setValue("http://www.apache.org";);
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, null, false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveHTTPBaseURI() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");
+        uriAttr.setValue("xyz");
+
+        ResourceResolverContext resolverContext =
+                new ResourceResolverContext(uriAttr, "http://www.apache.org";, 
false);
+        assertFalse(resolverContext.isURISafeToResolve());
+    }
+
+    @org.junit.jupiter.api.Test
+    public void testIsSafeURIToResolveLocalReference() throws Exception {
+        Document doc = TestUtils.newDocument();
+        Attr uriAttr = doc.createAttribute("URI");
+        String basedir = System.getProperty("basedir");

Review comment:
       unused variable



