This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 1.4.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
new 4c396ac Make sure DocTypes are disallowed
4c396ac is described below
commit 4c396acb42439e61cc63b0452dd22442d720b61b
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Wed Mar 7 17:26:25 2018 +0000
Make sure DocTypes are disallowed
---
.../org/apache/cxf/fediz/core/util/DOMUtils.java | 5 +--
.../org/apache/cxf/fediz/systests/idp/IdpTest.java | 41 ++++++++++++++++++++++
systests/idp/src/test/resources/entity_wreq2.xml | 1 +
3 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
index effd00a..9c533fc 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
@@ -62,14 +62,15 @@ import org.slf4j.LoggerFactory;
 */
 public final class DOMUtils {
 private static final Logger LOG = LoggerFactory.getLogger(DOMUtils.class);
-
+
 private static final String XMLNAMESPACE = "xmlns";
 private static final DocumentBuilderFactory DBF = DocumentBuilderFactory.newInstance();
-
+
 static {
 try {
 DBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DBF.setValidating(false);
 DBF.setIgnoringComments(false);
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index d951817..796357a 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
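Review bot: The new `disallow-doctype-decl` feature is set inside a `try` whose `catch` lies outside the hunk; if that catch only logs — which is what a `ParserConfigurationException` from a parser that does not recognise this Xerces-specific feature would trigger — the shared `DBF` silently keeps accepting DOCTYPEs and the hardening fails open. Consider making the static initializer fail closed (rethrow as `ExceptionInInitializerError`) or asserting the feature took effect before the factory is used. As defense in depth for parsers that ignore the Xerces feature, the standard SAX features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` can be set to `false`, together with `DBF.setExpandEntityReferences(false);` and `DBF.setXIncludeAware(false);`, so that an entity declaration that does get past the DOCTYPE check still cannot resolve. A one-line comment such as `// Reject any DOCTYPE: blocks XXE and entity-expansion payloads before SECURE_PROCESSING limits apply` would document why both feature calls are needed. The rest of the static initializer, including its catch block, continues outside the hunk.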
@@ -439,6 +439,47 @@ public class IdpTest {
 webClient.close();
 }
+ // Send an entity expansion attack for the wreq value
+ @org.junit.Test
+ public void testEntityExpansionWReq2() throws Exception {
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
+ url += "wa=wsignin1.0";
+ url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+ url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+ String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
+ url += "&wreply=" + wreply;
+
+ InputStream is = this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream();
+ String entity = IOUtils.toString(is, "UTF-8");
+ is.close();
+ String validWreq =
+ "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+ + "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
+ + "</RequestSecurityToken>";
+
+ url += "&wreq=" + URLEncoder.encode(entity + validWreq, "UTF-8");
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on a bad wreq value");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+ }
+
 // Send an malformed wreq value
 @org.junit.Test
 public void testMalformedWReq() throws Exception {
diff --git a/systests/idp/src/test/resources/entity_wreq2.xml b/systests/idp/src/test/resources/entity_wreq2.xml
new file mode 100644
index 0000000..5a8cec5
--- /dev/null
+++ b/systests/idp/src/test/resources/entity_wreq2.xml
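Review bot: The `InputStream is = ...getResource("entity_wreq2.xml").openStream()` line in the new `testEntityExpansionWReq2` relies on a plain `is.close()` afterwards, so an `IOException` from `IOUtils.toString` leaks the stream, and a missing resource surfaces as a `NullPointerException` on `getResource` rather than a readable failure; `String entity; try (InputStream is = this.getClass().getClassLoader().getResourceAsStream("entity_wreq2.xml")) { entity = IOUtils.toString(is, "UTF-8"); }` handles the first. `Assert.assertEquals(ex.getStatusCode(), 400)` has its arguments reversed — JUnit takes the expected value first, so any mismatch message reads backwards; `Assert.assertEquals(400, ex.getStatusCode());`. The `webClient.close()` after the try/catch is also skipped when `Assert.fail` throws, since `AssertionError` is not caught by the `FailingHttpStatusCodeException` handler; wrapping the client in try-with-resources (`try (final WebClient webClient = new WebClient()) { ... }`) would close it on both paths. The test also only proves the IdP rejects the request with 400; a comment noting that the DOCTYPE is rejected by `DOMUtils` before any entity is resolved would make the expected defence explicit.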
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>
\ No newline at end of file
--
To stop receiving notification emails like this one, please contact cohei...@apache.org.