This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
     new 4c396ac  Make sure DocTypes are disallowed
4c396ac is described below

commit 4c396acb42439e61cc63b0452dd22442d720b61b
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Wed Mar 7 17:26:25 2018 +0000

    Make sure DocTypes are disallowed
---
 .../org/apache/cxf/fediz/core/util/DOMUtils.java   |  5 +--
 .../org/apache/cxf/fediz/systests/idp/IdpTest.java | 41 ++++++++++++++++++++++
 systests/idp/src/test/resources/entity_wreq2.xml   |  1 +
 3 files changed, 45 insertions(+), 2 deletions(-)

diff --git 
a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java 
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
index effd00a..9c533fc 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/util/DOMUtils.java
@@ -62,14 +62,15 @@ import org.slf4j.LoggerFactory;
  */
 public final class DOMUtils {
     private static final Logger LOG = LoggerFactory.getLogger(DOMUtils.class);
-    
+
     private static final String XMLNAMESPACE = "xmlns";
 
     private static final DocumentBuilderFactory DBF = 
DocumentBuilderFactory.newInstance();
-    
+
     static {
         try {
             DBF.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            
DBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
 
             DBF.setValidating(false);
             DBF.setIgnoringComments(false);
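Review bot: The new `disallow-doctype-decl` call in the static block has no comment saying why it is there, and the catch that receives its `ParserConfigurationException` lies outside the hunk; if that catch only logs, a parser that rejects the feature would silently keep accepting DOCTYPEs, so failing fast there is safer, e.g. `throw new IllegalStateException("secure XML parser configuration unavailable", e);`. I would precede the new line with `// Reject DOCTYPE declarations outright so no internal or external entity can be declared (XXE / entity expansion)`. Cheap defence in depth next to the existing `DBF.setValidating(false)` would be `DBF.setXIncludeAware(false);` and `DBF.setExpandEntityReferences(false);`. The static initializer continues past the end of the hunk.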
diff --git 
a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java 
b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index d951817..796357a 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -439,6 +439,47 @@ public class IdpTest {
         webClient.close();
     }
 
+    // Send an entity expansion attack for the wreq value
+    @org.junit.Test
+    public void testEntityExpansionWReq2() throws Exception {
+        String url = "https://localhost:"; + getIdpHttpsPort() + 
"/fediz-idp/federation?";
+        url += "wa=wsignin1.0";
+        url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
+        url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
+        String wreply = "https://localhost:"; + getRpHttpsPort() + "/" + 
getServletContextName() + "/secure/fedservlet";
+        url += "&wreply=" + wreply;
+
+        InputStream is = 
this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream();
+        String entity = IOUtils.toString(is, "UTF-8");
+        is.close();
+        String validWreq =
+            "<RequestSecurityToken 
xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\";>"
+            + 
"<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>"
+            + "</RequestSecurityToken>";
+
+        url += "&wreq=" + URLEncoder.encode(entity + validWreq, "UTF-8");
+
+        String user = "alice";
+        String password = "ecila";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+
+        try {
+            webClient.getPage(url);
+            Assert.fail("Failure expected on a bad wreq value");
+        } catch (FailingHttpStatusCodeException ex) {
+            Assert.assertEquals(ex.getStatusCode(), 400);
+        }
+
+        webClient.close();
+    }
+
     // Send an malformed wreq value
     @org.junit.Test
     public void testMalformedWReq() throws Exception {
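Review bot: `Assert.assertEquals(ex.getStatusCode(), 400)` in the catch of `testEntityExpansionWReq2` has its arguments swapped; JUnit's signature is (expected, actual), so an unexpected status yields a misleading "expected:<500> but was:<400>" message — write `Assert.assertEquals(400, ex.getStatusCode());`. The resource stream is closed by a bare `is.close()` that is skipped if `IOUtils.toString` throws; the idiom is `try (InputStream is = this.getClass().getClassLoader().getResource("entity_wreq2.xml").openStream()) { entity = IOUtils.toString(is, "UTF-8"); }`. Likewise `webClient.close()` runs only when the assertions pass, so a `finally` around it would keep the client from leaking on a failing run. The 400 assertion shows only that the request was refused, not why; if the IdP emits a distinguishable error for a rejected DOCTYPE, asserting on that would pin the intent of the fix. The sibling `testMalformedWReq` begins on the hunk's last line and continues outside it.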
diff --git a/systests/idp/src/test/resources/entity_wreq2.xml 
b/systests/idp/src/test/resources/entity_wreq2.xml
new file mode 100644
index 0000000..5a8cec5
--- /dev/null
+++ b/systests/idp/src/test/resources/entity_wreq2.xml
@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE 
RequestSecurityTokenResponseCollection [<!ENTITY m SYSTEM "/etc/hosts">]>
\ No newline at end of file
