| package flex.messaging.securityadvisories; |
| |
| import com.sun.org.apache.xml.internal.serialize.OutputFormat; |
| import com.sun.org.apache.xml.internal.serialize.XMLSerializer; |
| import flex.messaging.util.XMLUtil; |
| import junit.framework.Assert; |
| import junit.framework.TestCase; |
| import org.w3c.dom.Document; |
| |
| import java.io.StringWriter; |
| |
| /** |
| * Created by christoferdutz on 23.07.15. |
| */ |
| |
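public class BlazeDsXmlProcessingXXEVulnerability extends TestCase {

    /**
     * Regression test for XML External Entity (XXE) handling in
     * {@link XMLUtil#stringToDocument(String)}.
     *
     * The input declares an external entity that points at a local file and
     * references it from the element content. A parser that resolves external
     * entities would replace the reference with that file's contents; the
     * expected (safe) behaviour is that the reference is left unexpanded, so
     * the literal {@code &xxe;} survives a round trip through the serializer.
     *
     * @throws Exception if parsing or serializing fails; JUnit reports that as
     *         a test error, not as a passing result
     */
    public void testVulnerability() throws Exception {
        // Single-threaded fixture: StringBuilder avoids StringBuffer's needless locking.
        StringBuilder xml = new StringBuilder(512);
        xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n");
        xml.append("<!DOCTYPE foo [\r\n");
        xml.append("<!ELEMENT foo ANY >\r\n");
        // External entity declaration; a vulnerable parser would inline the referenced file.
        xml.append("<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\r\n");
        xml.append("<foo>&xxe;</foo>");

        // Code under test: must parse without resolving the external entity.
        Document data = XMLUtil.stringToDocument(xml.toString());

        // NOTE(review): OutputFormat/XMLSerializer are JDK-internal (com.sun.*) classes that
        // are not exported under the module system on newer JDKs; javax.xml.transform is the
        // standard replacement. Kept as-is so the assertion below is unchanged.
        OutputFormat format = new OutputFormat(data);
        StringWriter stringOut = new StringWriter();
        XMLSerializer serial = new XMLSerializer(stringOut, format);
        serial.serialize(data);

        // The failure message deliberately omits the serialized output: if the entity had
        // been expanded, echoing it would copy the referenced file into the test log.
        String serialized = stringOut.toString();
        Assert.assertTrue(
                "serialized output does not contain the unexpanded entity reference &xxe;",
                serialized.contains("&xxe;"));
    }

}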