PageRenderTime 80ms CodeModel.GetById 33ms RepoModel.GetById 1ms app.codeStats 0ms

/src/test/java/JaxpParserBehaviourTest.java

https://bitbucket.org/jwalton/xml-parser-sanity-check
Java | 150 lines | 89 code | 24 blank | 37 comment | 0 complexity | 11e26702655e9074536329a142c4602b MD5 | raw file
    

  1. import com.atlassian.security.xml.UntrustedXmlParserFactory;
    2. 

  2. import org.junit.Test;
    3. 

  3. import org.w3c.dom.Document;
    4. 

  4. import org.w3c.dom.Node;
    5. 

  5. import org.xml.sax.InputSource;
    6. 

  6. import org.xml.sax.SAXParseException;
    7. 

  7. 

  8. import javax.xml.parsers.DocumentBuilder;
    9. 

  9. import javax.xml.parsers.DocumentBuilderFactory;
    10. 

  10. import javax.xml.parsers.ParserConfigurationException;
    11. 

  11. import java.io.IOException;
    12. 

  12. import java.io.StringReader;
    13. 

  13. 

  14. import static org.junit.Assert.assertEquals;
    15. 

  15. import static org.junit.Assert.assertFalse;
    16. 

  16. 

  17. 

  18. public class JaxpParserBehaviourTest
    19. 

  19. {
    20. 

  20. //    static DocumentBuilder createDocumentBuilder() throws ParserConfigurationException
    21. 

  21. //    {
    22. 

  22. ////        System.setProperty("entityExpansionLimit", "0");
    23. 

  23. //
    24. 

  24. //        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    25. 

  25. //
    26. 

  26. ////        dbf.setExpandEntityReferences(false);
    27. 

  27. //
    28. 

  28. //        // This will turn any attempt to use a DTD into failure
    29. 

  29. ////        dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl", true);
    30. 

  30. //
    31. 

  31. //        // Only necessary for bundled non-JDK Xerces
    32. 

  32. //        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    33. 

  33. //
    34. 

  34. //        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    35. 

  35. //        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    36. 

  36. //
    37. 

  37. //        dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    38. 

  38. //
    39. 

  39. //        DocumentBuilder db = dbf.newDocumentBuilder();
    40. 

  40. ////        db.setEntityResolver(new EntityResolver()
    41. 

  41. ////        {
    42. 

  42. ////            @Override
    43. 

  43. ////            public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException
    44. 

  44. ////            {
    45. 

  45. ////                throw new IOException();
    46. 

  46. ////            }
    47. 

  47. ////        });
    48. 

  48. //        return db;
    49. 

  49. //    }
    50. 

  50. 

  51.     static DocumentBuilder createDocumentBuilder() throws ParserConfigurationException
    52. 

  52.     {
    53. 

  53.         return UntrustedXmlParserFactory.newDocumentBuilder();
    54. 

  54.     }
    55. 

  55. 

  56.     @Test(expected = IllegalArgumentException.class)
    57. 

  57.     public void askingForUnknownAttributesFails()
    58. 

  58.     {
    59. 

  59.         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    60. 

  60.         dbf.setAttribute("no-attribute-with-this-identifier", false);
    61. 

  61.     }
    62. 

  62. 

  63.     @Test
    64. 

  64.     public void parseDocumentExpandsAmpersand() throws Exception
    65. 

  65.     {
    66. 

  66.         Document d = createDocumentBuilder().parse(new InputSource(new StringReader(SampleXmlDocuments.AMPERSAND_DOCUMENT)));
    67. 

  67.         Node n = d.getDocumentElement().getChildNodes().item(0);
    68. 

  68.         assertEquals("&", n.getTextContent());
    69. 

  69.     }
    70. 

  70. 

  71.     @Test(expected = SAXParseException.class, timeout = 1000)
    72. 

  72.     public void parseBillionLaughsDoesNotExhaustMemory() throws Exception
    73. 

  73.     {
    74. 

  74.         createDocumentBuilder().parse(new InputSource(new StringReader(SampleXmlDocuments.BILLION_LAUGHS)));
    75. 

  75.     }
    76. 

  76. 

  77.     @Test
    78. 

  78.     public void externalEntityIsNotIncludedInDom() throws Exception
    79. 

  79.     {
    80. 

  80.         Document d = createDocumentBuilder().parse(new InputSource(new StringReader(SampleXmlDocuments.externalResourceEntity())));
    81. 

  81.         assertEquals(0, d.getDocumentElement().getChildNodes().getLength());
    82. 

  82. 

  83.         // If we didn't expandEntityReferences...
    84. 

  84. //        Node n = d.getDocumentElement().getChildNodes().item(0);
    85. 

  85. //
    86. 

  86. //        assertFalse(n instanceof Text);
    87. 

  87. //        assertTrue(n instanceof EntityReference);
    88. 

  88.     }
    89. 

  89. 

  90.     @Test
    91. 

  91.     public void externalEntityIsNotRead() throws Exception
    92. 

  92.     {
    93. 

  93.         HttpAttemptDetector detector = new HttpAttemptDetector();
    94. 

  94. 

  95.         new Thread(detector).start();
    96. 

  96. 

  97.         createDocumentBuilder().parse(new InputSource(
    98. 

  98.                 new StringReader(SampleXmlDocuments.externalResourceEntity(detector.getUrl()))));
    99. 

  99. 

  100.         assertFalse(detector.wasAttempted());
    101. 

  101.     }
    102. 

  102. 

  103.     @Test
    104. 

  104.     public void externalParameterEntityIsNotRead() throws Exception
    105. 

  105.     {
    106. 

  106.         HttpAttemptDetector detector = new HttpAttemptDetector();
    107. 

  107. 

  108.         new Thread(detector).start();
    109. 

  109. 

  110.         try
    111. 

  111.         {
    112. 

  112.             createDocumentBuilder().parse(new InputSource(
    113. 

  113.                     new StringReader(SampleXmlDocuments.externalParameterEntity(detector.getUrl()))));
    114. 

  114.         }
    115. 

  115.         catch (SAXParseException spe)
    116. 

  116.         {
    117. 

  117.             // Don't care
    118. 

  118.         }
    119. 

  119.         catch (IOException e)
    120. 

  120.         {
    121. 

  121.             // Don't care
    122. 

  122.         }
    123. 

  123. 

  124.         assertFalse(detector.wasAttempted());
    125. 

  125.     }
    126. 

  126. 

  127.     @Test
    128. 

  128.     public void dtdUriPointsToFile() throws Exception
    129. 

  129.     {
    130. 

  130.         Document d = createDocumentBuilder().parse(new InputSource(new StringReader(SampleXmlDocuments.EXTERNAL_DTD)));
    131. 

  131.         assertEquals("root", d.getDocumentElement().getTagName());
    132. 

  132.         assertEquals(0, d.getDocumentElement().getChildNodes().getLength());
    133. 

  133.     }
    134. 

  134. 

  135.     @Test
    136. 

  136.     public void dtdUriPointsToUrl() throws Exception
    137. 

  137.     {
    138. 

  138.         HttpAttemptDetector detector = new HttpAttemptDetector();
    139. 

  139. 

  140.         new Thread(detector).start();
    141. 

  141. 

  142.         String s = SampleXmlDocuments.externalUrlDtd(detector.getUrl());
    143. 

  143. 

  144.         Document d = createDocumentBuilder().parse(new InputSource(new StringReader(s)));
    145. 

  145.         assertEquals("root", d.getDocumentElement().getTagName());
    146. 

  146.         assertEquals(0, d.getDocumentElement().getChildNodes().getLength());
    147. 

  147. 

  148.         assertFalse("I don't want to see HTTP connection attempts", detector.wasAttempted());
    149. 

  149.     }
    150. 

  150. }
    151. 

  151.