authorFlorian Rüchel <fruechel@atlassian.com>2016-10-31 11:56:48 +1100
committerFlorian Rüchel <fruechel@atlassian.com>2016-10-31 11:56:48 +1100
commit6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (patch)
treebae193001aec28d7b6cc32cbe3c1d9bdd0777833 /tests/test_03_saml2.py
parent78261b9ae13c3855b33009cb1c5abc2c45839828 (diff)
downloadpysaml2-6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.tar.gz
Fix XXE in XML parsing (related to #366)
This fixes the XXE issues everywhere pysaml2 parses XML directly, as part of issue #366. It doesn't address the xmlsec issues discussed on that ticket, as they are out of reach of a direct fix and need the underlying library to fix them.
Diffstat (limited to 'tests/test_03_saml2.py')
-rw-r--r--tests/test_03_saml2.py27
1 files changed, 27 insertions, 0 deletions
diff --git a/tests/test_03_saml2.py b/tests/test_03_saml2.py
index 136161ab..a71eb3cd 100644
--- a/tests/test_03_saml2.py
+++ b/tests/test_03_saml2.py
@@ -17,6 +17,7 @@ except ImportError:
import cElementTree as ElementTree
except ImportError:
from elementtree import ElementTree
+from defusedxml.common import EntitiesForbidden
ITEMS = {
NameID: ["""<?xml version="1.0" encoding="utf-8"?>
@@ -166,6 +167,19 @@ def test_create_class_from_xml_string_wrong_class_spec():
assert kl == None
+def test_create_class_from_xml_string_xxe():
+ xml = """<?xml version="1.0"?>
+ <!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ ]>
+ <lolz>&lol1;</lolz>
+ """
+ with raises(EntitiesForbidden) as err:
+ create_class_from_xml_string(NameID, xml)
+
+
def test_ee_1():
ee = saml2.extension_element_from_string(
"""<?xml version='1.0' encoding='UTF-8'?><foo>bar</foo>""")
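Review bot: `as err` on the `with raises(EntitiesForbidden) as err:` line binds an ExceptionInfo that the test never inspects; drop it and write `with raises(EntitiesForbidden):`, as test_ee_xxe in the next hunk already does. The payload declares only internal entities (a nested-expansion document), so what this test actually pins down is that the hardened parser refuses entity declarations in a DTD, not that an external-entity fetch is blocked; a one-line docstring such as `"""The parser must reject a DTD that declares entities (defusedxml raises EntitiesForbidden)."""` would make that explicit, and a separate case with an external entity declaration would be needed to back the XXE claim in the commit title. The same XML literal is repeated verbatim in test_ee_xxe; hoisting it into a single module-level constant would keep the two tests in step.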
@@ -454,6 +468,19 @@ def test_ee_7():
assert nid.text.strip() == "http://federationX.org"
+def test_ee_xxe():
+ xml = """<?xml version="1.0"?>
+ <!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ ]>
+ <lolz>&lol1;</lolz>
+ """
+ with raises(EntitiesForbidden):
+ saml2.extension_element_from_string(xml)
+
+
def test_extension_element_loadd():
ava = {'attributes': {},
'tag': 'ExternalEntityAttributeAuthority',