author | Florian Rüchel <fruechel@atlassian.com> | 2016-10-31 11:56:48 +1100 |
---|---|---|
committer | Florian Rüchel <fruechel@atlassian.com> | 2016-10-31 11:56:48 +1100 |
commit | 6e09a25d9b4b7aa7a506853210a9a14100b8bc9b (patch) | |
tree | bae193001aec28d7b6cc32cbe3c1d9bdd0777833 /tests/test_03_saml2.py | |
parent | 78261b9ae13c3855b33009cb1c5abc2c45839828 (diff) | |
download | pysaml2-6e09a25d9b4b7aa7a506853210a9a14100b8bc9b.tar.gz |
Fix XXE in XML parsing (related to #366)
This fixes XXE issues everywhere pysaml2 parses XML directly, as part of
issue #366. It doesn't address the xmlsec issues discussed on that ticket, as
they are out of reach of a direct fix and need the underlying library to
address them.
Diffstat (limited to 'tests/test_03_saml2.py')
-rw-r--r-- | tests/test_03_saml2.py | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/tests/test_03_saml2.py b/tests/test_03_saml2.py
index 136161ab..a71eb3cd 100644
--- a/tests/test_03_saml2.py
+++ b/tests/test_03_saml2.py
@@ -17,6 +17,7 @@ except ImportError:
 import cElementTree as ElementTree
 except ImportError:
 from elementtree import ElementTree
+from defusedxml.common import EntitiesForbidden
 ITEMS = {
 NameID: ["""<?xml version="1.0" encoding="utf-8"?>
@@ -166,6 +167,19 @@ def test_create_class_from_xml_string_wrong_class_spec():
 assert kl == None
+def test_create_class_from_xml_string_xxe():
+ xml = """<?xml version="1.0"?>
+ <!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ ]>
+ <lolz>&lol1;</lolz>
+ """
+ with raises(EntitiesForbidden) as err:
+ create_class_from_xml_string(NameID, xml)
+
+
 def test_ee_1():
 ee = saml2.extension_element_from_string(
 """<?xml version='1.0' encoding='UTF-8'?><foo>bar</foo>""")
@@ -454,6 +468,19 @@ def test_ee_7():
 assert nid.text.strip() == "http://federationX.org"
+def test_ee_xxe():
+ xml = """<?xml version="1.0"?>
+ <!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ ]>
+ <lolz>&lol1;</lolz>
+ """
+ with raises(EntitiesForbidden):
+ saml2.extension_element_from_string(xml)
+
+
 def test_extension_element_loadd():
 ava = {'attributes': {}, 'tag': 'ExternalEntityAttributeAuthority', |
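Review bot: In `test_create_class_from_xml_string_xxe` the `err` bound by `with raises(EntitiesForbidden) as err:` is never inspected, so the line promises an assertion on the exception that the test does not make; either drop the `as err` (as `test_ee_xxe` in the third hunk already does) or add a check on `err.value`. The fixture declares only internal entities, so what both tests pin is that any DTD entity declaration is refused before expansion, not that an external-entity fetch is blocked; a one-line docstring such as `"""Entity declarations in a DTD must be rejected (EntitiesForbidden) before expansion."""` would make the intent clear despite the `xxe` name. The same multi-line XML literal is duplicated verbatim in `test_ee_xxe`; hoisting it into one module-level constant, e.g. `ENTITY_DECL_XML = """..."""`, and referencing it from both tests keeps the two cases in step if the fixture is ever changed.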