Add unit test for external entity loading
This commit is contained in:
parent
1f54bea564
commit
9c7409808f
3 changed files with 14 additions and 0 deletions
|
@ -39,6 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
## Security
|
||||
|
||||
- Add `no_new_privs` hardening to OpenRC and systemd service files
|
||||
- Ensured that XML parsers cannot load external entities (thanks @Mae@is.badat.dev!)
|
||||
|
||||
## Removed
|
||||
|
||||
|
|
3
test/fixtures/xml_external_entities.xml
vendored
Normal file
3
test/fixtures/xml_external_entities.xml
vendored
Normal file
|
@ -0,0 +1,3 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
|
||||
<stockCheck><productId>&xxe;</productId></stockCheck>
|
10
test/pleroma/web/xml_test.exs
Normal file
10
test/pleroma/web/xml_test.exs
Normal file
|
@ -0,0 +1,10 @@
|
|||
defmodule Pleroma.Web.XMLTest do
|
||||
use Pleroma.DataCase, async: true
|
||||
|
||||
alias Pleroma.Web.XML
|
||||
|
||||
test "refuses to load external entities from XML" do
|
||||
data = File.read!("test/fixtures/xml_external_entities.xml")
|
||||
assert(:error == XML.parse_document(data))
|
||||
end
|
||||
end
|
Loading…
Reference in a new issue