-
Notifications
You must be signed in to change notification settings - Fork 407
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add test to ensure that XXE injection is not possible with DDFFileParser
- Loading branch information
1 parent
15fc34d
commit 547eb0e
Showing
2 changed files
with
61 additions
and
0 deletions.
There are no files selected for viewing
32 changes: 32 additions & 0 deletions
32
leshan-core/src/test/java/org/eclipse/leshan/core/model/DDFFileParserTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| /******************************************************************************* | ||
| * Copyright (c) 2023 Sierra Wireless and others. | ||
| * | ||
| * All rights reserved. This program and the accompanying materials | ||
| * are made available under the terms of the Eclipse Public License v2.0 | ||
| * and Eclipse Distribution License v1.0 which accompany this distribution. | ||
| * | ||
| * The Eclipse Public License is available at | ||
| * http://www.eclipse.org/legal/epl-v20.html | ||
| * and the Eclipse Distribution License is available at | ||
| * http://www.eclipse.org/org/documents/edl-v10.html. | ||
| * | ||
| * Contributors: | ||
| * Sierra Wireless - initial API and implementation | ||
| *******************************************************************************/ | ||
| package org.eclipse.leshan.core.model; | ||
|
|
||
| import static org.junit.jupiter.api.Assertions.assertThrows; | ||
|
|
||
| import java.io.IOException; | ||
|
|
||
| import org.junit.jupiter.api.Test; | ||
|
|
||
| public class DDFFileParserTest { | ||
|
|
||
| @Test | ||
| public void test_xxe_injection_failed() throws IOException, InvalidModelException, InvalidDDFFileException { | ||
| assertThrows(InvalidDDFFileException.class, () -> { | ||
| ObjectLoader.loadDdfResources("/models/", new String[] { "xxe_injection.xml" }, true); | ||
| }); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!DOCTYPE data[ | ||
| <!ENTITY xxe SYSTEM "/etc/passwd"> | ||
| ]> | ||
| <LWM2M xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.openmobilealliance.org/tech/profiles/LWM2M-v1_1.xsd"> | ||
| <Object ObjectType="MODefinition"> | ||
| <Name>LWM2M Security</Name> | ||
| <Description1>&xxe;</Description1> | ||
| <ObjectID>0</ObjectID> | ||
| <ObjectURN>urn:oma:lwm2m:oma:0:1.2</ObjectURN> | ||
| <LWM2MVersion>1.1</LWM2MVersion> | ||
| <ObjectVersion>1.2</ObjectVersion> | ||
| <MultipleInstances>Multiple</MultipleInstances> | ||
| <Mandatory>Mandatory</Mandatory> | ||
| <Resources> | ||
| <Item ID="0"> | ||
| <Name>LWM2M Server URI</Name> | ||
| <Operations></Operations> | ||
| <MultipleInstances>Single</MultipleInstances> | ||
| <Mandatory>Mandatory</Mandatory> | ||
| <Type>String</Type> | ||
| <RangeEnumeration>0..255</RangeEnumeration> | ||
| <Units></Units> | ||
| <Description><![CDATA[Uniquely identifies the LwM2M Server or LwM2M Bootstrap-Server. The format of the CoAP URI is defined in Section 6 of RFC 7252.]]></Description> | ||
| </Item> | ||
| </Resources> | ||
| <Description2><![CDATA[]]></Description2> | ||
| </Object> | ||
| </LWM2M> |