Add unit test for external entity loading
This commit is contained in:
parent
1f54bea564
commit
9c7409808f
3 changed files with 14 additions and 0 deletions
@ -39,6 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Security
## Security
- Add `no_new_privs` hardening to OpenRC and systemd service files
- Add `no_new_privs` hardening to OpenRC and systemd service files
- Ensured that XML parsers cannot load external entities (thanks @Mae@is.badat.dev!)
## Removed
## Removed
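--- a/test/fixtures/xml_external_entities.xml
+++ b/test/fixtures/xml_external_entities.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
+<stockCheck><productId>&xxe;</productId></stockCheck>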
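--- a/test/pleroma/web/xml_test.exs
+++ b/test/pleroma/web/xml_test.exs
@@ -0,0 +1,10 @@
+defmodule Pleroma.Web.XMLTest do
+use Pleroma.DataCase, async: true
+
+alias Pleroma.Web.XML
+
+test "refuses to load external entities from XML" do
+data = File.read!("test/fixtures/xml_external_entities.xml")
+assert(:error == XML.parse_document(data))
+end
+end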
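Review bot: The assertion on `XML.parse_document(data)` only shows that the fixture fails to parse, not that it fails because external entity loading was refused; a parser that rejects every input, or that balks at any DOCTYPE, would also return `:error` and pass this test. A positive control in the same module would make it discriminating: parse the same document with the DOCTYPE and the `&xxe;` reference removed and assert it succeeds, e.g. `assert {:ok, _} = XML.parse_document("<stockCheck><productId>1</productId></stockCheck>")` (assuming `parse_document/1` returns an `{:ok, _}` tuple on success — confirm against `Pleroma.Web.XML`). The negative case itself is sound, since a parser that did resolve the entity would produce a parsed document rather than `:error`. As a style point, `assert XML.parse_document(data) == :error` reads more idiomatically than `assert(:error == XML.parse_document(data))` and puts the actual value on the left for ExUnit's diff output.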