commit: 307692cee8cdd0dbe3e6cf40c1192fcf43910610
parent ca0859b90f0f3cb9bb369d38d29868de59796c2c
Author: FloatingGhost <hannah@coffee-and-dreams.uk>
Date: Fri, 4 Aug 2023 22:24:32 +0100
Add unit test for external entity loading
Diffstat:
3 files changed, 36 insertions(+), 0 deletions(-)
diff --git a/test/fixtures/xml_external_entities.xml b/test/fixtures/xml_external_entities.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
+<stockCheck><productId>&xxe;</productId></stockCheck>
diff --git a/test/pleroma/web/web_finger_test.exs b/test/pleroma/web/web_finger_test.exs
@@ -180,5 +180,28 @@ defmodule Pleroma.Web.WebFingerTest do
{:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
end
+
+ test "refuses to process XML remote entities" do
+ Tesla.Mock.mock(fn
+ %{
+ url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
+ } ->
+ {:ok,
+ %Tesla.Env{
+ status: 200,
+ body: File.read!("test/fixtures/xml_external_entities.xml"),
+ headers: [{"content-type", "application/xrd+xml"}]
+ }}
+
+ %{url: "https://pawoo.net/.well-known/host-meta"} ->
+ {:ok,
+ %Tesla.Env{
+ status: 200,
+ body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
+ }}
+ end)
+
+ assert :error = WebFinger.finger("pekorino@pawoo.net")
+ end
end
end
diff --git a/test/pleroma/web/xml_test.exs b/test/pleroma/web/xml_test.exs
@@ -0,0 +1,10 @@
+defmodule Pleroma.Web.XMLTest do
+ use Pleroma.DataCase, async: true
+
+ alias Pleroma.Web.XML
+
+ test "refuses to load external entities from XML" do
+ data = File.read!("test/fixtures/xml_external_entities.xml")
+ assert(:error == XML.parse_document(data))
+ end
+end
