mirrors/pleroma
1
0
Fork 0
mirror of https://git.pleroma.social/pleroma/pleroma.git synced 2024-11-13 12:31:13 +00:00
Code Issues Projects Releases Wiki Activity

Add unit test for external entity loading

Browse source
This commit is contained in:
FloatingGhost 2023-08-04 22:24:32 +01:00 committed by Haelwenn (lanodan) Monnier
parent fc10e07ffb
commit 77d57c974a
3 changed files with 36 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
test/fixtures/xml_external_entities.xml vendored Normal file
View file

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

23
test/pleroma/web/web_finger_test.exs
View file

@ -180,5 +180,28 @@ defmodule Pleroma.Web.WebFingerTest do
{:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
end
test "refuses to process XML remote entities" do
Tesla.Mock.mock(fn
%{
url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
} ->
{:ok,
%Tesla.Env{
status: 200,
body: File.read!("test/fixtures/xml_external_entities.xml"),
headers: [{"content-type", "application/xrd+xml"}]
}}
%{url: "https://pawoo.net/.well-known/host-meta"} ->
{:ok,
%Tesla.Env{
status: 200,
body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
}}
end)
assert :error = WebFinger.finger("pekorino@pawoo.net")
end
end
end

10
test/pleroma/web/xml_test.exs Normal file
View file

@ -0,0 +1,10 @@
defmodule Pleroma.Web.XMLTest do
use Pleroma.DataCase, async: true
alias Pleroma.Web.XML
test "refuses to load external entities from XML" do
data = File.read!("test/fixtures/xml_external_entities.xml")
assert(:error == XML.parse_document(data))
end
end