From 0d7417cff68e74f636d371529998e275e2765be8 Mon Sep 17 00:00:00 2001
From: Davanum Srinivas
Date: Tue, 26 Feb 2013 11:26:24 -0500
Subject: Port safe parsing with minidom patches from Nova
Prevent attacks through xml entity expansion etc.
Fixes LP# 1100282
Change-Id: I391531deac122697556c282184c8f8890ea66489
---
tests/unit/test_xmlutils.py | 101 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 tests/unit/test_xmlutils.py
diff --git a/tests/unit/test_xmlutils.py b/tests/unit/test_xmlutils.py
new file mode 100644
index 0000000..c38e223
--- /dev/null
+++ b/tests/unit/test_xmlutils.py
@@ -0,0 +1,101 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2013 IBM
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import datetime
+import StringIO
+from xml.dom import minidom
+
+from openstack.common import xmlutils
+from tests import utils
+
+
+class XMLUtilsTestCase(utils.BaseTestCase):
+ def test_safe_parse_xml(self):
+
+ normal_body = ("""
+
+
+ hey
+ there
+
+ """).strip()
+
+ def killer_body():
+ return (("""
+
+ ]>
+
+
+ %(d)s
+
+ """) % {
+ 'a': 'A' * 10,
+ 'b': '&a;' * 10,
+ 'c': '&b;' * 10,
+ 'd': '&c;' * 9999,
+ }).strip()
+
+ dom = xmlutils.safe_minidom_parse_string(normal_body)
+ self.assertEqual(normal_body, str(dom.toxml()))
+
+ self.assertRaises(ValueError,
+ xmlutils.safe_minidom_parse_string,
+ killer_body())
+
+
+class SafeParserTestCase(utils.BaseTestCase):
+ def test_external_dtd(self):
+ xml_string = ("""
+
+
+
+
html with dtd
+ """)
+
+ parser = xmlutils.ProtectedExpatParser(forbid_dtd=True,
+ forbid_entities=True)
+ self.assertRaises(ValueError,
+ minidom.parseString,
+ xml_string, parser)
+
+ def test_external_file(self):
+ xml_string = """
+ ]>
+ ⅇ"""
+
+ parser = xmlutils.ProtectedExpatParser(forbid_dtd=False,
+ forbid_entities=True)
+ self.assertRaises(ValueError,
+ minidom.parseString,
+ xml_string, parser)
+
+ def test_notation(self):
+ xml_string = """
+
+
+ ]>
+
+ """
+
+ parser = xmlutils.ProtectedExpatParser(forbid_dtd=False,
+ forbid_entities=True)
+ self.assertRaises(ValueError,
+ minidom.parseString,
+ xml_string, parser)
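Review bot: All four tests assert only `ValueError`, so in `test_external_file` and `test_notation` (both built with `forbid_dtd=False, forbid_entities=True`) a passing assertion does not show which parser guard rejected the document. If those payloads also declare an internal entity, the external-entity and notation handlers may never be reached; this is hedged because the XML literals are not readable on this page. Consider matching the message as well, e.g. `self.assertRaisesRegexp(ValueError, '<expected guard message>', minidom.parseString, xml_string, parser)`, replacing the placeholder with the text each guard in `xmlutils` raises. A positive case showing that a DTD-free document still parses through `ProtectedExpatParser` would confirm the parser rejects only what it should. Separately, `datetime` and `StringIO`, imported at the top of the file, look unused in the test bodies shown here.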