Include composer dependencies in repo

2 files changed, 260 insertions, 0 deletions

diff --git a/vendor/zendframework/zendxml/tests/ZendXmlTest/MultibyteTest.php b/vendor/zendframework/zendxml/tests/ZendXmlTest/MultibyteTest.php
new file mode 100644
index 00000000..165e8fa5
--- /dev/null
+++ b/vendor/zendframework/zendxml/tests/ZendXmlTest/MultibyteTest.php
@@ -0,0 +1,125 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link      http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license   http://framework.zend.com/license/new-bsd New BSD License
+ */
+namespace ZendTest\Xml;
+
+use ZendXml\Security as XmlSecurity;
+use ZendXml\Exception;
+use DOMDocument;
+use ReflectionMethod;
+use SimpleXMLElement;
+
+/**
+ * @group ZF2015-06
+ */
+class MultibyteTest extends \PHPUnit_Framework_TestCase
+{
+    public function multibyteEncodings()
+    {
+        return array(
+            'UTF-16LE' => array('UTF-16LE', pack('CC', 0xff, 0xfe), 3),
+            'UTF-16BE' => array('UTF-16BE', pack('CC', 0xfe, 0xff), 3),
+            'UTF-32LE' => array('UTF-32LE', pack('CCCC', 0xff, 0xfe, 0x00, 0x00), 4),
+            'UTF-32BE' => array('UTF-32BE', pack('CCCC', 0x00, 0x00, 0xfe, 0xff), 4),
+        );
+    }
+
+    public function getXmlWithXXE()
+    {
+        return <<<XML
+<?xml version="1.0" encoding="{ENCODING}"?>
+<!DOCTYPE methodCall [
+  <!ENTITY pocdata SYSTEM "file:///etc/passwd">
+]>
+<methodCall>
+    <methodName>retrieved: &pocdata;</methodName>
+</methodCall>
+XML;
+    }
+
+    /**
+     * Invoke ZendXml\Security::heuristicScan with the provided XML.
+     *
+     * @param string $xml
+     * @return void
+     * @throws Exception\RuntimeException
+     */
+    public function invokeHeuristicScan($xml)
+    {
+        $r = new ReflectionMethod('ZendXml\Security', 'heuristicScan');
+        $r->setAccessible(true);
+        return $r->invoke(null, $xml);
+    }
+
+    /**
+     * @dataProvider multibyteEncodings
+     * @group heuristicDetection
+     */
+    public function testDetectsMultibyteXXEVectorsUnderFPMWithEncodedStringMissingBOM($encoding, $bom, $bomLength)
+    {
+        $xml = $this->getXmlWithXXE();
+        $xml = str_replace('{ENCODING}', $encoding, $xml);
+        $xml = iconv('UTF-8', $encoding, $xml);
+        $this->assertNotSame(0, strncmp($xml, $bom, $bomLength));
+        $this->setExpectedException('ZendXml\Exception\RuntimeException', 'ENTITY');
+        $this->invokeHeuristicScan($xml);
+    }
+
+    /**
+     * @dataProvider multibyteEncodings
+     */
+    public function testDetectsMultibyteXXEVectorsUnderFPMWithEncodedStringUsingBOM($encoding, $bom)
+    {
+        $xml  = $this->getXmlWithXXE();
+        $xml  = str_replace('{ENCODING}', $encoding, $xml);
+        $orig = iconv('UTF-8', $encoding, $xml);
+        $xml  = $bom . $orig;
+        $this->setExpectedException('ZendXml\Exception\RuntimeException', 'ENTITY');
+        $this->invokeHeuristicScan($xml);
+    }
+
+    public function getXmlWithoutXXE()
+    {
+        return <<<XML
+<?xml version="1.0" encoding="{ENCODING}"?>
+<methodCall>
+    <methodName>retrieved: &pocdata;</methodName>
+</methodCall>
+XML;
+    }
+
+    /**
+     * @dataProvider multibyteEncodings
+     */
+    public function testDoesNotFlagValidMultibyteXmlAsInvalidUnderFPM($encoding)
+    {
+        $xml = $this->getXmlWithoutXXE();
+        $xml = str_replace('{ENCODING}', $encoding, $xml);
+        $xml = iconv('UTF-8', $encoding, $xml);
+        try {
+            $result = $this->invokeHeuristicScan($xml);
+            $this->assertNull($result);
+        } catch (\Exception $e) {
+            $this->fail('Security scan raised exception when it should not have');
+        }
+    }
+
+    /**
+     * @dataProvider multibyteEncodings
+     * @group mixedEncoding
+     */
+    public function testDetectsXXEWhenXMLDocumentEncodingDiffersFromFileEncoding($encoding, $bom)
+    {
+        $xml = $this->getXmlWithXXE();
+        $xml = str_replace('{ENCODING}', 'UTF-8', $xml);
+        $xml = iconv('UTF-8', $encoding, $xml);
+        $xml = $bom . $xml;
+        $this->setExpectedException('ZendXml\Exception\RuntimeException', 'ENTITY');
+        $this->invokeHeuristicScan($xml);
+    }
+}
diff --git a/vendor/zendframework/zendxml/tests/ZendXmlTest/SecurityTest.php b/vendor/zendframework/zendxml/tests/ZendXmlTest/SecurityTest.php
new file mode 100644
index 00000000..fa3b30bf
--- /dev/null
+++ b/vendor/zendframework/zendxml/tests/ZendXmlTest/SecurityTest.php
@@ -0,0 +1,135 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link      http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license   http://framework.zend.com/license/new-bsd New BSD License
+ */
+namespace ZendTest\Xml;
+
+use ZendXml\Security as XmlSecurity;
+use ZendXml\Exception;
+use DOMDocument;
+use SimpleXMLElement;
+
+class SecurityTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @expectedException ZendXml\Exception\RuntimeException
+     */
+    public function testScanForXEE()
+    {
+        $xml = <<<XML
+<?xml version="1.0"?>
+<!DOCTYPE results [<!ENTITY harmless "completely harmless">]>
+<results>
+    <result>This result is &harmless;</result>
+</results>
+XML;
+
+        $this->setExpectedException('ZendXml\Exception\RuntimeException');
+        $result = XmlSecurity::scan($xml);
+    }
+
+    public function testScanForXXE()
+    {
+        $file = tempnam(sys_get_temp_dir(), 'ZendXml_Security');
+        file_put_contents($file, 'This is a remote content!');
+        $xml = <<<XML
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$file">
+]>
+<results>
+    <result>&foo;</result>
+</results>
+XML;
+
+        try {
+            $result = XmlSecurity::scan($xml);
+        } catch (Exception\RuntimeException $e) {
+            unlink($file);
+            return;
+        }
+        $this->fail('An expected exception has not been raised.');
+    }
+
+    public function testScanSimpleXmlResult()
+    {
+        $result = XmlSecurity::scan($this->getXml());
+        $this->assertTrue($result instanceof SimpleXMLElement);
+        $this->assertEquals($result->result, 'test');
+    }
+
+    public function testScanDom()
+    {
+        $dom = new DOMDocument('1.0');
+        $result = XmlSecurity::scan($this->getXml(), $dom);
+        $this->assertTrue($result instanceof DOMDocument);
+        $node = $result->getElementsByTagName('result')->item(0);
+        $this->assertEquals($node->nodeValue, 'test');
+    }
+
+    public function testScanInvalidXml()
+    {
+        $xml = <<<XML
+<foo>test</bar>
+XML;
+
+        $result = XmlSecurity::scan($xml);
+        $this->assertFalse($result);
+    }
+
+    public function testScanInvalidXmlDom()
+    {
+        $xml = <<<XML
+<foo>test</bar>
+XML;
+
+        $dom = new DOMDocument('1.0');
+        $result = XmlSecurity::scan($xml, $dom);
+        $this->assertFalse($result);
+    }
+
+    public function testScanFile()
+    {
+        $file = tempnam(sys_get_temp_dir(), 'ZendXml_Security');
+        file_put_contents($file, $this->getXml());
+
+        $result = XmlSecurity::scanFile($file);
+        $this->assertTrue($result instanceof SimpleXMLElement);
+        $this->assertEquals($result->result, 'test');
+        unlink($file);
+    }
+
+    public function testScanXmlWithDTD()
+    {
+        $xml = <<<XML
+<?xml version="1.0"?>
+<!DOCTYPE results [
+<!ELEMENT results (result+)>
+<!ELEMENT result (#PCDATA)>
+]>
+<results>
+    <result>test</result>
+</results>
+XML;
+
+        $dom = new DOMDocument('1.0');
+        $result = XmlSecurity::scan($xml, $dom);
+        $this->assertTrue($result instanceof DOMDocument);
+        $this->assertTrue($result->validate());
+    }
+
+    protected function getXml()
+    {
+        return <<<XML
+<?xml version="1.0"?>
+<results>
+    <result>test</result>
+</results>
+XML;
+    }
+}