Diffstat (limited to 'vendor/zendframework/zendxml/tests/ZendXmlTest')
-rw-r--r--vendor/zendframework/zendxml/tests/ZendXmlTest/MultibyteTest.php125
-rw-r--r--vendor/zendframework/zendxml/tests/ZendXmlTest/SecurityTest.php135
2 files changed, 260 insertions, 0 deletions
diff --git a/vendor/zendframework/zendxml/tests/ZendXmlTest/MultibyteTest.php b/vendor/zendframework/zendxml/tests/ZendXmlTest/MultibyteTest.php
new file mode 100644
index 00000000..165e8fa5
--- /dev/null
+++ b/vendor/zendframework/zendxml/tests/ZendXmlTest/MultibyteTest.php
@@ -0,0 +1,125 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license http://framework.zend.com/license/new-bsd New BSD License
+ */
+namespace ZendTest\Xml;
+
+use ZendXml\Security as XmlSecurity;
+use ZendXml\Exception;
+use DOMDocument;
+use ReflectionMethod;
+use SimpleXMLElement;
+
+/**
+ * @group ZF2015-06
+ */
+class MultibyteTest extends \PHPUnit_Framework_TestCase
+{
+ public function multibyteEncodings()
+ {
+ return array(
+ 'UTF-16LE' => array('UTF-16LE', pack('CC', 0xff, 0xfe), 3),
+ 'UTF-16BE' => array('UTF-16BE', pack('CC', 0xfe, 0xff), 3),
+ 'UTF-32LE' => array('UTF-32LE', pack('CCCC', 0xff, 0xfe, 0x00, 0x00), 4),
+ 'UTF-32BE' => array('UTF-32BE', pack('CCCC', 0x00, 0x00, 0xfe, 0xff), 4),
+ );
+ }
+
+ public function getXmlWithXXE()
+ {
+ return <<<XML
+<?xml version="1.0" encoding="{ENCODING}"?>
+<!DOCTYPE methodCall [
+ <!ENTITY pocdata SYSTEM "file:///etc/passwd">
+]>
+<methodCall>
+ <methodName>retrieved: &pocdata;</methodName>
+</methodCall>
+XML;
+ }
+
+ /**
+ * Invoke ZendXml\Security::heuristicScan with the provided XML.
+ *
+ * @param string $xml
+ * @return void
+ * @throws Exception\RuntimeException
+ */
+ public function invokeHeuristicScan($xml)
+ {
+ $r = new ReflectionMethod('ZendXml\Security', 'heuristicScan');
+ $r->setAccessible(true);
+ return $r->invoke(null, $xml);
+ }
+
+ /**
+ * @dataProvider multibyteEncodings
+ * @group heuristicDetection
+ */
+ public function testDetectsMultibyteXXEVectorsUnderFPMWithEncodedStringMissingBOM($encoding, $bom, $bomLength)
+ {
+ $xml = $this->getXmlWithXXE();
+ $xml = str_replace('{ENCODING}', $encoding, $xml);
+ $xml = iconv('UTF-8', $encoding, $xml);
+ $this->assertNotSame(0, strncmp($xml, $bom, $bomLength));
+ $this->setExpectedException('ZendXml\Exception\RuntimeException', 'ENTITY');
+ $this->invokeHeuristicScan($xml);
+ }
+
+ /**
+ * @dataProvider multibyteEncodings
+ */
+ public function testDetectsMultibyteXXEVectorsUnderFPMWithEncodedStringUsingBOM($encoding, $bom)
+ {
+ $xml = $this->getXmlWithXXE();
+ $xml = str_replace('{ENCODING}', $encoding, $xml);
+ $orig = iconv('UTF-8', $encoding, $xml);
+ $xml = $bom . $orig;
+ $this->setExpectedException('ZendXml\Exception\RuntimeException', 'ENTITY');
+ $this->invokeHeuristicScan($xml);
+ }
+
+ public function getXmlWithoutXXE()
+ {
+ return <<<XML
+<?xml version="1.0" encoding="{ENCODING}"?>
+<methodCall>
+ <methodName>retrieved: &pocdata;</methodName>
+</methodCall>
+XML;
+ }
+
+ /**
+ * @dataProvider multibyteEncodings
+ */
+ public function testDoesNotFlagValidMultibyteXmlAsInvalidUnderFPM($encoding)
+ {
+ $xml = $this->getXmlWithoutXXE();
+ $xml = str_replace('{ENCODING}', $encoding, $xml);
+ $xml = iconv('UTF-8', $encoding, $xml);
+ try {
+ $result = $this->invokeHeuristicScan($xml);
+ $this->assertNull($result);
+ } catch (\Exception $e) {
+ $this->fail('Security scan raised exception when it should not have');
+ }
+ }
+
+ /**
+ * @dataProvider multibyteEncodings
+ * @group mixedEncoding
+ */
+ public function testDetectsXXEWhenXMLDocumentEncodingDiffersFromFileEncoding($encoding, $bom)
+ {
+ $xml = $this->getXmlWithXXE();
+ $xml = str_replace('{ENCODING}', 'UTF-8', $xml);
+ $xml = iconv('UTF-8', $encoding, $xml);
+ $xml = $bom . $xml;
+ $this->setExpectedException('ZendXml\Exception\RuntimeException', 'ENTITY');
+ $this->invokeHeuristicScan($xml);
+ }
+}
diff --git a/vendor/zendframework/zendxml/tests/ZendXmlTest/SecurityTest.php b/vendor/zendframework/zendxml/tests/ZendXmlTest/SecurityTest.php
new file mode 100644
index 00000000..fa3b30bf
--- /dev/null
+++ b/vendor/zendframework/zendxml/tests/ZendXmlTest/SecurityTest.php
@@ -0,0 +1,135 @@
+<?php
+/**
+ * Zend Framework (http://framework.zend.com/)
+ *
+ * @link http://github.com/zendframework/zf2 for the canonical source repository
+ * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
+ * @license http://framework.zend.com/license/new-bsd New BSD License
+ */
+namespace ZendTest\Xml;
+
+use ZendXml\Security as XmlSecurity;
+use ZendXml\Exception;
+use DOMDocument;
+use SimpleXMLElement;
+
+class SecurityTest extends \PHPUnit_Framework_TestCase
+{
+ /**
+ * @expectedException ZendXml\Exception\RuntimeException
+ */
+ public function testScanForXEE()
+ {
+ $xml = <<<XML
+<?xml version="1.0"?>
+<!DOCTYPE results [<!ENTITY harmless "completely harmless">]>
+<results>
+ <result>This result is &harmless;</result>
+</results>
+XML;
+
+ $this->setExpectedException('ZendXml\Exception\RuntimeException');
+ $result = XmlSecurity::scan($xml);
+ }
+
+ public function testScanForXXE()
+ {
+ $file = tempnam(sys_get_temp_dir(), 'ZendXml_Security');
+ file_put_contents($file, 'This is a remote content!');
+ $xml = <<<XML
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$file">
+]>
+<results>
+ <result>&foo;</result>
+</results>
+XML;
+
+ try {
+ $result = XmlSecurity::scan($xml);
+ } catch (Exception\RuntimeException $e) {
+ unlink($file);
+ return;
+ }
+ $this->fail('An expected exception has not been raised.');
+ }
+
+ public function testScanSimpleXmlResult()
+ {
+ $result = XmlSecurity::scan($this->getXml());
+ $this->assertTrue($result instanceof SimpleXMLElement);
+ $this->assertEquals($result->result, 'test');
+ }
+
+ public function testScanDom()
+ {
+ $dom = new DOMDocument('1.0');
+ $result = XmlSecurity::scan($this->getXml(), $dom);
+ $this->assertTrue($result instanceof DOMDocument);
+ $node = $result->getElementsByTagName('result')->item(0);
+ $this->assertEquals($node->nodeValue, 'test');
+ }
+
+ public function testScanInvalidXml()
+ {
+ $xml = <<<XML
+<foo>test</bar>
+XML;
+
+ $result = XmlSecurity::scan($xml);
+ $this->assertFalse($result);
+ }
+
+ public function testScanInvalidXmlDom()
+ {
+ $xml = <<<XML
+<foo>test</bar>
+XML;
+
+ $dom = new DOMDocument('1.0');
+ $result = XmlSecurity::scan($xml, $dom);
+ $this->assertFalse($result);
+ }
+
+ public function testScanFile()
+ {
+ $file = tempnam(sys_get_temp_dir(), 'ZendXml_Security');
+ file_put_contents($file, $this->getXml());
+
+ $result = XmlSecurity::scanFile($file);
+ $this->assertTrue($result instanceof SimpleXMLElement);
+ $this->assertEquals($result->result, 'test');
+ unlink($file);
+ }
+
+ public function testScanXmlWithDTD()
+ {
+ $xml = <<<XML
+<?xml version="1.0"?>
+<!DOCTYPE results [
+<!ELEMENT results (result+)>
+<!ELEMENT result (#PCDATA)>
+]>
+<results>
+ <result>test</result>
+</results>
+XML;
+
+ $dom = new DOMDocument('1.0');
+ $result = XmlSecurity::scan($xml, $dom);
+ $this->assertTrue($result instanceof DOMDocument);
+ $this->assertTrue($result->validate());
+ }
+
+ protected function getXml()
+ {
+ return <<<XML
+<?xml version="1.0"?>
+<results>
+ <result>test</result>
+</results>
+XML;
+ }
+}