Mercurial Mercurial > prosody > prosody / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
spec/util_xml_spec.lua
author Jonas Schäfer <jonas@wielicki.name>
Mon, 10 Jan 2022 18:23:54 +0100
branch0.11
changeset 12185 783056b4e448
parent 8239 4878e4159e12
child 12274 c78639ee6ccb
permissions -rw-r--r--
util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
8239
4878e4159e12 Port tests to the `busted` test runner
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset 
     1
 












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     2


local xml = require "util.xml";












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     3














4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     4


describe("util.xml", function()












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     5


	describe("#parse()", function()












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     6


		it("should work", function()












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     7


			local x =












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     8


[[<x xmlns:a="b">












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




     9


	<y xmlns:a="c"> <!-- this overwrites 'a' -->












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    10


	    <a:z/>












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    11


	</y>












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    12


	<a:z/> <!-- prefix 'a' is nil here, but should be 'b' -->












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    13


</x>












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    14


]]







12185






783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    15


			local stanza = xml.parse(x, {allow_comments = true});







8239






4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    16


			assert.are.equal(stanza.tags[2].attr.xmlns, "b");












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    17


			assert.are.equal(stanza.tags[2].namespaces["a"], "b");












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    18


		end);







12185






783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    19














783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    20


		it("should reject doctypes", function()












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    21


			local x = "<!DOCTYPE foo []><foo/>";












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    22


			local ok = xml.parse(x);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    23


			assert.falsy(ok);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    24


		end);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    25














783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    26


		it("should reject comments by default", function()












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    27


			local x = "<foo><!-- foo --></foo>";












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    28


			local ok = xml.parse(x);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    29


			assert.falsy(ok);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    30


		end);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    31














783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    32


		it("should allow comments if asked nicely", function()












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    33


			local x = "<foo><!-- foo --></foo>";












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    34


			local stanza = xml.parse(x, {allow_comments = true});












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    35


			assert.are.equal(stanza.name, "foo");












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    36


			assert.are.equal(#stanza, 0);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    37


		end);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    38














783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    39


		it("should reject processing instructions", function()












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    40


			local x = "<foo><?php die(); ?></foo>";












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    41


			local ok = xml.parse(x);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    42


			assert.falsy(ok);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    43


		end);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    44














783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    45


		it("should allow an xml declaration", function()












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    46


			local x = "<?xml version='1.0'?><foo/>";












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    47


			local stanza = xml.parse(x);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    48


			assert.truthy(stanza);












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    49


			assert.are.equal(stanza.name, "foo");












783056b4e448
util.xml: Do not allow doctypes, comments or processing instructions



Jonas Schäfer <jonas@wielicki.name>


parents: 
8239

diff
changeset




    50


		end);







8239






4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    51


	end);












4878e4159e12
Port tests to the `busted` test runner



Waqas Hussain <waqas20@gmail.com>


parents: 

diff
changeset




    52


end);














prosody