Add unit test for external entity loading

2023-08-04 22:24:32 +01:00 · 2023-08-04 22:24:32 +01:00 · 307692cee8
parent ca0859b90f
commit 307692cee8
3 changed files with 36 additions and 0 deletions
--- a/test/fixtures/xml_external_entities.xml
+++ b/test/fixtures/xml_external_entities.xml
@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
+<stockCheck><productId>&xxe;</productId></stockCheck>
--- a/test/pleroma/web/web_finger_test.exs
+++ b/test/pleroma/web/web_finger_test.exs
@ -180,5 +180,28 @@ defmodule Pleroma.Web.WebFingerTest do

      {:ok, _data} = WebFinger.finger("pekorino@pawoo.net")
    end
+
+    test "refuses to process XML remote entities" do
+      Tesla.Mock.mock(fn
+        %{
+          url: "https://pawoo.net/.well-known/webfinger?resource=acct:pekorino@pawoo.net"
+        } ->
+          {:ok,
+           %Tesla.Env{
+             status: 200,
+             body: File.read!("test/fixtures/xml_external_entities.xml"),
+             headers: [{"content-type", "application/xrd+xml"}]
+           }}
+
+        %{url: "https://pawoo.net/.well-known/host-meta"} ->
+          {:ok,
+           %Tesla.Env{
+             status: 200,
+             body: File.read!("test/fixtures/tesla_mock/pawoo.net_host_meta")
+           }}
+      end)
+
+      assert :error = WebFinger.finger("pekorino@pawoo.net")
+    end
  end
 end
--- a/test/pleroma/web/xml_test.exs
+++ b/test/pleroma/web/xml_test.exs
@ -0,0 +1,10 @@
+defmodule Pleroma.Web.XMLTest do
+  use Pleroma.DataCase, async: true
+
+  alias Pleroma.Web.XML
+
+  test "refuses to load external entities from XML" do
+    data = File.read!("test/fixtures/xml_external_entities.xml")
+    assert(:error == XML.parse_document(data))
+  end
+end