@Test
public void testExternalEntityExpansion() throws SAXException, MalformedURLException {
// Include a dummy file
final File aFile = new File("src/test/resources/test1.txt");
assertTrue(aFile.exists());
final String sFileContent =
StreamHelper.getAllBytesAsString(
new FileSystemResource(aFile), CCharset.CHARSET_ISO_8859_1_OBJ);
// The XML with XXE problem
final String sXML =
"<?xml version='1.0' encoding='utf-8'?>"
+ "<!DOCTYPE root ["
+ " <!ELEMENT root ANY >"
+ " <!ENTITY xxe SYSTEM \""
+ aFile.toURI().toURL().toExternalForm()
+ "\" >]>"
+ "<root>&xxe;</root>";
final DOMReaderSettings aDRS =
new DOMReaderSettings()
.setEntityResolver(
new EntityResolver() {
public InputSource resolveEntity(final String publicId, final String systemId)
throws SAXException, IOException {
// Read as URL
return InputSourceFactory.create(new URLResource(systemId));
}
});
// Read successful - entity expansion!
final Document aDoc = DOMReader.readXMLDOM(sXML, aDRS);
assertNotNull(aDoc);
assertEquals(sFileContent, aDoc.getDocumentElement().getTextContent());
// Should fail because inline DTD is present
try {
DOMReader.readXMLDOM(
sXML, aDRS.getClone().setFeatureValues(EXMLParserFeature.AVOID_XXE_SETTINGS));
fail();
} catch (final SAXParseException ex) {
// Expected
assertTrue(ex.getMessage().contains("http://apache.org/xml/features/disallow-doctype-decl"));
}
}
