more tests for xxe + optional xml support

author: Ben Fuhrmannek 2021-11-11 13:32:07 +0100
committer: Ben Fuhrmannek 2021-11-11 13:32:07 +0100
commit: 0be11fcc6e73f7e35bf2f3b884676413f5522cf1 (patch)
tree: 50b6d6108e069839f5715228c0b5623648a8514c /src
parent: 713cb08b58d4e5dd5e7e80b1f82e27cbe52d4381 (diff)
3 files changed, 123 insertions, 0 deletions
diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c
index 7db2451..b6030c6 100644
--- a/src/sp_disable_xxe.c
+++ b/src/sp_disable_xxe.c
@@ -1,5 +1,7 @@
 #include "php_snuffleupagus.h"
+#ifdef HAVE_XML
 PHP_FUNCTION(sp_libxml_disable_entity_loader) {
  sp_log_warn("xxe",
              "A call to libxml_disable_entity_loader was tried and nopped");
@@ -39,3 +41,8 @@ int hook_libxml_disable_entity_loader() {
  return SUCCESS;
 }
+#else
+int hook_libxml_disable_entity_loader() {
+  sp_log_warn("xxe", "Cannot enable XXE protection. XML support is disabled in PHP.");
+}
+#endif
+\ No newline at end of file
diff --git a/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
new file mode 100644
index 0000000..01e3349
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
@@ -0,0 +1,57 @@
+--TEST--
+Disable XXE (feature disabled)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus") || !extension_loaded("dom")) print("skip"); ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe_disable.ini
+--EXTENSIONS--
+dom
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents($dir . '/content.xml', $xml);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_set_external_entity_loader(null);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF-- 
+default setting with LIBXML_NOENT: WARNING, external entity loaded!
+default setting without LIBXML_NOENT: 
+disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
+disabled entity loader without LIBXML_NOENT:
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_dom_php8.phpt b/src/tests/xxe/disable_xxe_dom_php8.phpt
new file mode 100644
index 0000000..485828f
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom_php8.phpt
@@ -0,0 +1,59 @@
+--TEST--
+Disable XXE (feature enabled)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus") || !extension_loaded("dom")) print("skip"); ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--EXTENSIONS--
+dom
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents($dir . '/content.xml', $xml);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_set_external_entity_loader(null);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF-- 
+default setting with LIBXML_NOENT: WARNING, external entity loaded!
+default setting without LIBXML_NOENT: 
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_set_external_entity_loader was tried and nopped in %a.php on line 26
+disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
+disabled entity loader without LIBXML_NOENT:
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
author	Ben Fuhrmannek	2021-11-11 13:32:07 +0100
committer	Ben Fuhrmannek	2021-11-11 13:32:07 +0100
commit	0be11fcc6e73f7e35bf2f3b884676413f5522cf1 (patch)
tree	50b6d6108e069839f5715228c0b5623648a8514c /src
parent	713cb08b58d4e5dd5e7e80b1f82e27cbe52d4381 (diff)

diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c index 7db2451..b6030c6 100644 --- a/src/sp_disable_xxe.c +++ b/src/sp_disable_xxe.c
@@ -1,5 +1,7 @@
1	#include "php_snuffleupagus.h"	1	#include "php_snuffleupagus.h"
2		2
		3	#ifdef HAVE_XML
		4
3	PHP_FUNCTION(sp_libxml_disable_entity_loader) {	5	PHP_FUNCTION(sp_libxml_disable_entity_loader) {
4	sp_log_warn("xxe",	6	sp_log_warn("xxe",
5	"A call to libxml_disable_entity_loader was tried and nopped");	7	"A call to libxml_disable_entity_loader was tried and nopped");
@@ -39,3 +41,8 @@ int hook_libxml_disable_entity_loader() {
39		41
40	return SUCCESS;	42	return SUCCESS;
41	}	43	}
		44	#else
		45	int hook_libxml_disable_entity_loader() {
		46	sp_log_warn("xxe", "Cannot enable XXE protection. XML support is disabled in PHP.");
		47	}
		48	#endif \ No newline at end of file


diff --git a/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt new file mode 100644 index 0000000..01e3349 --- /dev/null +++ b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
@@ -0,0 +1,57 @@
		1	--TEST--
		2	Disable XXE (feature disabled)
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("dom")) print("skip"); ?>
		5	<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
		6	--INI--
		7	sp.configuration_file={PWD}/config/disable_xxe_disable.ini
		8	--EXTENSIONS--
		9	dom
		10	--FILE--
		11	<?php
		12	$dir = __DIR__;
		13	$content = '<content>WARNING, external entity loaded!</content>';
		14	file_put_contents($dir . '/content.txt', $content);
		15
		16	$xml = <<<EOD
		17	<?xml version="1.0"?>
		18	<!DOCTYPE root
		19	[
		20	<!ENTITY foo SYSTEM "file://$dir/content.txt">
		21	]>
		22	<test><testing>&foo;</testing></test>
		23	EOD;
		24
		25	file_put_contents($dir . '/content.xml', $xml);
		26
		27
		28	$dom = new DOMDocument('1.0');
		29	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		30	printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		31
		32	$dom = new DOMDocument('1.0');
		33	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		34	printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		35
		36	libxml_set_external_entity_loader(null);
		37
		38	$dom = new DOMDocument('1.0');
		39	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		40	printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		41
		42	$dom = new DOMDocument('1.0');
		43	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		44	printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		45
		46	?>
		47	--EXPECTF--
		48	default setting with LIBXML_NOENT: WARNING, external entity loaded!
		49	default setting without LIBXML_NOENT:
		50	disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
		51	disabled entity loader without LIBXML_NOENT:
		52	--CLEAN--
		53	<?php
		54	$dir = __DIR__;
		55	unlink($dir . "/content.xml");
		56	unlink($dir . "/content.txt");
		57	?>


diff --git a/src/tests/xxe/disable_xxe_dom_php8.phpt b/src/tests/xxe/disable_xxe_dom_php8.phpt new file mode 100644 index 0000000..485828f --- /dev/null +++ b/src/tests/xxe/disable_xxe_dom_php8.phpt
@@ -0,0 +1,59 @@
		1	--TEST--
		2	Disable XXE (feature enabled)
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus") \|\| !extension_loaded("dom")) print("skip"); ?>
		5	<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
		6	--INI--
		7	sp.configuration_file={PWD}/config/disable_xxe.ini
		8	--EXTENSIONS--
		9	dom
		10	--FILE--
		11	<?php
		12	$dir = __DIR__;
		13	$content = '<content>WARNING, external entity loaded!</content>';
		14	file_put_contents($dir . '/content.txt', $content);
		15
		16	$xml = <<<EOD
		17	<?xml version="1.0"?>
		18	<!DOCTYPE root
		19	[
		20	<!ENTITY foo SYSTEM "file://$dir/content.txt">
		21	]>
		22	<test><testing>&foo;</testing></test>
		23	EOD;
		24
		25	file_put_contents($dir . '/content.xml', $xml);
		26
		27
		28	$dom = new DOMDocument('1.0');
		29	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		30	printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		31
		32	$dom = new DOMDocument('1.0');
		33	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		34	printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		35
		36	libxml_set_external_entity_loader(null);
		37
		38	$dom = new DOMDocument('1.0');
		39	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
		40	printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		41
		42	$dom = new DOMDocument('1.0');
		43	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD);
		44	printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
		45
		46	?>
		47	--EXPECTF--
		48	default setting with LIBXML_NOENT: WARNING, external entity loaded!
		49	default setting without LIBXML_NOENT:
		50
		51	Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_set_external_entity_loader was tried and nopped in %a.php on line 26
		52	disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
		53	disabled entity loader without LIBXML_NOENT:
		54	--CLEAN--
		55	<?php
		56	$dir = __DIR__;
		57	unlink($dir . "/content.xml");
		58	unlink($dir . "/content.txt");
		59	?>