From 0be11fcc6e73f7e35bf2f3b884676413f5522cf1 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Thu, 11 Nov 2021 13:32:07 +0100
Subject: more tests for xxe + optional xml support

---
 src/sp_disable_xxe.c                             |  7 +++
 src/tests/xxe/disable_xxe_dom_disabled_php8.phpt | 57 +++++++++++++++++++++++
 src/tests/xxe/disable_xxe_dom_php8.phpt          | 59 ++++++++++++++++++++++++
 3 files changed, 123 insertions(+)
 create mode 100644 src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
 create mode 100644 src/tests/xxe/disable_xxe_dom_php8.phpt

(limited to 'src')

diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c
index 7db2451..b6030c6 100644
--- a/src/sp_disable_xxe.c
+++ b/src/sp_disable_xxe.c
@@ -1,5 +1,7 @@
 #include "php_snuffleupagus.h"
 
+#ifdef HAVE_XML
+
 PHP_FUNCTION(sp_libxml_disable_entity_loader) {
   sp_log_warn("xxe",
               "A call to libxml_disable_entity_loader was tried and nopped");
@@ -39,3 +41,8 @@ int hook_libxml_disable_entity_loader() {
 
   return SUCCESS;
 }
+#else
+int hook_libxml_disable_entity_loader() {
+  sp_log_warn("xxe", "Cannot enable XXE protection. XML support is disabled in PHP.");
+}
+#endif
\ No newline at end of file
diff --git a/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
new file mode 100644
index 0000000..01e3349
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom_disabled_php8.phpt
@@ -0,0 +1,57 @@
+--TEST--
+Disable XXE (feature disabled)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus") || !extension_loaded("dom")) print("skip"); ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe_disable.ini
+--EXTENSIONS--
+dom
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+
+file_put_contents($dir . '/content.xml', $xml);
+
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+libxml_set_external_entity_loader(null);
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+?>
+--EXPECTF-- 
+default setting with LIBXML_NOENT: WARNING, external entity loaded!
+default setting without LIBXML_NOENT: 
+disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
+disabled entity loader without LIBXML_NOENT:
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_dom_php8.phpt b/src/tests/xxe/disable_xxe_dom_php8.phpt
new file mode 100644
index 0000000..485828f
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom_php8.phpt
@@ -0,0 +1,59 @@
+--TEST--
+Disable XXE (feature enabled)
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus") || !extension_loaded("dom")) print("skip"); ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--EXTENSIONS--
+dom
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+
+file_put_contents($dir . '/content.xml', $xml);
+
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("default setting with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("default setting without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+libxml_set_external_entity_loader(null);
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("disabled entity loader with LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD);
+printf("disabled entity loader without LIBXML_NOENT: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+
+?>
+--EXPECTF-- 
+default setting with LIBXML_NOENT: WARNING, external entity loaded!
+default setting without LIBXML_NOENT: 
+
+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_set_external_entity_loader was tried and nopped in %a.php on line 26
+disabled entity loader with LIBXML_NOENT: WARNING, external entity loaded!
+disabled entity loader without LIBXML_NOENT:
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
-- 
cgit v1.3