diff options
Diffstat (limited to 'vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php')
| -rw-r--r-- | vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php b/vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php new file mode 100644 index 000000000..0f0fbffba --- /dev/null +++ b/vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php @@ -0,0 +1,152 @@ +<?php +/** + * Zend Framework (http://framework.zend.com/) + * + * @link http://github.com/zendframework/zf2 for the canonical source repository + * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com) + * @license http://framework.zend.com/license/new-bsd New BSD License + */ +namespace ZendTest\Xml; + +use ZendXml\Security as XmlSecurity; +use ZendXml\Exception; +use DOMDocument; +use SimpleXMLElement; + +class SecurityTest extends \PHPUnit_Framework_TestCase +{ + /** + * @expectedException ZendXml\Exception\RuntimeException + */ + public function testScanForXEE() + { + $xml = <<<XML +<?xml version="1.0"?> +<!DOCTYPE results [<!ENTITY harmless "completely harmless">]> +<results> + <result>This result is &harmless;</result> +</results> +XML; + + $this->setExpectedException('ZendXml\Exception\RuntimeException'); + $result = XmlSecurity::scan($xml); + } + + public function testScanForXXE() + { + $file = tempnam(sys_get_temp_dir(), 'ZendXml_Security'); + file_put_contents($file, 'This is a remote content!'); + $xml = <<<XML +<?xml version="1.0"?> +<!DOCTYPE root +[ +<!ENTITY foo SYSTEM "file://$file"> +]> +<results> + <result>&foo;</result> +</results> +XML; + + try { + $result = XmlSecurity::scan($xml); + } catch (Exception\RuntimeException $e) { + unlink($file); + return; + } + $this->fail('An expected exception has not been raised.'); + } + + public function testScanSimpleXmlResult() + { + $result = XmlSecurity::scan($this->getXml()); + $this->assertTrue($result instanceof SimpleXMLElement); + $this->assertEquals($result->result, 'test'); + } + + public function testScanDom() + { + $dom = new DOMDocument('1.0'); + $result = XmlSecurity::scan($this->getXml(), $dom); + $this->assertTrue($result instanceof DOMDocument); + $node = $result->getElementsByTagName('result')->item(0); + $this->assertEquals($node->nodeValue, 'test'); + } + + /** + * @requires PHP 5.4 + */ + public function testScanDomHTML() + { + // loadHtml accepts constants in php >= 5.4 + // http://php.net/manual/de/domdocument.loadhtml.php + $dom = new DOMDocument('1.0'); + $html = <<<HTML +<p>a simple test</p> +HTML; + $constants = LIBXML_HTML_NODEFDTD | LIBXML_HTML_NOIMPLIED; + $result = XmlSecurity::scanHtml($html, $dom, $constants); + $this->assertTrue($result instanceof DOMDocument); + $this->assertEquals($html, trim($result->saveHtml())); + } + + public function testScanInvalidXml() + { + $xml = <<<XML +<foo>test</bar> +XML; + + $result = XmlSecurity::scan($xml); + $this->assertFalse($result); + } + + public function testScanInvalidXmlDom() + { + $xml = <<<XML +<foo>test</bar> +XML; + + $dom = new DOMDocument('1.0'); + $result = XmlSecurity::scan($xml, $dom); + $this->assertFalse($result); + } + + public function testScanFile() + { + $file = tempnam(sys_get_temp_dir(), 'ZendXml_Security'); + file_put_contents($file, $this->getXml()); + + $result = XmlSecurity::scanFile($file); + $this->assertTrue($result instanceof SimpleXMLElement); + $this->assertEquals($result->result, 'test'); + unlink($file); + } + + public function testScanXmlWithDTD() + { + $xml = <<<XML +<?xml version="1.0"?> +<!DOCTYPE results [ +<!ELEMENT results (result+)> +<!ELEMENT result (#PCDATA)> +]> +<results> + <result>test</result> +</results> +XML; + + $dom = new DOMDocument('1.0'); + $result = XmlSecurity::scan($xml, $dom); + $this->assertTrue($result instanceof DOMDocument); + $this->assertTrue($result->validate()); + } + + protected function getXml() + { + return <<<XML +<?xml version="1.0"?> +<results> + <result>test</result> +</results> +XML; + } +} |