AkkomaGang/akkoma
AkkomaGang
/
akkoma
12
63
Fork 83
Code Issues 165 Pull Requests 14 Packages Projects 2 Releases 13 Wiki Activity

Add unit test for external entity loading
ci/woodpecker/push/build-amd64 Pipeline is pending Details
ci/woodpecker/push/build-arm64 Pipeline is pending Details
ci/woodpecker/push/docs Pipeline is pending Details
ci/woodpecker/push/test Pipeline is pending Details

This commit is contained in:
FloatingGhost 2023-08-04 22:24:32 +01:00
parent 1f54bea564
commit 9c7409808f
3 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -39,6 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Security
- Add `no_new_privs` hardening to OpenRC and systemd service files
- Ensured that XML parsers cannot load external entities (thanks @Mae@is.badat.dev!)
## Removed

3
test/fixtures/xml_external_entities.xml vendored Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

10
test/pleroma/web/xml_test.exs Normal file
View File

@ -0,0 +1,10 @@
defmodule Pleroma.Web.XMLTest do
use Pleroma.DataCase, async: true
alias Pleroma.Web.XML
test "refuses to load external entities from XML" do
data = File.read!("test/fixtures/xml_external_entities.xml")
assert(:error == XML.parse_document(data))
end
end