
Source code changes of the file "core/src/test/java/jenkins/xml/XMLUtilsTest.java" between
jenkins-jenkins-2.302.tar.gz and jenkins-jenkins-2.303.tar.gz

About: Jenkins is an automation server (written in Java) which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software (e.g. as a Continuous Integration and Continuous Delivery server). Weekly release.

XMLUtilsTest.java  (jenkins-jenkins-2.302):XMLUtilsTest.java  (jenkins-jenkins-2.303)
skipping to change at line 44 skipping to change at line 44
import java.io.StringReader; import java.io.StringReader;
import java.io.StringWriter; import java.io.StringWriter;
import java.net.URL; import java.net.URL;
import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerException;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource; import javax.xml.transform.stream.StreamSource;
import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathExpressionException;
import static org.hamcrest.core.StringContains.containsString; import static org.hamcrest.core.StringContains.containsString;
import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.Assert.assertThrows;
import org.jvnet.hudson.test.Issue; import org.jvnet.hudson.test.Issue;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
public class XMLUtilsTest { public class XMLUtilsTest {
@Issue("SECURITY-167") @Issue("SECURITY-167")
@Test @Test
public void testSafeTransformDoesNotProcessForeignResources() throws Excepti on { public void testSafeTransformDoesNotProcessForeignResources() throws Excepti on {
final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" + final String xml = "<?xml version='1.0' encoding='UTF-8'?>\n" +
"<!DOCTYPE project[\n" + "<!DOCTYPE project[\n" +
skipping to change at line 118 skipping to change at line 120
@Test @Test
public void testGetValue() throws XPathExpressionException, SAXException, IO Exception { public void testGetValue() throws XPathExpressionException, SAXException, IO Exception {
URL configUrl = getClass().getResource("/jenkins/xml/config.xml"); URL configUrl = getClass().getResource("/jenkins/xml/config.xml");
File configFile = new File(configUrl.getFile()); File configFile = new File(configUrl.getFile());
Assert.assertEquals("1.480.1", XMLUtils.getValue("/hudson/version", conf igFile)); Assert.assertEquals("1.480.1", XMLUtils.getValue("/hudson/version", conf igFile));
Assert.assertEquals("", XMLUtils.getValue("/hudson/unknown-element", con figFile)); Assert.assertEquals("", XMLUtils.getValue("/hudson/unknown-element", con figFile));
} }
@Test @Test
public void testParse_with_XXE() throws IOException { public void testParse_with_XXE() {
try { final String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
final String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + "<!DOCTYPE foo [\n" +
"<!DOCTYPE foo [\n" + " <!ELEMENT foo ANY >\n" +
" <!ELEMENT foo ANY >\n" + " <!ENTITY xxe SYSTEM \"http://abc.com/temp/test.jsp\" >]> " +
" <!ENTITY xxe SYSTEM \"http://abc.com/temp/test.jsp\" >]> "<foo>&xxe;</foo>";
" +
"<foo>&xxe;</foo>"; StringReader stringReader = new StringReader(xml);
final SAXException e = assertThrows(SAXException.class, () -> XMLUtils.p
StringReader stringReader = new StringReader(xml); arse(stringReader));
XMLUtils.parse(stringReader); assertThat(e.getMessage(), containsString("\"http://apache.org/xml/featu
Assert.fail("Expecting SAXException for XXE."); res/disallow-doctype-decl\""));
} catch (SAXException e) {
assertThat(e.getMessage(), containsString("\"http://apache.org/xml/f
eatures/disallow-doctype-decl\""));
}
} }
} }
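Review bot: In the rewritten `testParse_with_XXE`, the external entity still points at a real third-party host (`http://abc.com/temp/test.jsp`), so if the DOCTYPE rejection ever regressed, the test run would attempt an outbound fetch to that host from the build machine. A reserved name keeps the regression case contained, for example `" <!ENTITY xxe SYSTEM \"http://xxe-test.invalid/temp/test.jsp\" >]> " +` (constructed value). The only assertion is that the exception message contains the `disallow-doctype-decl` feature URI, and that text presumably comes from the underlying XML parser rather than from `XMLUtils`. A comment such as `// message is produced by the XML parser; the DOCTYPE must be rejected before any entity is resolved` would record what is actually being pinned and why a parser change could break the test.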
 End of changes. 2 change blocks. 
16 lines changed or deleted 14 lines changed or added
