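/// <summary>
/// Verifies that a nested-entity ("billion laughs") document is rejected even when the
/// caller explicitly allows DOCTYPE processing.
/// </summary>
/// <remarks>
/// With <c>DisallowDoctype = false</c> the DTD is no longer refused up front, so the only
/// remaining defence against entity-expansion denial of service is the expansion limit
/// named in the asserted message (<c>MaxCharactersFromEntities</c>). Where that limit is
/// configured is not visible in this test.
/// </remarks>
public void BillionLaughs_DoctypeEnabled()
{
    // Nine entity levels, each referencing the previous level ten times, so the single
    // &lol9; reference would expand to 10^8 copies of "lol" if expansion were unbounded.
    // The pieces are concatenated constants; the resulting string is identical to the
    // single-literal form.
    var testdata =
        @"<?xml version=""1.0""?> " +
        @"<!DOCTYPE lolz [ " +
        @"<!ENTITY lol ""lol""> " +
        @"<!ENTITY lol2 ""&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;""> " +
        @"<!ENTITY lol3 ""&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;""> " +
        @"<!ENTITY lol4 ""&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;""> " +
        @"<!ENTITY lol5 ""&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;""> " +
        @"<!ENTITY lol6 ""&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;""> " +
        @"<!ENTITY lol7 ""&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;""> " +
        @"<!ENTITY lol8 ""&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;""> " +
        @"<!ENTITY lol9 ""&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;""> " +
        @"]> " +
        @"<lolz>&lol9;</lolz>";

    var options = new Options.ParseOptions();
    // enable doctype
    options.DisallowDoctype = false;

    XmpException caught = null;
    try
    {
        XmpMetaFactory.ParseFromString(testdata, options);
    }
    catch (XmpException ex)
    {
        caught = ex;
    }

    // Parsing must fail; a successful parse would mean the expansion was not bounded.
    Assert.NotNull(caught);

    // Assert the inner exception exists before dereferencing it, so a missing cause is
    // reported as an assertion failure instead of a NullReferenceException.
    Assert.NotNull(caught.InnerException);

    // Ordinal comparison: this is a fixed identifier-like prefix, not linguistic text.
    // NOTE(review): the asserted text looks like a framework-generated message; if the
    // runtime localises it, this check is language-dependent. Confirm.
    Assert.True(caught.InnerException.Message.StartsWith(
        "The input document has exceeded a limit set by MaxCharactersFromEntities",
        System.StringComparison.Ordinal));
}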
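/// <summary>
/// Verifies that a nested-entity ("billion laughs") document is rejected outright when
/// the parser is called with its default options.
/// </summary>
/// <remarks>
/// No options are passed, so this pins the secure-by-default behaviour: the expected
/// failure is the DTD prohibition itself, meaning the entity definitions are never
/// expanded at all.
/// </remarks>
public void BillionLaughs_DoctypeDisabled()
{
    // Nine entity levels, each referencing the previous level ten times, so the single
    // &lol9; reference would expand to 10^8 copies of "lol" if the DTD were processed.
    // The pieces are concatenated constants; the resulting string is identical to the
    // single-literal form.
    var testdata =
        @"<?xml version=""1.0""?> " +
        @"<!DOCTYPE lolz [ " +
        @"<!ENTITY lol ""lol""> " +
        @"<!ENTITY lol2 ""&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;""> " +
        @"<!ENTITY lol3 ""&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;""> " +
        @"<!ENTITY lol4 ""&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;""> " +
        @"<!ENTITY lol5 ""&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;""> " +
        @"<!ENTITY lol6 ""&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;""> " +
        @"<!ENTITY lol7 ""&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;""> " +
        @"<!ENTITY lol8 ""&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;""> " +
        @"<!ENTITY lol9 ""&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;""> " +
        @"]> " +
        @"<lolz>&lol9;</lolz>";

    XmpException caught = null;
    try
    {
        // doctype not allowed by default
        XmpMetaFactory.ParseFromString(testdata);
    }
    catch (XmpException ex)
    {
        caught = ex;
    }

    // Parsing must fail; success would mean DTDs are accepted without being enabled.
    Assert.NotNull(caught);

    // Assert the inner exception exists before dereferencing it, so a missing cause is
    // reported as an assertion failure instead of a NullReferenceException.
    Assert.NotNull(caught.InnerException);

    // Ordinal comparison: this is a fixed prefix, not linguistic text.
    // NOTE(review): the asserted text looks like a framework-generated message; if the
    // runtime localises it, this check is language-dependent. Confirm.
    Assert.True(caught.InnerException.Message.StartsWith(
        "For security reasons DTD is prohibited",
        System.StringComparison.Ordinal));
}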
/// <summary>
/// Checks that the byte-array parsing entry point rejects the XXE sample document
/// (<c>XMP_WITH_XXE</c>, defined outside this method) with an <c>XmpException</c>.
/// </summary>
public virtual void XxeTestFromByteBuffer()
{
    XmpException thrown = Assert.Throws<XmpException>(() =>
    {
        // Encode inside the callback, as the parse call is the only statement expected to throw.
        byte[] xxeBytes = System.Text.Encoding.UTF8.GetBytes(XMP_WITH_XXE);
        XmpMetaParser.Parse(xxeBytes, null);
    });

    // NOTE(review): the expected message names an encoding failure rather than a DTD or
    // external-entity rejection. Confirm this is the path by which the parser refuses the
    // document, so the test cannot pass for a reason unrelated to XXE handling.
    Assert.AreEqual("Unsupported Encoding", thrown.Message);
}
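/// <summary>
/// Checks that the stream parsing entry point rejects the XXE sample document
/// (<c>XMP_WITH_XXE</c>, defined outside this method) with an <c>XmpException</c>.
/// </summary>
public virtual void XxeTestFromInputStream()
{
    // Declared as Stream so the same Parse overload is selected as before; the using
    // statement releases the stream even when an assertion below fails.
    using (Stream inputStream = new MemoryStream(System.Text.Encoding.UTF8.GetBytes(XMP_WITH_XXE)))
    {
        XmpException thrown = Assert.Throws<XmpException>(delegate
        {
            XmpMetaParser.Parse(inputStream, null);
        });

        // NOTE(review): the expected message names an encoding failure rather than a DTD or
        // external-entity rejection. Confirm this is the path by which the parser refuses the
        // document, so the test cannot pass for a reason unrelated to XXE handling.
        Assert.AreEqual("Unsupported Encoding", thrown.Message);
    }
}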