#!/usr/bin/env python3
# coding: utf-8
from __future__ import print_function, unicode_literals
import re
import unittest
from xml.etree import ElementTree as ET
from copyparty.dxml import BadXML, mkenod, mktnod, parse_xml
# Bind the WebDAV namespace URI to the "D" prefix so that ET.tostring()
# emits <D:...> elements, which the serialization checks in this file expect.
ET.register_namespace(prefix="D", uri="DAV:")
def _parse(txt):
    """Require that parse_xml refuses *txt*.

    Returns quietly when parse_xml raises BadXML. If parse_xml accepts the
    document, a generic Exception("unsafe") is raised so the calling test
    errors out. Any other exception from parse_xml propagates unchanged.
    """
    try:
        parse_xml(txt)
    except BadXML:
        # rejection is the expected outcome for every hostile sample
        return

    raise Exception("unsafe")
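class TestDXML(unittest.TestCase):
    """Tests for the copyparty.dxml XML helpers.

    The first group feeds parse_xml documents that carry a DOCTYPE with
    entity or external-DTD declarations and requires each one to be rejected
    with BadXML (via the module-level _parse helper). The second group
    exercises parse_xml, mkenod and mktnod on WebDAV request bodies.
    """

    def test_qbe(self):
        """A document that declares and repeatedly references an internal entity is rejected."""
        # allowed by default; verify that we stopped it
        txt = r"""<!DOCTYPE qbe [
<!ENTITY a "nice_bakuretsu">
]>
<l>&a;&a;&a;&a;&a;&a;&a;&a;&a;</l>"""
        _parse(txt)
        # the stock parser accepts the same input (this call must not raise),
        # which is the default behaviour parse_xml is expected to tighten
        ET.fromstring(txt)

    def test_ent_file(self):
        """An external entity pointing at a local file is rejected by both parsers."""
        # NOT allowed by default; should still be blocked
        # the element body has to dereference the declared entity (&ee;),
        # otherwise the stock parser has nothing to refuse
        txt = r"""<!DOCTYPE ext [
<!ENTITY ee SYSTEM "file:///bin/bash">
]>
<root>&ee;</root>"""
        _parse(txt)
        # stock ElementTree must refuse the reference as well
        with self.assertRaises(ET.ParseError):
            ET.fromstring(txt)

    def test_ent_ext(self):
        """An external entity pointing at an HTTP URL is rejected by parse_xml."""
        # NOT allowed by default; should still be blocked
        txt = r"""<!DOCTYPE ext [
<!ENTITY ee SYSTEM "http://example.com/a.xml">
]>
<root>&ee;</root>"""
        _parse(txt)

    def test_dtd(self):
        """A DOCTYPE that references an external DTD is rejected by parse_xml."""
        # allowed by default; verify that we stopped it
        txt = r"""<!DOCTYPE d SYSTEM "a.dtd">
<root>a</root>"""
        _parse(txt)
        # the stock parser accepts the same input (this call must not raise)
        ET.fromstring(txt)

    ##
    ## end of negative/security tests; the rest is functional
    ##

    def test3(self):
        """A PROPFIND body with CRLF line endings parses and keeps its prop children in order."""
        txt = r"""<?xml version="1.0" ?>
<propfind xmlns="DAV:">
<prop>
<name/>
<href/>
</prop>
</propfind>
"""
        txt = txt.replace("\n", "\r\n")
        # sanity check: the stock parser must accept the document too
        ET.fromstring(txt)
        el = parse_xml(txt)
        self.assertListEqual(
            [y.tag for y in el.findall(r"./{DAV:}prop/*")],
            [r"{DAV:}name", r"{DAV:}href"],
        )

    def test4(self):
        """A PROPPATCH body parses, and its cleared prop children serialize with the D: prefix."""
        txt = r"""<?xml version="1.0" encoding="utf-8" ?>
<D:propertyupdate xmlns:D="DAV:" xmlns:Z="urn:schemas-microsoft-com:">
<D:set>
<D:prop>
<Z:Win32CreationTime>Thu, 20 Oct 2022 02:16:33 GMT</Z:Win32CreationTime>
<Z:Win32LastAccessTime>Thu, 20 Oct 2022 02:16:35 GMT</Z:Win32LastAccessTime>
<Z:Win32LastModifiedTime>Thu, 20 Oct 2022 02:16:33 GMT</Z:Win32LastModifiedTime>
<Z:Win32FileAttributes>00000000</Z:Win32FileAttributes>
</D:prop>
</D:set>
</D:propertyupdate>"""

        # sample multistatus response kept for reference; nothing below reads it
        ref = r"""<?xml version="1.0" encoding="UTF-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>/d1/foo.txt</D:href>
<D:propstat>
<D:prop>
<Win32CreationTime xmlns="urn:schemas-microsoft-com:"></Win32CreationTime>
<Win32LastAccessTime xmlns="urn:schemas-microsoft-com:"></Win32LastAccessTime>
<Win32LastModifiedTime xmlns="urn:schemas-microsoft-com:"></Win32LastModifiedTime>
<Win32FileAttributes xmlns="urn:schemas-microsoft-com:"></Win32FileAttributes>
</D:prop>
<D:status>HTTP/1.1 403 Forbidden</D:status>
</D:propstat>
</D:response>
</D:multistatus>"""

        # drop leading spaces after each newline so the serialized output is
        # independent of how the sample is indented
        txt = re.sub("\n +", "\n", txt)

        root = mkenod("a")
        root.insert(0, parse_xml(txt))
        prop = root.find(r"./{DAV:}propertyupdate/{DAV:}set/{DAV:}prop")
        # unittest assertions instead of bare assert, which is stripped under -O
        self.assertIsNotNone(prop)
        self.assertTrue(len(prop))

        # clear() removes each property's text, attributes and tail
        for el in prop:
            el.clear()

        res = ET.tostring(prop).decode("utf-8")
        want = """<D:prop xmlns:D="DAV:" xmlns:ns1="urn:schemas-microsoft-com:">
<ns1:Win32CreationTime /><ns1:Win32LastAccessTime /><ns1:Win32LastModifiedTime /><ns1:Win32FileAttributes /></D:prop>
"""
        self.assertEqual(res, want)

    def test5(self):
        """A LOCK body parses to a lockinfo element and can be rebuilt into a lockdiscovery tree."""
        txt = r"""<?xml version="1.0" encoding="utf-8" ?>
<D:lockinfo xmlns:D="DAV:">
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
<D:owner><D:href>DESKTOP-FRS9AO2\ed</D:href></D:owner>
</D:lockinfo>"""

        # sample lockdiscovery response kept for reference; nothing below reads it
        ref = r"""<?xml version="1.0" encoding="utf-8"?>
<D:prop xmlns:D="DAV:"><D:lockdiscovery><D:activelock>
<D:locktype><D:write/></D:locktype>
<D:lockscope><D:exclusive/></D:lockscope>
<D:depth>infinity</D:depth>
<D:owner><D:href>DESKTOP-FRS9AO2\ed</D:href></D:owner>
<D:timeout>Second-3600</D:timeout>
<D:locktoken><D:href>1666199679</D:href></D:locktoken>
<D:lockroot><D:href>/d1/foo.txt</D:href></D:lockroot>
</D:activelock></D:lockdiscovery></D:prop>"""

        txt = re.sub("\n +", "\n", txt)

        lk = parse_xml(txt)
        self.assertEqual(lk.tag, "{DAV:}lockinfo")

        # supply a depth only when the request did not carry one
        if lk.find(r"./{DAV:}depth") is None:
            lk.append(mktnod("D:depth", "infinity"))

        lk.append(mkenod("D:timeout", mktnod("D:href", "Second-3600")))
        lk.append(mkenod("D:locktoken", mktnod("D:href", "56709")))
        lk.append(mkenod("D:lockroot", mktnod("D:href", "/foo/bar.txt")))

        lk2 = mkenod("D:activelock")
        root = mkenod("D:prop", mkenod("D:lockdiscovery", lk2))
        for a in lk:
            lk2.append(a)

        # NOTE(review): the assembled tree is only printed; no assertion
        # compares it with anything, so this test passes on any output
        print(ET.tostring(root).decode("utf-8"))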