Support for additional callback in XML Security Scanner

2018-11-25 14:00:35 +01:00 · 2018-11-25 14:00:35 +01:00 · 41bcf9a21c
parent c708411529
commit 41bcf9a21c
3 changed files with 43 additions and 0 deletions
--- a/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
+++ b/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
@ -27,6 +27,8 @@ class XmlScanner
     */
    private $pattern;

+    private $callback;
+
    private function __construct($pattern = '<!DOCTYPE')
    {
        $this->pattern = $pattern;
@ -77,6 +79,11 @@ class XmlScanner
        return false;
    }

+    public function setAdditionalCallback(callable $callback)
+    {
+        $this->callback = $callback;
+    }
+
    /**
     * Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks.
     *
@ -102,6 +109,10 @@ class XmlScanner
            throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
        }

+        if ($this->callback !== null && is_callable($this->callback)) {
+            $xml = call_user_func($this->callback, $xml);
+        }
+
        return $xml;
    }

--- a/tests/PhpSpreadsheetTests/Reader/Security/XmlScannerTest.php
+++ b/tests/PhpSpreadsheetTests/Reader/Security/XmlScannerTest.php
@ -75,4 +75,29 @@ class XmlScannerTest extends TestCase
        //    Must return a null...
        $this->assertNull($scanner);
    }
+
+    /**
+     * @dataProvider providerValidXMLForCallback
+     *
+     * @param mixed $filename
+     */
+    public function testSecurityScanWithCallback($filename, $expectedResult)
+    {
+        $fileReader = new Xlsx();
+        $scanner = $fileReader->getSecuritySCanner();
+        $scanner->setAdditionalCallback('strrev');
+        $xml = $scanner->scanFile($filename);
+
+        $this->assertEquals(strrev($expectedResult), $xml);
+    }
+
+    public function providerValidXMLForCallback()
+    {
+        $tests = [];
+        foreach (glob(__DIR__ . '/../../../data/Reader/Xml/SecurityScannerWithCallback*.xml') as $file) {
+            $tests[basename($file)] = [realpath($file), file_get_contents($file)];
+        }
+
+        return $tests;
+    }
 }
--- a/tests/data/Reader/Xml/SecurityScannerWithCallbackExample.xml
+++ b/tests/data/Reader/Xml/SecurityScannerWithCallbackExample.xml
@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<note>
+    <to>Users</to>
+    <from>Mark</from>
+    <heading>Reminder</heading>
+    <body>Don't forget PHPSpreadsheet Security!</body>
+</note>