alex/PhpSpreadsheet
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Modified XEE security scan to handle UTF-16 charset, and added unit tests for the security scan

Browse Source
This commit is contained in:
MarkBaker 2015-04-29 22:23:14 +01:00
parent 0ab614fd95
commit bc7028ae4e
10 changed files with 69 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Classes/PHPExcel/Reader/Abstract.php
View File

@ -235,7 +235,8 @@ abstract class PHPExcel_Reader_Abstract implements PHPExcel_Reader_IReader
*/
public function securityScan($xml)
{
if (strpos($xml, '<!ENTITY') !== false) {
$pattern = '/\0?<\0?!\0?E\0?N\0?T\0?I\0?T\0?Y\0?/';
if (preg_match($pattern, $xml)) {
throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
}
return $xml;

55
unitTests/Classes/PHPExcel/Reader/XEEValidatorTest.php Normal file
View File

@ -0,0 +1,55 @@
<?php
class XEEValidatorTest extends PHPUnit_Framework_TestCase
{
public function setUp()
{
if (!defined('PHPEXCEL_ROOT')) {
define('PHPEXCEL_ROOT', APPLICATION_PATH . '/');
}
require_once(PHPEXCEL_ROOT . 'PHPExcel/Autoloader.php');
}
/**
* @dataProvider providerInvalidXML
* @expectedException PHPExcel_Reader_Exception
*/
public function testInvalidXML($filename)
{
$reader = $this->getMockForAbstractClass('PHPExcel_Reader_Abstract');
$expectedResult = 'FAILURE: Should throw an Exception rather than return a value';
$result = $reader->securityScanFile($filename);
$this->assertEquals($expectedResult, $result);
}
public function providerInvalidXML()
{
$tests = [];
foreach(glob('rawTestData/Reader/XEETestInvalid*.xml') as $file) {
$tests[] = [realpath($file), true];
}
return $tests;
}
/**
* @dataProvider providerValidXML
*/
public function testValidXML($filename, $expectedResult)
{
$reader = $this->getMockForAbstractClass('PHPExcel_Reader_Abstract');
$result = $reader->securityScanFile($filename);
$this->assertEquals($expectedResult, $result);
}
public function providerValidXML()
{
$tests = [];
foreach(glob('rawTestData/Reader/XEETestValid*.xml') as $file) {
$tests[] = [realpath($file), file_get_contents($file)];
}
return $tests;
}
}

BIN
unitTests/rawTestData/Reader/XEETestInvalidUTF-16.xml Normal file
View File

Binary file not shown.

BIN
unitTests/rawTestData/Reader/XEETestInvalidUTF-16BE.xml Normal file
View File

Binary file not shown.

BIN
unitTests/rawTestData/Reader/XEETestInvalidUTF-16LE.xml Normal file
View File

Binary file not shown.

8
unitTests/rawTestData/Reader/XEETestInvalidUTF-8.xml Normal file
View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root [
<!ENTITY x0 "DoS">
]>
<root>
test: (&x0;)
</root>

BIN
unitTests/rawTestData/Reader/XEETestValidUTF-16.xml Normal file
View File

Binary file not shown.

BIN
unitTests/rawTestData/Reader/XEETestValidUTF-16BE.xml Normal file
View File

Binary file not shown.

BIN
unitTests/rawTestData/Reader/XEETestValidUTF-16LE.xml Normal file
View File

Binary file not shown.

4
unitTests/rawTestData/Reader/XEETestValidUTF-8.xml Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<root>
test: Valid
</root>