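/**
 * **************************************************************************
 *
 * Contributor(s):
 *   C. Heazel (WiSC): Added Fortify adjudication changes
 *
 * ***************************************************************************
 */
package com.occamlab.te.util;

import static org.junit.Assert.*;

import java.io.File;
import java.io.IOException;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;

import org.apache.xerces.impl.Constants;
import org.junit.Test;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Tests for {@link XMLParserUtils#createXIncludeAwareSAXParser(boolean)}.
 *
 * Two things are checked: the parser reports the requested Xerces
 * "fixup base URIs" setting, and that setting is observable in the parsed
 * output — with fixup off no {@code xml:base} attribute reaches the
 * {@code legalnotice} element; with fixup on one does.
 */
public class XMLParserUtilsTest {

    /** SAX feature: expansion of external general entities (the classic XXE vector). */
    private static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";

    /** SAX feature: loading of external parameter entities, i.e. external DTD subsets. */
    private static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    /** Fixture resolved relative to the working directory, as in the original test. */
    private static final String ARTICLE_FIXTURE = "src/test/resources/article.xml";

    /**
     * Fortify adjudication: disable external entity resolution on the reader
     * that backs {@code parser}, so a crafted fixture cannot pull in local files
     * or remote resources through entity declarations.
     *
     * The SAXParser wraps an XMLReader; {@code getXMLReader()} returns that
     * reader, so a feature set here is in effect for {@code parser.parse(...)}.
     *
     * NOTE(review): this hardening lives only in the tests. It protects nothing
     * in production — {@code XMLParserUtils.createXIncludeAwareSAXParser} is the
     * place to set these features (and, where supported, to disallow DOCTYPE
     * declarations) so every caller gets them. Also note that an XInclude-aware
     * parser fetches {@code xi:include} targets by design; disabling entities
     * does not restrict that, so such parsers must not be fed untrusted input.
     *
     * @param parser the parser whose underlying reader is to be hardened
     * @return the hardened reader, for tests that need to inspect features
     * @throws SAXException if the implementation does not recognise or support
     *         one of the features (both are standard SAX2 features on Xerces)
     */
    private static XMLReader disableExternalEntities(SAXParser parser) throws SAXException {
        XMLReader reader = parser.getXMLReader();
        reader.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        // The original mitigation stopped at general entities; parameter entities
        // are the other half of the XXE surface and are disabled here as well.
        reader.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        return reader;
    }

    /**
     * A parser created with fixup disabled must report the Xerces
     * "fixup base URIs" feature as {@code false}.
     */
    @Test
    public void xincludeParserNoBaseURIFixup() throws SAXException {
        SAXParser parser = XMLParserUtils.createXIncludeAwareSAXParser(false);
        assertNotNull(parser);
        XMLReader reader = disableExternalEntities(parser);
        String fixupFeature = Constants.XERCES_FEATURE_PREFIX + Constants.XINCLUDE_FIXUP_BASE_URIS_FEATURE;
        boolean baseURIFixup = reader.getFeature(fixupFeature);
        assertFalse("Expected feature to be false: " + Constants.XINCLUDE_FIXUP_BASE_URIS_FEATURE,
                baseURIFixup);
    }

    /**
     * With fixup disabled, no {@code xml:base} attribute is added to the
     * included {@code legalnotice}; the handler would throw if one were found.
     */
    @Test
    public void resolveXInclude_omitXMLBase() throws SAXException, IOException {
        File file = new File(ARTICLE_FIXTURE);
        SAXParser parser = XMLParserUtils.createXIncludeAwareSAXParser(false);
        disableExternalEntities(parser);
        parser.parse(file, new LegalNoticeHandler());
    }

    /**
     * With fixup enabled, an {@code xml:base} attribute is added to the
     * included {@code legalnotice}, which the handler reports by throwing
     * {@link AssertionError}.
     */
    @Test(expected = AssertionError.class)
    public void resolveXInclude_keepXMLBase() throws SAXException, IOException {
        File file = new File(ARTICLE_FIXTURE);
        SAXParser parser = XMLParserUtils.createXIncludeAwareSAXParser(true);
        disableExternalEntities(parser);
        parser.parse(file, new LegalNoticeHandler());
    }

    /**
     * Content handler that fails fast when a {@code legalnotice} element
     * carries an {@code xml:base} attribute.
     *
     * Declared static: it uses no state of the enclosing test instance.
     */
    private static final class LegalNoticeHandler extends DefaultHandler {

        /**
         * @throws AssertionError if {@code legalnotice} carries {@code xml:base}
         */
        @Override
        public void startElement(String uri, String localName, String qName, Attributes attribs)
                throws SAXException {
            // Attributes.getIndex returns -1 when the attribute is absent and 0 when it
            // is the first attribute. The original test used "> 0", which silently
            // ignored an xml:base that happened to be first; ">= 0" is the correct check.
            if (localName.equals("legalnotice")
                    && attribs.getIndex(XMLConstants.XML_NS_URI, "base") >= 0) {
                throw new AssertionError("Found xml:base attribute.");
            }
        }
    }
}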