Using secure processing

RUB-NDS · Jan 19, 2017 · 2d507c4 · 2d507c4
1 parent 6abe8d6
commit 2d507c4
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 2 deletions.
diff --git a/...ibrary/src/test/java/wsattacker/library/intelligentdos/IntelligentDoSLibraryImplTest.java b/...ibrary/src/test/java/wsattacker/library/intelligentdos/IntelligentDoSLibraryImplTest.java
@@ -32,6 +32,7 @@
 import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import javax.xml.XMLConstants;
 
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -379,7 +380,9 @@ private String removePlaceholder( String s )
     private String output( Document toAnalyze )
         throws TransformerException
     {
-        Transformer transformer = TransformerFactory.newInstance().newTransformer();
+        final TransformerFactory tf = TransformerFactory.newInstance();
+        tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
+        Transformer transformer = tf.newTransformer();
         transformer.setOutputProperty( OutputKeys.INDENT, "yes" );
         transformer.setOutputProperty( "{http://xml.apache.org/xslt}indent-amount", "2" );
         // initialize StreamResult with File object to save to file

diff --git a/...rary/src/test/java/wsattacker/library/intelligentdos/position/AnyElementPositionTest.java b/...rary/src/test/java/wsattacker/library/intelligentdos/position/AnyElementPositionTest.java
@@ -18,6 +18,7 @@
  */
 package wsattacker.library.intelligentdos.position;
 
+import javax.xml.XMLConstants;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertThat;
 
@@ -86,6 +87,7 @@ public void equalsTest()
         throws ParserConfigurationException
     {
         DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+        docFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
         DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
         // root elements
         Document doc = docBuilder.newDocument();

diff --git a/...lligent_Denial_of_Service_Library/src/test/java/wsattacker/testhelper/IDoSTestHelper.java b/...lligent_Denial_of_Service_Library/src/test/java/wsattacker/testhelper/IDoSTestHelper.java
@@ -23,6 +23,7 @@
 
 import java.io.IOException;
 import java.io.StringReader;
+import javax.xml.XMLConstants;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -56,6 +57,7 @@ public static Document createTestDocument()
         throws ParserConfigurationException, SAXException, IOException
     {
         DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+        docFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
         DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
 
         InputSource is = new InputSource( new StringReader( template ) );
@@ -68,6 +70,7 @@ public static String createTestString( PayloadPosition payloadPosition )
         throws ParserConfigurationException
     {
         DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+        docFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
         DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
 
         InputSource is = new InputSource( new StringReader( template ) );

diff --git a/...ure_Faking_Library/src/main/java/wsattacker/library/signatureFaking/XmlMessageSigner.java b/...ure_Faking_Library/src/main/java/wsattacker/library/signatureFaking/XmlMessageSigner.java
@@ -33,6 +33,7 @@
 import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.crypto.AlgorithmMethod;
 import javax.xml.crypto.KeySelector;
 import javax.xml.crypto.KeySelectorException;
@@ -126,6 +127,7 @@ public String signMessage(String message, String signedElementId, boolean useEnv
 
             // Instantiate the document to be signed.
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             dbf.setNamespaceAware(true);
             Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(message.getBytes()));
 

diff --git a/...ture_Wrapping_Library/src/test/java/wsattacker/library/signatureWrapping/util/Signer.java b/...ture_Wrapping_Library/src/test/java/wsattacker/library/signatureWrapping/util/Signer.java
@@ -26,6 +26,7 @@
 import java.security.cert.X509Certificate;
 import java.util.*;
 import java.util.logging.*;
+import javax.xml.XMLConstants;
 import javax.xml.crypto.MarshalException;
 import javax.xml.crypto.dsig.CanonicalizationMethod;
 import javax.xml.crypto.dsig.DigestMethod;
@@ -124,6 +125,7 @@ public void sign( Document doc, List<String> whatToSign )
 
         // Instantiate the document to be signed.
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
         // Of course, we need namespaces awereness
         dbf.setNamespaceAware( true );
 

diff --git a/...rary/src/test/java/wsattacker/library/xmlencryptionattack/attackengine/TestCBCOracle.java b/...rary/src/test/java/wsattacker/library/xmlencryptionattack/attackengine/TestCBCOracle.java
@@ -24,6 +24,7 @@
 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.apache.log4j.Logger;
@@ -132,6 +133,7 @@ public OracleResponse queryOracle( OracleRequest request )
 
             // Get the DOM Builder Factory
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
 
             // Get the DOM Builder
             DocumentBuilder builder = factory.newDocumentBuilder();

diff --git a/...ce/src/main/java/wsattacker/plugin/dos/dosExtension/option/OptionTextAreaSoapMessage.java b/...ce/src/main/java/wsattacker/plugin/dos/dosExtension/option/OptionTextAreaSoapMessage.java
@@ -24,6 +24,7 @@
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
+import wsattacker.library.xmlutilities.dom.DomUtilities;
 import wsattacker.main.composition.plugin.option.AbstractOptionString;
 import wsattacker.main.composition.testsuite.CurrentRequestContentChangeObserver;
 import wsattacker.main.composition.testsuite.CurrentRequestObserver;
@@ -200,7 +201,7 @@ public void insertPayloadPlaceholder( String inMessage )
         }
 
         // replace valid placeholder Nodes with placeholder strings
-        preSoapMessage = SoapUtilities.domToString( doc );
+        preSoapMessage = DomUtilities.domToString( doc );
         preSoapMessage = preSoapMessage.replace( "PAYLOAD=\"PAYLOAD\"", "$$PAYLOADATTR$$" );
         preSoapMessage = preSoapMessage.replace( "<PAYLOADELEMENT/>", "$$PAYLOADELEMENT$$" );