selftest dxml on startup:

try to decode some malicious xml on startup; if this succeeds, then force-disable all xml-based features (primarily WebDAV) this is paranoid future-proofing against unanticipated changes in future versions of python, specifically if the importlib or xml.etree.ET behavior changes in a way that somehow reenables entity expansion, which (still hypothetically) would probably be caused by failing to unload the `_elementtree` c-module no past or present python versions are affected by this change
2025-10-03 09:49:29 +02:00 · 2025-01-17 06:06:36 +00:00 · 2025-01-17 06:06:36 +00:00 · b2e8bf6e89
commit b2e8bf6e89
parent 170cbe98c5
4 changed files with 90 additions and 5 deletions
--- a/tests/test_dxml.py
+++ b/tests/test_dxml.py
@ -20,7 +20,8 @@ def _parse(txt):


 class TestDXML(unittest.TestCase):
-    def test1(self):
+    def test_qbe(self):
+        # allowed by default; verify that we stopped it
        txt = r"""<!DOCTYPE qbe [
 <!ENTITY a "nice_bakuretsu">
 ]>
@ -28,7 +29,8 @@ class TestDXML(unittest.TestCase):
        _parse(txt)
        ET.fromstring(txt)

-    def test2(self):
+    def test_ent_file(self):
+        # NOT allowed by default; should still be blocked
        txt = r"""<!DOCTYPE ext [
 <!ENTITY ee SYSTEM "file:///bin/bash">
 ]>
@ -40,6 +42,25 @@ class TestDXML(unittest.TestCase):
        except ET.ParseError:
            pass

+    def test_ent_ext(self):
+        # NOT allowed by default; should still be blocked
+        txt = r"""<!DOCTYPE ext [
+<!ENTITY ee SYSTEM "http://example.com/a.xml">
+]>
+<root>&ee;</root>"""
+        _parse(txt)
+
+    def test_dtd(self):
+        # allowed by default; verify that we stopped it
+        txt = r"""<!DOCTYPE d SYSTEM "a.dtd">
+<root>a</root>"""
+        _parse(txt)
+        ET.fromstring(txt)
+
+    ##
+    ## end of negative/security tests; the rest is functional
+    ##
+
    def test3(self):
        txt = r"""<?xml version="1.0" ?>
 <propfind xmlns="DAV:">