def testXXE(self):
    """Expect defusedxml's pulldom to reject the XXE fixture.

    Parsing and node expansion both run inside ``assertRaises``: pulldom
    hands out events lazily, so the forbidden entity construct is only
    reached while the stream is iterated, not when ``parse()`` returns.
    """
    fixture = '../../xml_files_windows/xxe.xml'
    wanted = "data"
    with self.assertRaises(EntitiesForbidden):
        stream = _DEFUSED.parse(fixture)
        for kind, element in stream:
            # Only element starts carry a tagName worth comparing.
            if kind != _PULLDOM.START_ELEMENT:
                continue
            if element.tagName == wanted:
                stream.expandNode(element)
def testXXE(self):
    """Verify that the defused pulldom parser refuses the xxe/xxe.xml fixture.

    The test passes only if ``EntitiesForbidden`` is raised somewhere between
    opening the document and expanding its ``data`` element.
    """
    xml_path = '../../xml_files_windows/xxe/xxe.xml'
    target_tag = "data"
    with self.assertRaises(EntitiesForbidden):
        events = _DEFUSED.parse(xml_path)
        # Iteration stays inside the context manager because the parser
        # consumes the input incrementally as events are requested.
        for event_type, current in events:
            is_start = event_type == _PULLDOM.START_ELEMENT
            if is_start and current.tagName == target_tag:
                events.expandNode(current)
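def testXInclude(self):
    """Check that the defused parser leaves an XInclude directive unprocessed.

    Expands the ``data`` element of the xinclude fixture and asserts that its
    first child is still the literal ``xi:include`` element, i.e. the
    directive was treated as ordinary markup.
    """
    file = '../../xml_files_windows/xinclude.xml'
    tagName = "data"
    matched = False
    doc = _DEFUSED.parse(file)
    for event, node in doc:
        if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
            matched = True
            doc.expandNode(node)
            self.assertEqual("xi:include", node.firstChild.nodeName)
    # The assertion above only runs when <data> is seen; without this check
    # a changed or empty fixture would let the security test pass vacuously.
    self.assertTrue(matched, "no <data> element found in " + file)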
def testParameterEntity_doctype(self):
    """Expect ``ExternalReferenceForbidden`` for the parameterEntity_doctype fixture.

    The fixture itself is not shown here; judging by its name it references
    external DTD content from the doctype. The test only asserts the
    exception type raised while the stream is consumed.
    """
    fixture = '../../xml_files_windows/parameterEntity_doctype.xml'
    wanted = "data"
    with self.assertRaises(ExternalReferenceForbidden):
        stream = _DEFUSED.parse(fixture)
        for kind, element in stream:
            if kind != _PULLDOM.START_ELEMENT:
                continue
            if element.tagName == wanted:
                stream.expandNode(element)
def testParameterEntity_doctype(self):
    """Verify the xxep/parameterEntity_doctype.xml fixture is rejected.

    Passes only when ``ExternalReferenceForbidden`` is raised during parsing
    or while the ``data`` element is expanded.
    """
    xml_path = '../../xml_files_windows/xxep/parameterEntity_doctype.xml'
    target_tag = "data"
    with self.assertRaises(ExternalReferenceForbidden):
        events = _DEFUSED.parse(xml_path)
        # Keep the loop inside the context manager: input is read as
        # events are pulled, so the exception surfaces during iteration.
        for event_type, current in events:
            is_start = event_type == _PULLDOM.START_ELEMENT
            if is_start and current.tagName == target_tag:
                events.expandNode(current)
def testInternalSubset_PEReferenceInDTD(self):
    """Expect ``EntitiesForbidden`` for the internalSubset_PEReferenceInDTD fixture.

    The fixture name suggests a parameter-entity reference inside the
    internal DTD subset; only the raised exception type is checked here.
    """
    fixture = '../../xml_files_windows/xxep/internalSubset_PEReferenceInDTD.xml'
    wanted = "data"
    with self.assertRaises(EntitiesForbidden):
        stream = _DEFUSED.parse(fixture)
        for kind, element in stream:
            if kind != _PULLDOM.START_ELEMENT:
                continue
            if element.tagName == wanted:
                stream.expandNode(element)
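def testXSLT(self):
    """Check that an XSLT stylesheet is parsed as plain XML.

    Expands the ``xsl:stylesheet`` element of the fixture and asserts its
    node name. No stylesheet processing is invoked by this test; it only
    confirms the defused parser accepts the document.
    """
    file = '../../xml_files_windows/optional/xslt.xsl'
    tagName = "xsl:stylesheet"
    matched = False
    doc = _DEFUSED.parse(file)
    for event, node in doc:
        if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
            matched = True
            doc.expandNode(node)
            self.assertEqual("xsl:stylesheet", node.nodeName)
    # Guard against a vacuous pass when the element is never encountered.
    self.assertTrue(matched, "no <xsl:stylesheet> element found in " + file)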
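def testXInclude(self):
    """Check that XInclude is not resolved by the defused pulldom parser.

    After expanding ``data``, its first child must still be named
    ``xi:include``, showing the directive was kept as an ordinary element.
    """
    file = '../../xml_files_windows/xinclude.xml'
    tagName = "data"
    seen_target = False
    doc = _DEFUSED.parse(file)
    for event, node in doc:
        if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
            seen_target = True
            doc.expandNode(node)
            self.assertEqual("xi:include", node.firstChild.nodeName)
    # The check above is skipped entirely if <data> never appears, so make
    # that case an explicit failure instead of a silent pass.
    self.assertTrue(seen_target, "no <data> element found in " + file)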
def testInternalSubset_PEReferenceInDTD(self):
    """Verify the internalSubset_PEReferenceInDTD.xml fixture is rejected.

    Passes only when ``EntitiesForbidden`` is raised while the document is
    parsed or its ``data`` element is expanded.
    """
    xml_path = '../../xml_files_windows/internalSubset_PEReferenceInDTD.xml'
    target_tag = "data"
    with self.assertRaises(EntitiesForbidden):
        events = _DEFUSED.parse(xml_path)
        # Iteration belongs inside the context manager because the input
        # is consumed incrementally as events are requested.
        for event_type, current in events:
            is_start = event_type == _PULLDOM.START_ELEMENT
            if is_start and current.tagName == target_tag:
                events.expandNode(current)
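def testDefault_noAttack(self):
    """Baseline: a benign document parses normally with the defused parser.

    Expands ``data`` in standard.xml and asserts the element name and that
    its first child carries the text ``"4"``. This shows the hardening does
    not break ordinary input.
    """
    file = '../../xml_files_windows/standard.xml'
    tagName = "data"
    matched = False
    doc = _DEFUSED.parse(file)
    for event, node in doc:
        if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
            matched = True
            doc.expandNode(node)
            self.assertEqual("data", node.nodeName)
            self.assertEqual("4", node.firstChild.data)
    # Fail explicitly if the element was never seen; otherwise none of the
    # assertions above would have run.
    self.assertTrue(matched, "no <data> element found in " + file)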
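def testDefault_noAttack(self):
    """Baseline check that standard.xml is parsed unchanged.

    The ``data`` element is expanded and must be named ``data`` with a first
    child whose text is ``"4"``.
    """
    file = '../../xml_files_windows/standard.xml'
    tagName = "data"
    seen_target = False
    doc = _DEFUSED.parse(file)
    for event, node in doc:
        if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
            seen_target = True
            doc.expandNode(node)
            self.assertEqual("data", node.nodeName)
            self.assertEqual("4", node.firstChild.data)
    # The assertions live inside the match branch, so a document without
    # <data> must be reported rather than counted as a pass.
    self.assertTrue(seen_target, "no <data> element found in " + file)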
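def testURLInvocation_noNamespaceSchemaLocation(self):
    """Check that parsing does not trigger an outbound HTTP request.

    Resets the request counter on the helper server, confirms it reads
    ``"0"``, parses the fixture, then confirms the counter is still ``"0"``.
    No exception is expected from the parser in this test.
    """
    # Bound every HTTP call so an unreachable counter server fails the test
    # instead of hanging the run. The value is a chosen bound, in seconds.
    timeout = 10

    #Reset the server back to "0"
    requests.get(self._URL_ + "/reset", timeout=timeout)
    r = requests.get(self._URL_ + "/getCounter", timeout=timeout)
    request_content = r.text.replace("\r\n", "")
    self.assertEqual("0", request_content)

    file = '../../xml_files_windows/url_invocation_noNamespaceSchemaLocation.xml'
    tagName = "data"
    doc = _DEFUSED.parse(file)
    for event, node in doc:
        if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
            doc.expandNode(node)

    #Check if a request has been made
    # NOTE(review): a "0" here only proves nothing reached self._URL_; this
    # assumes the fixture's schema location points at that same server.
    r = requests.get(self._URL_ + "/getCounter", timeout=timeout)
    request_content = r.text.replace("\r\n", "")
    self.assertEqual("0", request_content)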
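def testURLInvocation_noNamespaceSchemaLocation(self):
    """Verify the ssrf/url_invocation_noNamespaceSchemaLocation.xml fixture causes no HTTP request.

    The helper server's counter is reset and read before parsing, then read
    again afterwards; both reads must return ``"0"``.
    """
    # Seconds; a chosen bound so a dead counter server produces a failure
    # rather than an indefinitely blocked test run.
    http_timeout = 10

    #Reset the server back to "0"
    requests.get(self._URL_ + "/reset", timeout=http_timeout)
    r = requests.get(self._URL_ + "/getCounter", timeout=http_timeout)
    request_content = r.text.replace("\r\n", "")
    self.assertEqual("0", request_content)

    file = '../../xml_files_windows/ssrf/url_invocation_noNamespaceSchemaLocation.xml'
    tagName = "data"
    doc = _DEFUSED.parse(file)
    for event, node in doc:
        if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
            doc.expandNode(node)

    #Check if a request has been made
    # NOTE(review): the check is only meaningful if the URL inside the
    # fixture targets the server behind self._URL_ - confirm when the
    # fixture or the server address changes.
    r = requests.get(self._URL_ + "/getCounter", timeout=http_timeout)
    request_content = r.text.replace("\r\n", "")
    self.assertEqual("0", request_content)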
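def testURLInvocation_parameterEntity(self):
    """Check that a parameter-entity URL is rejected and never fetched.

    Two properties are asserted: parsing raises ``EntitiesForbidden``, and
    the helper server's request counter is still ``"0"`` afterwards, so the
    rejection happened before any outbound request was made.
    """
    # Bound every HTTP call so an unreachable counter server fails the test
    # instead of hanging the run. The value is a chosen bound, in seconds.
    timeout = 10

    #Reset the server back to "0"
    requests.get(self._URL_ + "/reset", timeout=timeout)
    r = requests.get(self._URL_ + "/getCounter", timeout=timeout)
    request_content = r.text.replace("\r\n", "")
    self.assertEqual("0", request_content)

    file = '../../xml_files_windows/ssrf/url_invocation_parameterEntity.xml'
    tagName = "data"
    with self.assertRaises(EntitiesForbidden):
        doc = _DEFUSED.parse(file)
        for event, node in doc:
            if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
                doc.expandNode(node)

    #Check if a request has been made
    # This read sits outside the assertRaises block on purpose: inside it,
    # the expected exception would skip the counter check.
    # NOTE(review): assumes the fixture's URL targets self._URL_ - confirm.
    r = requests.get(self._URL_ + "/getCounter", timeout=timeout)
    request_content = r.text.replace("\r\n", "")
    self.assertEqual("0", request_content)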
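import xml.dom.pulldom as _PULLDOM
import defusedxml.pulldom as _DEFUSED
import xml.sax as _SAX

# Demo script: parse the benign fixture through defusedxml's pulldom wrapper
# (used here in place of xml.dom.pulldom.parse) and dump the <data> element.
doc = _DEFUSED.parse('../../xml_files_windows/standard.xml')

# Disabled experiment kept from the original, where it was parked inside a
# bare string literal:
#   parser = _SAX.make_parser()
#   doc = _DEFUSED.parse('../../xml_files_windows/standard.xml')

for event, node in doc:
    if event == _PULLDOM.START_ELEMENT and node.tagName == "data":
        # Pull the rest of the element's subtree into the DOM node.
        doc.expandNode(node)
        # Single-argument print(...) behaves the same on Python 2 and 3,
        # unlike the original print statements, which are Python 2 only.
        print(node.nodeName)
        #access the first child elements name
        print(node.firstChild.nodeName)
        #access the first child elements value
        print(node.firstChild.data)
        # print out the node including child elements
        print(node.toxml())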