def testXXE(self):
		"""Expect EntitiesForbidden when the XXE fixture is read via defusedxml's pulldom."""
		xml_path = '../../xml_files_windows/xxe.xml'
		wanted_tag = "data"
		with self.assertRaises(EntitiesForbidden):
			# Parsing and iteration both sit inside the context manager, so the
			# exception is accepted at either point.
			events = _DEFUSED.parse(xml_path)
			for kind, element in events:
				if kind != _PULLDOM.START_ELEMENT:
					continue
				if element.tagName == wanted_tag:
					events.expandNode(element)
Exemplo n.º 2
 def testXXE(self):
     """Expect EntitiesForbidden when the XXE fixture is read via defusedxml's pulldom."""
     xml_path = '../../xml_files_windows/xxe/xxe.xml'
     wanted_tag = "data"
     with self.assertRaises(EntitiesForbidden):
         # Parsing and iteration both sit inside the context manager, so the
         # exception is accepted at either point.
         events = _DEFUSED.parse(xml_path)
         for kind, element in events:
             if kind != _PULLDOM.START_ELEMENT:
                 continue
             if element.tagName == wanted_tag:
                 events.expandNode(element)
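	def testXInclude(self):
		"""Check that the XInclude fixture parses and its xi:include element is left in place.

		The first child of <data> must still be named "xi:include" after the
		node is expanded. The test fails if no <data> start element is seen,
		so the check cannot pass without having run.
		"""
		xml_path = '../../xml_files_windows/xinclude.xml'
		tagName = "data"

		doc = _DEFUSED.parse(xml_path)
		matched = 0
		for event, node in doc:
			if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
				# expandNode reads ahead to the element's end and attaches its children.
				doc.expandNode(node)
				matched += 1
				self.assertEqual("xi:include", node.firstChild.nodeName)
		# Guard against a vacuous pass: the assertion above only runs on a match.
		self.assertTrue(matched > 0, "no <data> start element found in " + xml_path)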
	def testParameterEntity_doctype(self):
		"""Expect ExternalReferenceForbidden for the parameter-entity-in-doctype fixture."""
		xml_path = '../../xml_files_windows/parameterEntity_doctype.xml'
		wanted_tag = "data"
		with self.assertRaises(ExternalReferenceForbidden):
			# The exception may surface from parse() or while events are pulled.
			events = _DEFUSED.parse(xml_path)
			for kind, element in events:
				if kind != _PULLDOM.START_ELEMENT:
					continue
				if element.tagName == wanted_tag:
					events.expandNode(element)
Exemplo n.º 5
    def testParameterEntity_doctype(self):
        """Expect ExternalReferenceForbidden for the parameter-entity-in-doctype fixture."""
        xml_path = '../../xml_files_windows/xxep/parameterEntity_doctype.xml'
        wanted_tag = "data"
        with self.assertRaises(ExternalReferenceForbidden):
            # The exception may surface from parse() or while events are pulled.
            events = _DEFUSED.parse(xml_path)
            for kind, element in events:
                if kind != _PULLDOM.START_ELEMENT:
                    continue
                if element.tagName == wanted_tag:
                    events.expandNode(element)
Exemplo n.º 6
    def testInternalSubset_PEReferenceInDTD(self):
        """Expect EntitiesForbidden for the fixture with a PE reference in the internal subset."""
        xml_path = '../../xml_files_windows/xxep/internalSubset_PEReferenceInDTD.xml'
        wanted_tag = "data"
        with self.assertRaises(EntitiesForbidden):
            # The exception may surface from parse() or while events are pulled.
            events = _DEFUSED.parse(xml_path)
            for kind, element in events:
                if kind != _PULLDOM.START_ELEMENT:
                    continue
                if element.tagName == wanted_tag:
                    events.expandNode(element)
Exemplo n.º 7
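    def testXSLT(self):
        """Check that the XSLT fixture parses and exposes its xsl:stylesheet element.

        The test fails if no xsl:stylesheet start element is seen, so the
        check cannot pass without having run.
        """
        xml_path = '../../xml_files_windows/optional/xslt.xsl'
        tagName = "xsl:stylesheet"

        doc = _DEFUSED.parse(xml_path)
        matched = 0
        for event, node in doc:
            if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
                # expandNode reads ahead to the element's end and attaches its children.
                doc.expandNode(node)
                matched += 1
                self.assertEqual("xsl:stylesheet", node.nodeName)
        # Guard against a vacuous pass: the assertion above only runs on a match.
        self.assertTrue(matched > 0, "no <xsl:stylesheet> start element found in " + xml_path)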
Exemplo n.º 8
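    def testXInclude(self):
        """Check that the XInclude fixture parses and its xi:include element is left in place.

        The first child of <data> must still be named "xi:include" after the
        node is expanded. The test fails if no <data> start element is seen,
        so the check cannot pass without having run.
        """
        xml_path = '../../xml_files_windows/xinclude.xml'
        tagName = "data"

        doc = _DEFUSED.parse(xml_path)
        matched = 0
        for event, node in doc:
            if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
                # expandNode reads ahead to the element's end and attaches its children.
                doc.expandNode(node)
                matched += 1
                self.assertEqual("xi:include", node.firstChild.nodeName)
        # Guard against a vacuous pass: the assertion above only runs on a match.
        self.assertTrue(matched > 0, "no <data> start element found in " + xml_path)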
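	def testXSLT(self):
		"""Check that the XSLT fixture parses and exposes its xsl:stylesheet element.

		The test fails if no xsl:stylesheet start element is seen, so the
		check cannot pass without having run.
		"""
		xml_path = '../../xml_files_windows/optional/xslt.xsl'
		tagName = "xsl:stylesheet"

		doc = _DEFUSED.parse(xml_path)
		matched = 0
		for event, node in doc:
			if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
				# expandNode reads ahead to the element's end and attaches its children.
				doc.expandNode(node)
				matched += 1
				self.assertEqual("xsl:stylesheet", node.nodeName)
		# Guard against a vacuous pass: the assertion above only runs on a match.
		self.assertTrue(matched > 0, "no <xsl:stylesheet> start element found in " + xml_path)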
Exemplo n.º 10
	def testInternalSubset_PEReferenceInDTD(self):
		"""Expect EntitiesForbidden for the fixture with a PE reference in the internal subset."""
		xml_path = '../../xml_files_windows/internalSubset_PEReferenceInDTD.xml'
		wanted_tag = "data"
		with self.assertRaises(EntitiesForbidden):
			# The exception may surface from parse() or while events are pulled.
			events = _DEFUSED.parse(xml_path)
			for kind, element in events:
				if kind != _PULLDOM.START_ELEMENT:
					continue
				if element.tagName == wanted_tag:
					events.expandNode(element)
Exemplo n.º 11
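	def testDefault_noAttack(self):
		"""Baseline: the benign fixture parses and <data> holds the text "4".

		This is the control case for the attack tests; it fails if no <data>
		start element is seen, so a missing or changed fixture is not reported
		as a pass.
		"""
		xml_path = '../../xml_files_windows/standard.xml'
		tagName = "data"

		doc = _DEFUSED.parse(xml_path)
		matched = 0
		for event, node in doc:
			if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
				# expandNode reads ahead to the element's end and attaches its children.
				doc.expandNode(node)
				matched += 1
				self.assertEqual("data", node.nodeName)
				self.assertEqual("4", node.firstChild.data)
		# Guard against a vacuous pass: the assertions above only run on a match.
		self.assertTrue(matched > 0, "no <data> start element found in " + xml_path)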
Exemplo n.º 12
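    def testDefault_noAttack(self):
        """Baseline: the benign fixture parses and <data> holds the text "4".

        This is the control case for the attack tests; it fails if no <data>
        start element is seen, so a missing or changed fixture is not reported
        as a pass.
        """
        xml_path = '../../xml_files_windows/standard.xml'
        tagName = "data"

        doc = _DEFUSED.parse(xml_path)
        matched = 0
        for event, node in doc:
            if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
                # expandNode reads ahead to the element's end and attaches its children.
                doc.expandNode(node)
                matched += 1
                self.assertEqual("data", node.nodeName)
                self.assertEqual("4", node.firstChild.data)
        # Guard against a vacuous pass: the assertions above only run on a match.
        self.assertTrue(matched > 0, "no <data> start element found in " + xml_path)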
Exemplo n.º 13
	def testURLInvocation_noNamespaceSchemaLocation(self):
		"""Check that parsing the noNamespaceSchemaLocation fixture leaves the request counter at "0".

		The counter is served by the helper at self._URL_; an unchanged value
		after parsing is taken to mean the parser made no outbound request.
		"""
		def read_counter():
			# The server's reply may carry CRLF line endings; strip them before comparing.
			reply = requests.get(self._URL_ + "/getCounter")
			return reply.text.replace("\r\n", "")

		# Reset the server back to "0" and confirm the starting state.
		requests.get(self._URL_ + "/reset")
		self.assertEqual("0", read_counter())

		xml_path = '../../xml_files_windows/url_invocation_noNamespaceSchemaLocation.xml'
		wanted_tag = "data"
		events = _DEFUSED.parse(xml_path)
		for kind, element in events:
			if kind != _PULLDOM.START_ELEMENT:
				continue
			if element.tagName == wanted_tag:
				events.expandNode(element)

		# Check whether a request has been made during parsing.
		self.assertEqual("0", read_counter())
Exemplo n.º 14
    def testURLInvocation_noNamespaceSchemaLocation(self):
        """Check that parsing the noNamespaceSchemaLocation fixture leaves the request counter at "0".

        The counter is served by the helper at self._URL_; an unchanged value
        after parsing is taken to mean the parser made no outbound request.
        """
        def read_counter():
            # The server's reply may carry CRLF line endings; strip them before comparing.
            reply = requests.get(self._URL_ + "/getCounter")
            return reply.text.replace("\r\n", "")

        # Reset the server back to "0" and confirm the starting state.
        requests.get(self._URL_ + "/reset")
        self.assertEqual("0", read_counter())

        xml_path = '../../xml_files_windows/ssrf/url_invocation_noNamespaceSchemaLocation.xml'
        wanted_tag = "data"
        events = _DEFUSED.parse(xml_path)
        for kind, element in events:
            if kind != _PULLDOM.START_ELEMENT:
                continue
            if element.tagName == wanted_tag:
                events.expandNode(element)

        # Check whether a request has been made during parsing.
        self.assertEqual("0", read_counter())
Exemplo n.º 15
	def testURLInvocation_parameterEntity(self):
		"""Expect EntitiesForbidden for the parameter-entity URL fixture, with the counter left at "0".

		Two things are checked: the parser rejects the document, and the
		request counter served at self._URL_ is unchanged afterwards, which is
		taken to mean no outbound request was made before the rejection.
		"""
		def read_counter():
			# The server's reply may carry CRLF line endings; strip them before comparing.
			reply = requests.get(self._URL_ + "/getCounter")
			return reply.text.replace("\r\n", "")

		# Reset the server back to "0" and confirm the starting state.
		requests.get(self._URL_ + "/reset")
		self.assertEqual("0", read_counter())

		xml_path = '../../xml_files_windows/ssrf/url_invocation_parameterEntity.xml'
		wanted_tag = "data"
		with self.assertRaises(EntitiesForbidden):
			events = _DEFUSED.parse(xml_path)
			for kind, element in events:
				if kind != _PULLDOM.START_ELEMENT:
					continue
				if element.tagName == wanted_tag:
					events.expandNode(element)

		# Check whether a request has been made during parsing.
		self.assertEqual("0", read_counter())
Exemplo n.º 16
import xml.dom.pulldom as _PULLDOM 
import defusedxml.pulldom as _DEFUSED
import  xml.sax as _SAX

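# Parse the benign fixture through defusedxml's pulldom wrapper rather than
# calling xml.dom.pulldom directly.
doc = _DEFUSED.parse('../../xml_files_windows/standard.xml')

for event, node in doc:
	if event == _PULLDOM.START_ELEMENT and node.tagName == "data":
		# expandNode reads ahead to the element's end and attaches its children.
		doc.expandNode(node)
		# Single-argument print(...) behaves the same on Python 2 and Python 3.
		print(node.nodeName)
		# access the first child element's name
		print(node.firstChild.nodeName)
		# access the first child element's value
		print(node.firstChild.data)
		# print out the node including child elements
		print(node.toxml())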
             
Exemplo n.º 17
import xml.dom.pulldom as _PULLDOM
import defusedxml.pulldom as _DEFUSED
import xml.sax as _SAX

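# Parse the benign fixture through defusedxml's pulldom wrapper rather than
# calling xml.dom.pulldom directly.
doc = _DEFUSED.parse('../../xml_files_windows/standard.xml')

for event, node in doc:
    if event == _PULLDOM.START_ELEMENT and node.tagName == "data":
        # expandNode reads ahead to the element's end and attaches its children.
        doc.expandNode(node)
        # Single-argument print(...) behaves the same on Python 2 and Python 3.
        print(node.nodeName)
        # access the first child element's name
        print(node.firstChild.nodeName)
        # access the first child element's value
        print(node.firstChild.data)
        # print out the node including child elements
        print(node.toxml())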