1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.test;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.ByteArrayOutputStream;
23  import java.io.IOException;
24  import java.io.InputStream;
25  import java.util.ArrayList;
26  import java.util.List;
27  import javax.xml.stream.XMLStreamException;
28  
29  import org.apache.wss4j.stax.ext.WSSConstants;
30  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
31  import org.apache.wss4j.stax.setup.WSSec;
32  import org.apache.xml.security.stax.config.Init;
33  
34  import org.junit.jupiter.api.BeforeAll;
35  import org.junit.jupiter.api.Test;
36  import static org.junit.jupiter.api.Assertions.assertEquals;
37  import static org.junit.jupiter.api.Assertions.assertTrue;
38  import static org.junit.jupiter.api.Assertions.fail;
39  
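/**
 * Checks the inbound decompression limit for encrypted content: a message whose
 * encrypted body was compressed on the outbound side must be rejected during
 * inbound processing once the configured maximum number of decompressed bytes is
 * exceeded. Bounding decompression is what keeps a small but highly compressible
 * payload from exhausting memory on the receiving side.
 *
 * <p>The limit itself is not set in this class; it is presumably supplied by
 * {@code wss-config-compression.xml}, which {@link #setup()} loads, and the
 * expected error message below implies a limit of 101 bytes.
 */
public class VulnerabliltyVectorsDecompressedBytesTest extends AbstractTestBase {

    /**
     * Initialises WSS4J and then re-initialises the XML Security configuration
     * from the compression-specific test configuration on the classpath.
     *
     * @throws Exception if either initialisation fails or the configuration
     *                   resource cannot be located
     */
    @BeforeAll
    public static void setup() throws Exception {
        WSSec.init();
        Init.init(VulnerabliltyVectorsDecompressedBytesTest.class.getClassLoader().getResource("wss-config-compression.xml").toURI(),
                VulnerabliltyVectorsDecompressedBytesTest.class);
    }

    /**
     * Signs and encrypts a plain SOAP message with XZ compression of the
     * encrypted content, then verifies that inbound processing of that message
     * fails with an {@link XMLStreamException} whose {@link IOException} cause
     * reports the decompressed-byte limit.
     *
     * @throws Exception if outbound processing fails; outbound is deliberately
     *                   kept outside the expected-failure region so an outbound
     *                   error cannot be mistaken for the limit being enforced
     */
    @Test
    public void testMaximumAllowedDecompressedBytes() throws Exception {
        // Outbound side: timestamp, sign and encrypt, compressing the encrypted
        // content so the inbound side has to decompress it.
        WSSSecurityProperties outboundSecurityProperties = new WSSSecurityProperties();
        outboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outboundSecurityProperties.setEncryptionUser("receiver");
        outboundSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        outboundSecurityProperties.setSignatureUser("transmitter");
        outboundSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outboundSecurityProperties.setActions(actions);
        outboundSecurityProperties.setEncryptionCompressionAlgorithm("http://www.apache.org/2012/04/xmlsec/xz");

        ByteArrayOutputStream baos;
        // Close the classpath stream once the secured document has been produced.
        try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outboundSecurityProperties, sourceDocument);
        }

        // Inbound side: the receiver's keys for signature verification and decryption.
        WSSSecurityProperties inboundSecurityProperties = new WSSSecurityProperties();
        inboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inboundSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
        inboundSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

        // Only the inbound call is expected to fail; everything above runs outside
        // the try so that an unrelated XMLStreamException is reported as a test
        // error rather than silently satisfying the catch block.
        try {
            doInboundSecurity(inboundSecurityProperties,
                    xmlInputFactory.createXMLStreamReader(
                            new ByteArrayInputStream(baos.toByteArray())));
            fail("Expected XMLStreamException");
        } catch (XMLStreamException e) {
            // The limit is surfaced by the underlying stream as an IOException
            // wrapped in the XMLStreamException.
            assertTrue(e.getCause() instanceof IOException);
            // assertEquals takes (expected, actual); the previous order only
            // garbled the failure message when the check did not hold.
            assertEquals("Maximum byte count (101) reached.", e.getCause().getMessage());
        }
    }

}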
87  }