19 package org.apache.wss4j.stax.test;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.ByteArrayOutputStream;
23 import java.io.IOException;
24 import java.io.InputStream;
25 import java.util.ArrayList;
26 import java.util.List;
27 import javax.xml.stream.XMLStreamException;
28
29 import org.apache.wss4j.stax.ext.WSSConstants;
30 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
31 import org.apache.wss4j.stax.setup.WSSec;
32 import org.apache.xml.security.stax.config.Init;
33
34 import org.junit.jupiter.api.BeforeAll;
35 import org.junit.jupiter.api.Test;
36 import static org.junit.jupiter.api.Assertions.assertEquals;
37 import static org.junit.jupiter.api.Assertions.assertTrue;
38 import static org.junit.jupiter.api.Assertions.fail;
39
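/**
 * Regression test for the inbound decompression limit ("decompression bomb" guard).
 *
 * <p>A message is signed and encrypted with XZ compression applied to the encrypted
 * content, then fed back through inbound processing that has been initialised with
 * {@code wss-config-compression.xml}. Inbound processing is expected to abort with an
 * {@link IOException} once the configured maximum number of decompressed bytes is reached,
 * instead of inflating an attacker-chosen payload into unbounded memory. The limit itself
 * (101 bytes, going by the expected message) is presumably set in that configuration
 * file — confirm there if the expected message ever needs to change.
 */
public class VulnerabliltyVectorsDecompressedBytesTest extends AbstractTestBase {

    /** Message the inbound decompressor is expected to fail with; tied to the configured limit. */
    private static final String EXPECTED_LIMIT_MESSAGE = "Maximum byte count (101) reached.";

    /** Algorithm URI that makes the outbound side compress the content before encrypting it. */
    private static final String XZ_COMPRESSION_ALGORITHM = "http://www.apache.org/2012/04/xmlsec/xz";

    /**
     * Initialises WSS4J and the stax security layer with the compression-specific
     * configuration, so that the decompressed-bytes cap is active for this class.
     *
     * @throws Exception if initialisation or resource lookup fails
     */
    @BeforeAll
    public static void setup() throws Exception {
        WSSec.init();
        Init.init(VulnerabliltyVectorsDecompressedBytesTest.class.getClassLoader()
                      .getResource("wss-config-compression.xml").toURI(),
                  VulnerabliltyVectorsDecompressedBytesTest.class);
    }

    /**
     * Builds a compressed, signed and encrypted message and verifies that inbound
     * processing refuses to decompress past the configured byte limit.
     *
     * <p>Only the inbound call sits inside the try/catch: a failure while producing the
     * outbound message is a test-setup problem and must surface with its own stack trace
     * rather than being mistaken for the expected inbound rejection.
     *
     * @throws Exception on any failure outside the expected inbound rejection
     */
    @Test
    public void testMaximumAllowedDecompressedBytes() throws Exception {
        WSSSecurityProperties outboundSecurityProperties = new WSSSecurityProperties();
        outboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outboundSecurityProperties.setEncryptionUser("receiver");
        outboundSecurityProperties.loadEncryptionKeystore(
            this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
        outboundSecurityProperties.setSignatureUser("transmitter");
        outboundSecurityProperties.loadSignatureKeyStore(
            this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outboundSecurityProperties.setActions(actions);
        // Compression is what forces the receiver to decompress, and hence to hit the cap.
        outboundSecurityProperties.setEncryptionCompressionAlgorithm(XZ_COMPRESSION_ALGORITHM);

        ByteArrayOutputStream securedMessage;
        try (InputStream sourceDocument =
                 this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            securedMessage = doOutboundSecurity(outboundSecurityProperties, sourceDocument);
        }

        WSSSecurityProperties inboundSecurityProperties = new WSSSecurityProperties();
        inboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inboundSecurityProperties.loadSignatureVerificationKeystore(
            this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
        inboundSecurityProperties.loadDecryptionKeystore(
            this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

        try {
            doInboundSecurity(inboundSecurityProperties,
                xmlInputFactory.createXMLStreamReader(
                    new ByteArrayInputStream(securedMessage.toByteArray())));
            fail("Expected XMLStreamException");
        } catch (XMLStreamException e) {
            // The limit is enforced by the decompressing stream, so the cause must be an IOException
            // carrying the limit message; any other cause means the guard did not fire.
            assertTrue(e.getCause() instanceof IOException,
                       "Expected an IOException cause but got: " + e.getCause());
            assertEquals(EXPECTED_LIMIT_MESSAGE, e.getCause().getMessage());
        }
    }

}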