#include <math.h>
#include <stdio.h>
#include <string.h>
#include "expat_config.h"
#include "expat.h"
#include "internal.h"
#include "common.h"
#include "minicheck.h"
#include "chardata.h"
#include "handlers.h"
#include "acc_tests.h"
#if XML_GE == 1
START_TEST(test_accounting_precision) {
struct AccountingTestCase cases[] = {
{"<e/>", NULL, NULL, 0},
{"<e></e>", NULL, NULL, 0},
{"<e k1=\"v2\" k2=\"v2\"/>", NULL, NULL, 0},
{"<e k1=\"v2\" k2=\"v2\"></e>", NULL, NULL, 0},
{"<p:e xmlns:p=\"https://domain.invalid/\" />", NULL, NULL, 0},
{"<e k=\"&'><"\" />", NULL, NULL,
sizeof(XML_Char) * 5 },
{"<e1 xmlns='https://example.org/'>\n"
" <e2 xmlns=''/>\n"
"</e1>",
NULL, NULL, 0},
{"<e>text</e>", NULL, NULL, 0},
{"<e1><e2>text1<e3/>text2</e2></e1>", NULL, NULL, 0},
{"<e>&'><"</e>", NULL, NULL,
sizeof(XML_Char) * 5 },
{"<e>A)</e>", NULL, NULL, 0},
{"<?xml version=\"1.0\"?><root/>", NULL, NULL, 0},
{" <e1> <e2> </e2> </e1> ", NULL, NULL, 0},
{"<e1 ><e2 /></e1 >", NULL, NULL, 0},
{"<e1><e2 k = \"v\"/><e3 k = 'v'/></e1>", NULL, NULL, 0},
{"<!-- Comment --><e><!-- Comment --></e>", NULL, NULL, 0},
{"<?xml-stylesheet type=\"text/xsl\" href=\"https://domain.invalid/\" media=\"all\"?><e/>",
NULL, NULL, 0},
{"<?pi0?><?pi1 ?><?pi2 ?><r/><?pi4?>", NULL, NULL, 0},
# ifdef XML_DTD
{"<?pi0?><?pi1 ?><?pi2 ?><!DOCTYPE r SYSTEM 'first.ent'><r/>",
"<?pi3?><!ENTITY % e1 SYSTEM 'second.ent'><?pi4?>%e1;<?pi5?>", "<?pi6?>",
0},
# endif
{"<e><![CDATA[one two three]]></e>", NULL, NULL, 0},
{"<!DOCTYPE r [\n"
"<!ENTITY e \"111<![CDATA[2 <= 2]]>333\">\n"
"]>\n"
"<r>&e;</r>\n",
NULL, NULL, sizeof(XML_Char) * strlen("111<![CDATA[2 <= 2]]>333")},
# ifdef XML_DTD
{"<!DOCTYPE r [\n"
"<!ENTITY % draft 'INCLUDE'>\n"
"<!ENTITY % final 'IGNORE'>\n"
"<!ENTITY % import SYSTEM \"first.ent\">\n"
"%import;\n"
"]>\n"
"<r/>\n",
"<![%draft;[<!--1-->]]>\n"
"<![%final;[<!--22-->]]>",
NULL, sizeof(XML_Char) * (strlen("INCLUDE") + strlen("IGNORE"))},
# endif
{"<!DOCTYPE root [\n"
"<!ENTITY nine \"123456789\">\n"
"]>\n"
"<root>&nine;</root>",
NULL, NULL, sizeof(XML_Char) * strlen("123456789")},
{"<!DOCTYPE root [\n"
"<!ENTITY nine \"123456789\">\n"
"]>\n"
"<root k1=\"&nine;\"/>",
NULL, NULL, sizeof(XML_Char) * strlen("123456789")},
{"<!DOCTYPE root [\n"
"<!ENTITY nine \"123456789\">\n"
"<!ENTITY nine2 \"&nine;&nine;\">\n"
"]>\n"
"<root>&nine2;&nine2;&nine2;</root>",
NULL, NULL,
sizeof(XML_Char) * 3 * 2
* (strlen("&nine;") + strlen("123456789"))},
{"<!DOCTYPE r [\n"
" <!ENTITY five SYSTEM 'first.ent'>\n"
"]>\n"
"<r>&five;</r>",
"12345", NULL, 0},
{"<!DOCTYPE r [\n"
" <!ENTITY five SYSTEM 'first.ent'>\n"
"]>\n"
"<r>&five;</r>",
"\xEF\xBB\xBF" , NULL, 0},
# ifdef XML_DTD
{"<!DOCTYPE r [\n"
"<!ENTITY % comment \"<!---->\">\n"
"%comment;\n"
"]>\n"
"<r/>",
NULL, NULL, sizeof(XML_Char) * strlen("<!---->")},
{"<!DOCTYPE r [\n"
"<!ENTITY % ninedef \"<!ENTITY nine "123456789">\">\n"
"%ninedef;\n"
"]>\n"
"<r>&nine;</r>",
NULL, NULL,
sizeof(XML_Char)
* (strlen("<!ENTITY nine \"123456789\">") + strlen("123456789"))},
{"<!DOCTYPE r [\n"
"<!ENTITY % comment \"<!--1-->\">\n"
"<!ENTITY % comment2 \"%comment;<!--22-->%comment;\">\n"
"%comment2;\n"
"]>\n"
"<r/>\n",
NULL, NULL,
sizeof(XML_Char)
* (strlen("%comment;<!--22-->%comment;") + 2 * strlen("<!--1-->"))},
{"<!DOCTYPE r [\n"
" <!ENTITY % five \"12345\">\n"
" <!ENTITY % five2def \"<!ENTITY five2 "[%five;][%five;]]]]">\">\n"
" %five2def;\n"
"]>\n"
"<r>&five2;</r>",
NULL, NULL,
sizeof(XML_Char)
* (strlen("<!ENTITY five2 \"[%five;][%five;]]]]\">")
+ 2 * strlen("12345")
+ strlen("[12345][12345]]]]"))},
{"<!DOCTYPE r SYSTEM \"first.ent\">\n"
"<r/>",
"<!ENTITY % comment '<!--1-->'>\n"
"<!ENTITY % comment2 '<!--22-->%comment;<!--22-->%comment;<!--22-->'>\n"
"%comment2;",
NULL,
sizeof(XML_Char)
* (strlen("<!--22-->%comment;<!--22-->%comment;<!--22-->")
+ 2 * strlen("<!---->"))},
{"<!DOCTYPE r SYSTEM 'first.ent'>\n"
"<r/>",
"<!ENTITY % e1 PUBLIC 'foo' 'second.ent'>\n"
"<!ENTITY % e2 '<!--22-->%e1;<!--22-->'>\n"
"%e2;\n",
"<!--1-->", sizeof(XML_Char) * strlen("<!--22--><!--1--><!--22-->")},
{
"<!DOCTYPE r SYSTEM 'first.ent'>\n"
"<r/>",
"<!ENTITY % e1 SYSTEM 'second.ent'>\n"
"<!ENTITY % e2 '%e1;'>",
"<?xml version='1.0' encoding='utf-8'?>\n"
"hello\n"
"xml" ,
0,
},
{
"<!DOCTYPE r SYSTEM 'first.ent'>\n"
"<r/>",
"<!ENTITY % e1 SYSTEM 'second.ent'>\n"
"<!ENTITY % e2 '%e1;'>",
"<?xml version='1.0' encoding='utf-8'?>\n"
"hello\n"
"xml\n" ,
0,
},
{"<!DOCTYPE doc SYSTEM 'first.ent'>\n"
"<doc></doc>\n",
"<!ELEMENT doc EMPTY>\n"
"<!ENTITY % e1 SYSTEM 'second.ent'>\n"
"<!ENTITY % e2 '%e1;'>\n"
"%e1;\n",
"\xEF\xBB\xBF<!ATTLIST doc a1 CDATA 'value'>" ,
strlen("\xEF\xBB\xBF<!ATTLIST doc a1 CDATA 'value'>")},
# endif
};
const size_t countCases = sizeof(cases) / sizeof(cases[0]);
size_t u = 0;
for (; u < countCases; u++) {
const unsigned long long expectedCountBytesDirect
= strlen(cases[u].primaryText);
const unsigned long long expectedCountBytesIndirect
= (cases[u].firstExternalText ? strlen(cases[u].firstExternalText) : 0)
+ (cases[u].secondExternalText ? strlen(cases[u].secondExternalText)
: 0)
+ cases[u].expectedCountBytesIndirectExtra;
XML_Parser parser = XML_ParserCreate(NULL);
XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
if (cases[u].firstExternalText) {
XML_SetExternalEntityRefHandler(parser,
accounting_external_entity_ref_handler);
XML_SetUserData(parser, (void *)&cases[u]);
}
enum XML_Status status
= _XML_Parse_SINGLE_BYTES(parser, cases[u].primaryText,
(int)strlen(cases[u].primaryText), XML_TRUE);
if (status != XML_STATUS_OK) {
_xml_failure(parser, __FILE__, __LINE__);
}
const unsigned long long actualCountBytesDirect
= testingAccountingGetCountBytesDirect(parser);
const unsigned long long actualCountBytesIndirect
= testingAccountingGetCountBytesIndirect(parser);
XML_ParserFree(parser);
if (actualCountBytesDirect != expectedCountBytesDirect) {
fprintf(
stderr,
"Document " EXPAT_FMT_SIZE_T("") " of " EXPAT_FMT_SIZE_T("") ": Expected " EXPAT_FMT_ULL(
"") " count direct bytes, got " EXPAT_FMT_ULL("") " instead.\n",
u + 1, countCases, expectedCountBytesDirect, actualCountBytesDirect);
fail("Count of direct bytes is off");
}
if (actualCountBytesIndirect != expectedCountBytesIndirect) {
fprintf(
stderr,
"Document " EXPAT_FMT_SIZE_T("") " of " EXPAT_FMT_SIZE_T("") ": Expected " EXPAT_FMT_ULL(
"") " count indirect bytes, got " EXPAT_FMT_ULL("") " instead.\n",
u + 1, countCases, expectedCountBytesIndirect,
actualCountBytesIndirect);
fail("Count of indirect bytes is off");
}
}
}
END_TEST
START_TEST(test_billion_laughs_attack_protection_api) {
XML_Parser parserWithoutParent = XML_ParserCreate(NULL);
XML_Parser parserWithParent = XML_ExternalEntityParserCreate(
parserWithoutParent, XCS("entity123"), NULL);
if (parserWithoutParent == NULL)
fail("parserWithoutParent is NULL");
if (parserWithParent == NULL)
fail("parserWithParent is NULL");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(NULL, 123.0f)
== XML_TRUE)
fail("Call with NULL parser is NOT supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(parserWithParent,
123.0f)
== XML_TRUE)
fail("Call with non-root parser is NOT supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
parserWithoutParent, NAN)
== XML_TRUE)
fail("Call with NaN limit is NOT supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
parserWithoutParent, -1.0f)
== XML_TRUE)
fail("Call with negative limit is NOT supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
parserWithoutParent, 0.9f)
== XML_TRUE)
fail("Call with positive limit <1.0 is NOT supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
parserWithoutParent, 1.0f)
== XML_FALSE)
fail("Call with positive limit >=1.0 is supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
parserWithoutParent, 123456.789f)
== XML_FALSE)
fail("Call with positive limit >=1.0 is supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
parserWithoutParent, INFINITY)
== XML_FALSE)
fail("Call with positive limit >=1.0 is supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionActivationThreshold(NULL, 123)
== XML_TRUE)
fail("Call with NULL parser is NOT supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionActivationThreshold(parserWithParent,
123)
== XML_TRUE)
fail("Call with non-root parser is NOT supposed to succeed");
if (XML_SetBillionLaughsAttackProtectionActivationThreshold(
parserWithoutParent, 123)
== XML_FALSE)
fail("Call with non-NULL parentless parser is supposed to succeed");
XML_ParserFree(parserWithParent);
XML_ParserFree(parserWithoutParent);
}
END_TEST
START_TEST(test_helper_unsigned_char_to_printable) {
unsigned char uc = 0;
for (;; uc++) {
set_subtest("char %u", (unsigned)uc);
const char *const printable = unsignedCharToPrintable(uc);
if (printable == NULL)
fail("unsignedCharToPrintable returned NULL");
else if (strlen(printable) < (size_t)1)
fail("unsignedCharToPrintable returned empty string");
if (uc == (unsigned char)-1) {
break;
}
}
set_subtest("char 'A'");
if (strcmp(unsignedCharToPrintable('A'), "A") != 0)
fail("unsignedCharToPrintable result mistaken");
set_subtest("char '\\'");
if (strcmp(unsignedCharToPrintable('\\'), "\\\\") != 0)
fail("unsignedCharToPrintable result mistaken");
}
END_TEST
START_TEST(test_amplification_isolated_external_parser) {
const char doc[] = "<!ENTITY % p1 '123456789_123456789_1234567'>";
const int docLen = (int)sizeof(doc) - 1;
const float maximumToleratedAmplification = 2.0f;
struct TestCase {
int offsetOfThreshold;
enum XML_Status expectedStatus;
};
struct TestCase cases[] = {
{-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR},
{+1, XML_STATUS_OK}, {+2, XML_STATUS_OK},
};
for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
const int offsetOfThreshold = cases[i].offsetOfThreshold;
const enum XML_Status expectedStatus = cases[i].expectedStatus;
const unsigned long long activationThresholdBytes
= docLen + offsetOfThreshold;
set_subtest("offsetOfThreshold=%d, expectedStatus=%d", offsetOfThreshold,
expectedStatus);
XML_Parser parser = XML_ParserCreate(NULL);
assert_true(parser != NULL);
assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification(
parser, maximumToleratedAmplification)
== XML_TRUE);
assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold(
parser, activationThresholdBytes)
== XML_TRUE);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
assert_true(ext_parser != NULL);
const enum XML_Status actualStatus
= _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE);
assert_true(actualStatus == expectedStatus);
if (actualStatus != XML_STATUS_OK) {
assert_true(XML_GetErrorCode(ext_parser)
== XML_ERROR_AMPLIFICATION_LIMIT_BREACH);
}
XML_ParserFree(ext_parser);
XML_ParserFree(parser);
}
}
END_TEST
#endif
void
make_accounting_test_case(Suite *s) {
#if XML_GE == 1
TCase *tc_accounting = tcase_create("accounting tests");
suite_add_tcase(s, tc_accounting);
tcase_add_test(tc_accounting, test_accounting_precision);
tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api);
tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable);
tcase_add_test__ifdef_xml_dtd(tc_accounting,
test_amplification_isolated_external_parser);
#else
UNUSED_P(s);
#endif
}
