
Commit d034df3

committed
Added test against XXE attacks for Sitemap
1 parent c2a424d commit d034df3


1 file changed

+16
-1
lines changed

1 file changed

+16
-1
lines changed

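--- a/scrapy/tests/test_utils_sitemap.py
+++ b/scrapy/tests/test_utils_sitemap.py
@@ -188,13 +188,28 @@ def test_alternate(self):
 <xhtml:link rel="alternate" hreflang="en"/><!-- wrong tag without href -->
 </url>
 </urlset>""")
-
+
 self.assertEqual(list(s), [
 {'loc': 'http://www.example.com/english/',
 'alternate': ['http://www.example.com/deutsch/', 'http://www.example.com/schweiz-deutsch/', 'http://www.example.com/english/']
 }
 ])
 
+def test_xml_entity_expansion(self):
+s = Sitemap("""<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >
+]>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
+<url>
+<loc>http://127.0.0.1:8000/&xxe;</loc>
+</url>
+</urlset>
+""")
+
+self.assertEqual(list(s), [{'loc': 'http://127.0.0.1:8000/'}])
+
 
 if __name__ == '__main__':
 unittest.main()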
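Review bot: The assertion in `test_xml_entity_expansion` may not distinguish a parser that refuses to resolve `&xxe;` from one that attempts resolution and fails to read the target, because the entity points at `file:///etc/passwd`, which is absent or unreadable on some test hosts. How `Sitemap` configures its XML parser is not visible in this hunk, so this concerns the strength of the test rather than a known gap in the parser. Pointing the entity at a fixture file the test itself writes, and asserting that its contents never appear in `loc`, would make the result independent of the host. The test should also state what it guards, for example with a first line `"""External entities in a sitemap must be dropped, never replaced with local file contents."""`. The name promises entity expansion in general, while only a single external SYSTEM entity is exercised and internal entities are not covered.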
