mirror of
https://github.com/dgtlmoon/changedetection.io.git
synced 2026-04-30 23:00:30 +00:00
dgtlmoon
36 lines
1.1 KiB
Python
36 lines
1.1 KiB
Python
#!/usr/bin/env python3
|
|
|
|
# run from dir above changedetectionio/ dir
|
|
# python3 -m pytest changedetectionio/tests/unit/test_xml_security.py
|
|
|
|
import pytest
|
|
from changedetectionio import html_tools
|
|
|
|
|
|
def _xxe_payload(file_path: str) -> str:
|
|
return f"""<?xml version="1.0"?>
|
|
<!DOCTYPE root [
|
|
<!ENTITY xxe SYSTEM "file://{file_path}">
|
|
]>
|
|
<root><item>&xxe;</item></root>"""
|
|
|
|
|
|
def test_xxe_not_expanded_xpath_filter(tmp_path):
|
|
"""xpath_filter must not expand external entities (CVE-2026-41895)."""
|
|
sentinel_file = tmp_path / "sentinel.txt"
|
|
sentinel = "xxe_sentinel_should_never_appear_in_output"
|
|
sentinel_file.write_text(sentinel)
|
|
|
|
result = html_tools.xpath_filter("//item", _xxe_payload(sentinel_file), is_xml=True)
|
|
assert sentinel not in result
|
|
|
|
|
|
def test_xxe_not_expanded_xpath1_filter(tmp_path):
|
|
"""xpath1_filter must not expand external entities (CVE-2026-41895)."""
|
|
sentinel_file = tmp_path / "sentinel.txt"
|
|
sentinel = "xxe_sentinel_should_never_appear_in_output"
|
|
sentinel_file.write_text(sentinel)
|
|
|
|
result = html_tools.xpath1_filter("//item", _xxe_payload(sentinel_file), is_xml=True)
|
|
assert sentinel not in result
|