OneLogin_Saml2_Utils::loadXML PHP Method

loadXML() public static method

Loads an XML string into a DOMDocument while guarding against XXE/XEE attacks: any document that declares an entity (`<!ENTITY`) is rejected before parsing, and libxml's external entity loader is disabled for the duration of the parse.
public static loadXML ( DOMDocument $dom, string $xml ) : DOMDocument|false
$dom DOMDocument The document into which the XML is loaded.
$xml string The XML string to be loaded.
return DOMDocument|false $dom with the XML loaded, or false if libxml failed to parse the input. Throws Exception if the XML declares an entity.
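    /**
     * Loads an XML string into the given DOMDocument while guarding against
     * XXE/XEE (entity-based) attacks.
     *
     * Two layers of protection are applied:
     *  1. Any document that declares an entity (`<!ENTITY`) is rejected outright.
     *     This is a plain substring match on the raw input (XML keywords are
     *     case-sensitive, so the uppercase match is sufficient), and it also
     *     blocks internal-entity expansion payloads that disabling the entity
     *     loader alone would not stop. DTDs without entity declarations are
     *     still accepted.
     *  2. libxml's external entity loader is disabled for the duration of the
     *     parse and restored afterwards, so an external DTD subset or SYSTEM
     *     reference cannot be fetched even if it slipped past the first check.
     *
     * NOTE(review): the substring check is byte-wise and assumes an
     * ASCII-compatible encoding (e.g. UTF-8); confirm callers never pass raw
     * UTF-16/UTF-32 data. libxml_disable_entity_loader() is deprecated as of
     * PHP 8.0, where libxml disables external entity loading by default, so a
     * deprecation notice is expected there.
     *
     * @param DOMDocument $dom The document into which the XML is loaded.
     * @param string      $xml The XML string to be loaded.
     *
     * @return DOMDocument|false $dom with the XML loaded, or false if libxml
     *                           failed to parse the input.
     *
     * @throws Exception if the XML declares an entity.
     */
    public static function loadXML($dom, $xml)
    {
        // Expression-form asserts: the legacy string form was deprecated in
        // PHP 7.2 and is no longer evaluated as code in PHP 8, which would
        // silently turn these precondition checks into no-ops.
        assert($dom instanceof DOMDocument);
        assert(is_string($xml));

        if (strpos($xml, '<!ENTITY') !== false) {
            throw new Exception('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
        }

        // Disable external entity resolution only for this parse; restore the
        // previous setting so other libxml users in the process are unaffected.
        $oldEntityLoader = libxml_disable_entity_loader(true);
        $res = $dom->loadXML($xml);
        libxml_disable_entity_loader($oldEntityLoader);

        return $res ? $dom : false;
    }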

Usage Example

Example #1
 /**
  * Exercises OneLogin_Saml2_Utils::loadXML against entity-based XML payloads.
  *
  * Three inputs are checked, in order:
  *  - an external-entity (XXE) payload, which must be rejected with the
  *    "Detected use of ENTITY ..." exception;
  *  - a document carrying a plain DTD (element declarations only, no
  *    entities), which must parse normally into the DOMDocument;
  *  - an internal-entity (XEE) payload, which must be rejected with the same
  *    exception even though the entity itself expands to harmless text.
  *
  * @covers OneLogin_Saml2_Utils::loadXML
  */
 public function testXMLAttacks()
 {
     $entityRejection = 'Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks';
     $document = new DOMDocument();

     // External entity reading a local file: must be refused before parsing.
     $externalEntityPayload = '<?xml version="1.0" encoding="ISO-8859-1"?>
                   <!DOCTYPE foo [  
                   <!ELEMENT foo ANY >
                   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>';
     try {
         OneLogin_Saml2_Utils::loadXML($document, $externalEntityPayload);
         $this->assertTrue(false);
     } catch (Exception $e) {
         $this->assertEquals($entityRejection, $e->getMessage());
     }

     // A DTD with element declarations only is legitimate and must still load.
     $plainDtdPayload = '<?xml version="1.0"?>
                       <!DOCTYPE results [
                         <!ELEMENT results (result+)>
                         <!ELEMENT result (#PCDATA)>
                       ]>
                       <results>
                         <result>test</result>
                       </results>';
     $loaded = OneLogin_Saml2_Utils::loadXML($document, $plainDtdPayload);
     $this->assertInstanceOf('DOMDocument', $loaded);

     // Even a harmless internal entity is rejected: the guard triggers on the
     // declaration itself, not on what the entity expands to.
     $internalEntityPayload = '<?xml version="1.0"?>
                   <!DOCTYPE results [<!ENTITY harmless "completely harmless">]>
                   <results>
                     <result>This result is &harmless;</result>
                   </results>';
     try {
         OneLogin_Saml2_Utils::loadXML($document, $internalEntityPayload);
         $this->assertTrue(false);
     } catch (Exception $e) {
         $this->assertEquals($entityRejection, $e->getMessage());
     }
 }