Support for additional callback in XML Security Scanner
This commit is contained in:
parent
c708411529
commit
41bcf9a21c
@ -27,6 +27,8 @@ class XmlScanner
*/
*/
private $pattern;
private $pattern;
private $callback;
private function __construct($pattern = '<!DOCTYPE')
private function __construct($pattern = '<!DOCTYPE')
{
{
$this->pattern = $pattern;
$this->pattern = $pattern;
@ -77,6 +79,11 @@ class XmlScanner
return false;
return false;
}
}
public function setAdditionalCallback(callable $callback)
{
$this->callback = $callback;
}
/**
/**
* Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks.
* Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks.
*
*
@ -102,6 +109,10 @@ class XmlScanner
throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
}
}
if ($this->callback !== null && is_callable($this->callback)) {
$xml = call_user_func($this->callback, $xml);
}
return $xml;
return $xml;
}
}
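Review bot: The callback's output is returned without being checked: the new block in scan() runs only after the ENTITY check has already passed on the original `$xml`, and it is the transformed string that is handed back, so any content a callback introduces or decodes is never inspected by the scanner. Apply the callback before the pattern check, or run the check again on its result, so that what is returned is exactly what was scanned; scan() itself starts outside the hunk, so the guarded pattern check is not visible here. The `is_callable()` test is redundant once setAdditionalCallback() types its parameter as `callable`, and the invocation can be written directly as `$xml = ($this->callback)($xml);`. The new `$callback` property and setAdditionalCallback() carry no docblock; a line such as `/** Optional callable applied to the XML string after scanning; it receives the XML and must return the XML to hand to the caller. */` would state the contract.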
@ -75,4 +75,29 @@ class XmlScannerTest extends TestCase
// Must return a null...
// Must return a null...
$this->assertNull($scanner);
$this->assertNull($scanner);
}
}
/**
* @dataProvider providerValidXMLForCallback
*
* @param mixed $filename
*/
public function testSecurityScanWithCallback($filename, $expectedResult)
{
$fileReader = new Xlsx();
$scanner = $fileReader->getSecuritySCanner();
$scanner->setAdditionalCallback('strrev');
$xml = $scanner->scanFile($filename);
$this->assertEquals(strrev($expectedResult), $xml);
}
public function providerValidXMLForCallback()
{
$tests = [];
foreach (glob(__DIR__ . '/../../../data/Reader/Xml/SecurityScannerWithCallback*.xml') as $file) {
$tests[basename($file)] = [realpath($file), file_get_contents($file)];
}
return $tests;
}
}
}
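Review bot: `$fileReader->getSecuritySCanner()` in testSecurityScanWithCallback() only works because PHP resolves method names case-insensitively; it should be written as `$fileReader->getSecurityScanner()` (presumably the declared name) so that it matches the declaration and survives a rename or static analysis. The docblock lists `@param mixed $filename` but not `$expectedResult`, and the provider always supplies strings, so `@param string $filename` and `@param string $expectedResult` would be accurate. providerValidXMLForCallback() returns an empty array when no `SecurityScannerWithCallback*.xml` fixture matches the glob, in which case the test does not run at all rather than failing; it is worth noting that dependency in a comment, e.g. `// Relies on fixture files matching SecurityScannerWithCallback*.xml; an empty dataset means the test is never executed.`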
@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<note>
<to>Users</to>
<from>Mark</from>
<heading>Reminder</heading>
<body>Don't forget PHPSpreadsheet Security!</body>
</note>