Support for additional callback in XML Security Scanner

This commit is contained in:
MarkBaker 2018-11-25 14:00:35 +01:00
parent c708411529
commit 41bcf9a21c
3 changed files with 43 additions and 0 deletions


@ -27,6 +27,8 @@ class XmlScanner
*/ */
private $pattern; private $pattern;
private $callback;
private function __construct($pattern = '<!DOCTYPE') private function __construct($pattern = '<!DOCTYPE')
{ {
$this->pattern = $pattern; $this->pattern = $pattern;
@ -77,6 +79,11 @@ class XmlScanner
return false; return false;
} }
public function setAdditionalCallback(callable $callback)
{
$this->callback = $callback;
}
/** /**
* Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks. * Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks.
* *
@ -102,6 +109,10 @@ class XmlScanner
throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks'); throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
} }
if ($this->callback !== null && is_callable($this->callback)) {
$xml = call_user_func($this->callback, $xml);
}
return $xml; return $xml;
} }
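Review bot: The value returned by the callback at `$xml = call_user_func($this->callback, $xml);` is handed back to the caller without any validation, so a callback that rewrites the document (decoding, charset conversion, unwrapping) can hand back content that was never checked for `<!ENTITY`, and a callback that returns a non-string silently propagates into the reader. The ENTITY check on the line above it ran on the pre-callback input, so the scanner's guarantee only holds for the string the callback received; the rest of the scan method starts outside this hunk, so I cannot see whether anything downstream re-checks. At minimum guard the return type: `if (!is_string($xml)) { throw new Reader\Exception('Security scanner callback must return a string'); }` directly after the call, and state the contract in a docblock on `setAdditionalCallback`, e.g. "Callback receives XML that has already passed the ENTITY check and must return a string; its output is not re-scanned." Since the parameter is already typed `callable`, the `is_callable($this->callback)` half of the condition is redundant and can be dropped, leaving `if ($this->callback !== null) {`.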


@ -75,4 +75,29 @@ class XmlScannerTest extends TestCase
// Must return a null... // Must return a null...
$this->assertNull($scanner); $this->assertNull($scanner);
} }
/**
* @dataProvider providerValidXMLForCallback
*
* @param mixed $filename
*/
public function testSecurityScanWithCallback($filename, $expectedResult)
{
$fileReader = new Xlsx();
$scanner = $fileReader->getSecuritySCanner();
$scanner->setAdditionalCallback('strrev');
$xml = $scanner->scanFile($filename);
$this->assertEquals(strrev($expectedResult), $xml);
}
public function providerValidXMLForCallback()
{
$tests = [];
foreach (glob(__DIR__ . '/../../../data/Reader/Xml/SecurityScannerWithCallback*.xml') as $file) {
$tests[basename($file)] = [realpath($file), file_get_contents($file)];
}
return $tests;
}
} }
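Review bot: The new test only covers the happy path — it never asserts that a document containing `<!ENTITY` is still rejected once a callback is set, nor that the callback is not invoked for rejected input, which is the property the scanner exists to protect. A second case that sets the callback and feeds the existing ENTITY fixture through `scanFile`, wrapped in `$this->expectException(\PhpOffice\PhpSpreadsheet\Reader\Exception::class);`, would pin that down. The call `$fileReader->getSecuritySCanner()` resolves only because PHP method names are case-insensitive; write it as `$scanner = $fileReader->getSecurityScanner();` so grep and IDE navigation find it. The docblock lists `@param mixed $filename` but omits `$expectedResult`; add `@param string $expectedResult` (and `string` for `$filename`, since the provider passes `realpath()` output), and `assertSame` is the more precise assertion for two strings.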


@ -0,0 +1,7 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<note>
<to>Users</to>
<from>Mark</from>
<heading>Reminder</heading>
<body>Don't forget PHPSpreadsheet Security!</body>
</note>