Software `/` code `/` prosody

Annotate

spec/util_serialization_spec.lua @ 12181:783056b4e448 0.11 0.11.12

util.xml: Do not allow doctypes, comments or processing instructions Yes. This is as bad as it sounds. CVE pending. In Prosody itself, this only affects mod_websocket, which uses util.xml to parse the <open/> frame, thus allowing unauthenticated remote DoS using Billion Laughs. However, third-party modules using util.xml may also be affected by this. This commit installs handlers which disallow the use of doctype declarations and processing instructions without any escape hatch. It, by default, also introduces such a handler for comments, however, there is a way to enable comments nontheless. This is because util.xml is used to parse human-facing data, where comments are generally a desirable feature, and also because comments are generally harmless.

author	Jonas Schäfer <jonas@wielicki.name>
date	Mon, 10 Jan 2022 18:23:54 +0100
parent	9567:dbfa286cfa88

rev	line source
9342 83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	1 local serialization = require "util.serialization";
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	2
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	3 describe("util.serialization", function ()
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	4 describe("serialize", function ()
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	5 it("makes a string", function ()
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	6 assert.is_string(serialization.serialize({}));
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	7 assert.is_string(serialization.serialize(nil));
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	8 assert.is_string(serialization.serialize(1));
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	9 assert.is_string(serialization.serialize(true));
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	10 end);
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	11
9480 006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	12 it("rejects function by default", function ()
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	13 assert.has_error(function ()
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	14 serialization.serialize(function () end)
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	15 end);
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	16 end);
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	17
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	18 it("makes a string in debug mode", function ()
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	19 assert.is_string(serialization.serialize(function () end, "debug"));
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	20 end);
006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	21
9481 f34c635c5f42 util.serialization: Test that it rejects tables wit cycles Kim Alvefur <zash@zash.se> parents: 9480 diff changeset	22 it("rejects cycles", function ()
f34c635c5f42 util.serialization: Test that it rejects tables wit cycles Kim Alvefur <zash@zash.se> parents: 9480 diff changeset	23 assert.has_error(function ()
f34c635c5f42 util.serialization: Test that it rejects tables wit cycles Kim Alvefur <zash@zash.se> parents: 9480 diff changeset	24 local t = {}
f34c635c5f42 util.serialization: Test that it rejects tables wit cycles Kim Alvefur <zash@zash.se> parents: 9480 diff changeset	25 t[t] = { t };
f34c635c5f42 util.serialization: Test that it rejects tables wit cycles Kim Alvefur <zash@zash.se> parents: 9480 diff changeset	26 serialization.serialize(t)
f34c635c5f42 util.serialization: Test that it rejects tables wit cycles Kim Alvefur <zash@zash.se> parents: 9480 diff changeset	27 end);
9567 dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	28 -- also with multirefs allowed
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	29 assert.has_error(function ()
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	30 local t = {}
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	31 t[t] = { t };
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	32 serialization.serialize(t, { multirefs = true })
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	33 end);
9481 f34c635c5f42 util.serialization: Test that it rejects tables wit cycles Kim Alvefur <zash@zash.se> parents: 9480 diff changeset	34 end);
9480 006a71a83e6a util.serialization: Make errors fatal by default (like the previous implementation) Kim Alvefur <zash@zash.se> parents: 9343 diff changeset	35
9566 dad29508d0f2 util.serialization: Test rejection of multiple references to same table Kim Alvefur <zash@zash.se> parents: 9485 diff changeset	36 it("rejects multiple references to same table", function ()
dad29508d0f2 util.serialization: Test rejection of multiple references to same table Kim Alvefur <zash@zash.se> parents: 9485 diff changeset	37 assert.has_error(function ()
dad29508d0f2 util.serialization: Test rejection of multiple references to same table Kim Alvefur <zash@zash.se> parents: 9485 diff changeset	38 local t1 = {};
dad29508d0f2 util.serialization: Test rejection of multiple references to same table Kim Alvefur <zash@zash.se> parents: 9485 diff changeset	39 local t2 = { t1, t1 };
9567 dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	40 serialization.serialize(t2, { multirefs = false });
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	41 end);
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	42 end);
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	43
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	44 it("optionally allows multiple references to same table", function ()
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	45 assert.has_error(function ()
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	46 local t1 = {};
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	47 local t2 = { t1, t1 };
dbfa286cfa88 util.serialization: Add option for allowing multiple references to the same table (but not cycles) Kim Alvefur <zash@zash.se> parents: 9566 diff changeset	48 serialization.serialize(t2, { multirefs = true });
9566 dad29508d0f2 util.serialization: Test rejection of multiple references to same table Kim Alvefur <zash@zash.se> parents: 9485 diff changeset	49 end);
dad29508d0f2 util.serialization: Test rejection of multiple references to same table Kim Alvefur <zash@zash.se> parents: 9485 diff changeset	50 end);
dad29508d0f2 util.serialization: Test rejection of multiple references to same table Kim Alvefur <zash@zash.se> parents: 9485 diff changeset	51
9342 83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	52 it("roundtrips", function ()
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	53 local function test(data)
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	54 local serialized = serialization.serialize(data);
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	55 assert.is_string(serialized);
9343 e767da06399d util.serialization: Use deserialize instead of envload directly Kim Alvefur <zash@zash.se> parents: 9342 diff changeset	56 local deserialized, err = serialization.deserialize(serialized);
e767da06399d util.serialization: Use deserialize instead of envload directly Kim Alvefur <zash@zash.se> parents: 9342 diff changeset	57 assert.same(data, deserialized, err);
9342 83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	58 end
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	59
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	60 test({});
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	61 test({hello="world"});
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	62 test("foobar")
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	63 test("\0\1\2\3");
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	64 test("nödåtgärd");
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	65 test({1,2,3,4});
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	66 test({foo={[100]={{"bar"},{baz=1}}}});
9482 8791bfa3984a util.serialization: Test table keys that are Lua keywords Kim Alvefur <zash@zash.se> parents: 9481 diff changeset	67 test({["goto"] = {["function"]={["do"]="keywords"}}});
9342 83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	68 end);
9485 c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	69
c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	70 it("can serialize with metatables", function ()
c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	71 local s = serialization.new({ freeze = true });
c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	72 local t = setmetatable({ a = "hi" }, { __freeze = function (t) return { t.a } end });
c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	73 local rt = serialization.deserialize(s(t));
c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	74 assert.same({"hi"}, rt);
c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	75 end);
c667887d78ad util.serialization: Simpler metatable pre-processing Kim Alvefur <zash@zash.se> parents: 9482 diff changeset	76
9342 83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	77 end);
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	78 end);
83e4596c2824 util.serialization: Add brief initial tests Kim Alvefur <zash@zash.se> parents: diff changeset	79

prosody

0.11.12

spec/util_serialization_spec.lua

Software / code / prosody

Annotate

spec/util_serialization_spec.lua @ 12181:783056b4e448 0.11 0.11.12

Software `/` code `/` prosody