the class TestGetSignature method getSignature.
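@Test
public void getSignature() throws Exception {
    Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
    boolean csrfEnabled = Boolean.FALSE;
    SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.FALSE);
    // Script-bearing HTML: the server is expected to sanitize it before storing the signature.
    String sigContent = "xss<script>alert(\"XSS\")</script><a href=javascript:alert(\"XSS\")><";
    Signature sig = new Signature(null, "testSig", sigContent, "text/html");
    CreateSignatureRequest req = new CreateSignatureRequest(sig);
    SoapProtocol proto = SoapProtocol.Soap12;
    Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
    try {
        Element element = transport.invoke(sigReq, false, false, null);
        String sigt = element.getElement("signature").getAttribute("id");
        assertNotNull(sigt);
    } catch (SoapFaultException e) {
        // Keep the fault as the cause so the report shows where the server rejected the request.
        throw new AssertionError("CreateSignatureRequest failed: " + e.getCode(), e);
    }
    GetSignaturesRequest getSigReq = new GetSignaturesRequest();
    sigReq = JaxbUtil.jaxbToElement(getSigReq, proto.getFactory());
    try {
        Element element = transport.invoke(sigReq, false, false, null);
        String sigtContent = element.getElement("signature").getElement("content").getText();
        // Assert on the content the server returned, not on the local input string.
        assertNotNull(sigtContent);
        // Only the literal payload is checked here; an encoded variant would not be caught by this test.
        int index = sigtContent.indexOf("alert(\"XSS\")");
        Assert.assertEquals(-1, index);
    } catch (SoapFaultException e) {
        throw new AssertionError("GetSignaturesRequest failed: " + e.getCode(), e);
    }
}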
the class TestBatchRequest method batchReqWithoutCsrfToken.
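@Test
public void batchReqWithoutCsrfToken() throws Exception {
    Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
    boolean csrfEnabled = Boolean.TRUE;
    // Presumably the third argument controls whether the CSRF token is sent on the transport
    // (compare batchReqWithCsrfToken, which passes TRUE) — confirm against authUser.
    SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.FALSE);
    Element request = new Element.XMLElement(ZimbraNamespace.E_BATCH_REQUEST);
    String sigContent = "xss<script>alert(\"XSS\")</script><a href=javascript:alert(\"XSS\")><";
    Signature sig = new Signature("test_id", "testSig", sigContent, "text/html");
    CreateSignatureRequest req = new CreateSignatureRequest(sig);
    SoapProtocol proto = SoapProtocol.Soap12;
    Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
    request.addElement(sigReq);
    try {
        transport.invoke(request, false, false, null);
        // Without this the test passes silently if the CSRF check is ever bypassed for batch requests.
        Assert.fail("batch request without CSRF token was accepted; expected an AUTH_REQUIRED fault");
    } catch (SoapFaultException e) {
        assertNotNull(e);
        Assert.assertTrue("unexpected fault code: " + e.getCode(), e.getCode().contains("AUTH_REQUIRED"));
    }
}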
the class TestBatchRequest method batchReqWithCsrfToken.
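@Test
public void batchReqWithCsrfToken() throws Exception {
    Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
    boolean csrfEnabled = Boolean.TRUE;
    SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.TRUE);
    Element request = new Element.XMLElement(ZimbraNamespace.E_BATCH_REQUEST);
    String sigContent = "xss<script>alert(\"XSS\")</script><a href=javascript:alert(\"XSS\")><";
    Signature sig = new Signature(null, "testSig", sigContent, "text/html");
    CreateSignatureRequest req = new CreateSignatureRequest(sig);
    SoapProtocol proto = SoapProtocol.Soap12;
    Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
    request.addElement(sigReq);
    try {
        Element sigResp = transport.invoke(request, false, false, null);
        // The batch response wraps each sub-response; pick the signature id out of CreateSignatureResponse.
        String sigt = sigResp.getElement("CreateSignatureResponse").getElement("signature").getAttribute("id");
        assertNotNull(sigt);
    } catch (SoapFaultException e) {
        // A fault here means the CSRF token was not honoured; keep it as the cause for the report.
        throw new AssertionError("batch request with CSRF token was rejected: " + e.getCode(), e);
    }
}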
the class TestCsrfRequest method getCreateSigWithCsrfFeatureDisbaledAndAuthTokenIsCsrfEnabled.
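@Test
public void getCreateSigWithCsrfFeatureDisbaledAndAuthTokenIsCsrfEnabled() throws Exception {
    // Remember the global setting so a disabled CSRF check does not leak into later tests.
    String originalCsrfCheck = prov.getConfig().getAttr(Provisioning.A_zimbraCsrfTokenCheckEnabled);
    Map<String, Object> attrs = new HashMap<String, Object>();
    attrs.put(Provisioning.A_zimbraCsrfTokenCheckEnabled, "FALSE");
    prov.modifyAttrs(prov.getConfig(), attrs, true);
    try {
        Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
        boolean csrfEnabled = Boolean.TRUE;
        SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.FALSE);
        String sigContent = "xss<script>alert(\"XSS\")</script><a href=javascript:alert(\"XSS\")><";
        Signature sig = new Signature(null, "testSig", sigContent, "text/html");
        CreateSignatureRequest req = new CreateSignatureRequest(sig);
        SoapProtocol proto = SoapProtocol.Soap12;
        Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
        try {
            Element element = transport.invoke(sigReq, false, false, null);
            String sigt = element.getElement("signature").getAttribute("id");
            assertNotNull(sigt);
        } catch (SoapFaultException e) {
            // With the CSRF feature off, a CSRF-enabled token must still be accepted; keep the fault as cause.
            throw new AssertionError("CreateSignatureRequest failed: " + e.getCode(), e);
        }
    } finally {
        Map<String, Object> restore = new HashMap<String, Object>();
        // NOTE(review): a null value is expected to unset the attribute when it was not set before —
        // confirm against Provisioning.modifyAttrs.
        restore.put(Provisioning.A_zimbraCsrfTokenCheckEnabled, originalCsrfCheck);
        prov.modifyAttrs(prov.getConfig(), restore, true);
    }
}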
the class SoapEngine method chooseFaultProtocolFromBadXml.
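/**
 * Bug 77304 - If the XML for a Soap Request was bad, look at it to see if enough of it is valid to be able
 * to determine the desired response protocol.
 * Use StAX parsing so that we can stop looking at the XML once we have got past the Envelope Header context.
 * <p>
 * Only the path {@code Envelope/Header/context/format} is inspected. Scanning stops at the first of: a
 * {@code format} element carrying a {@code type} attribute, the end of {@code context}, {@code Header} or
 * {@code Envelope}, or a stream error. The body is untrusted input, so DTD processing and external entity
 * resolution are switched off on the parser before it reads anything.
 *
 * @param in the raw request body; it is closed by this method whether or not parsing succeeds
 * @return {@link SoapProtocol#SoapJS} if {@code format type} names JavaScript; otherwise
 *         {@link SoapProtocol#Soap11} if the Envelope is in the SOAP 1.1 namespace; otherwise
 *         {@link SoapProtocol#Soap12}
 */
private SoapProtocol chooseFaultProtocolFromBadXml(InputStream in) {
    SoapProtocol soapProto = SoapProtocol.Soap12; /* Default */
    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    // This disables DTDs entirely for that factory
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    // disable external entities; the constant is the same key as "javax.xml.stream.isSupportingExternalEntities"
    xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    XMLStreamReader xmlReader = null;
    int depth = 0; // element nesting depth of the event being handled (1 == document element)
    boolean inEnvelope = false;
    boolean inHeader = false;
    boolean inContext = false;
    String localName;
    try {
        xmlReader = xmlInputFactory.createXMLStreamReader(in);
        boolean scanningForFormat = true;
        while (scanningForFormat && xmlReader.hasNext()) {
            int eventType = xmlReader.next();
            switch (eventType) {
            case XMLStreamReader.START_ELEMENT:
                localName = xmlReader.getLocalName();
                depth++;
                if ((depth == 1) && ("Envelope".equals(localName))) {
                    inEnvelope = true;
                    String ns = xmlReader.getNamespaceURI();
                    if (SoapProtocol.Soap11.getNamespace().getStringValue().equals(ns)) {
                        // new default
                        soapProto = SoapProtocol.Soap11;
                    }
                } else if (inEnvelope && (depth == 2) && ("Header".equals(localName))) {
                    inHeader = true;
                } else if (inHeader && (depth == 3) && ("context".equals(localName))) {
                    inContext = true;
                } else if (inContext && (depth == 4) && ("format".equals(localName))) {
                    String respType = xmlReader.getAttributeValue(null, "type");
                    if (respType != null) {
                        if (HeaderConstants.TYPE_JAVASCRIPT.equals(respType)) {
                            soapProto = SoapProtocol.SoapJS;
                        }
                        scanningForFormat = false;
                    }
                }
                break;
            case XMLStreamReader.END_ELEMENT:
                // depth is still that of the element being closed here; it is decremented below.
                localName = xmlReader.getLocalName();
                if ((depth == 1) && ("Envelope".equals(localName))) {
                    inEnvelope = false;
                    scanningForFormat = false;
                    /* it wasn't specified, so default it */
                } else if (inEnvelope && (depth == 2) && ("Header".equals(localName))) {
                    inHeader = false;
                    scanningForFormat = false;
                    /* it wasn't specified, so default it */
                } else if (inHeader && (depth == 3) && ("context".equals(localName))) {
                    inContext = false;
                    scanningForFormat = false;
                    /* it wasn't specified, so default it */
                }
                depth--;
                break;
            }
        }
    } catch (XMLStreamException e) {
        // The request was already known to be bad; whatever was decoded before the error stands.
        ZimbraLog.soap.debug("Problem trying to determine response protocol from request XML", e);
    } finally {
        if (xmlReader != null) {
            try {
                xmlReader.close();
            } catch (XMLStreamException ignored) {
                // best effort: nothing further can be done with a reader that will not close
            }
        }
    }
    try {
        in.close();
    } catch (IOException ignored) {
        // best effort: the stream has already served its purpose
    }
    return soapProto;
}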