
Example 6 with SoapProtocol

use of com.zimbra.common.soap.SoapProtocol in project zm-mailbox by Zimbra.

the class TestGetSignature method getSignature.

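/**
 * Creates a signature whose content carries raw script markup and then reads it back with
 * {@code GetSignaturesRequest}, asserting that the create call succeeds and that the stored
 * content no longer contains the {@code alert("XSS")} payload (i.e. the server is expected to
 * sanitize HTML signature content before persisting it).
 *
 * @throws Exception from account provisioning or SOAP transport setup
 */
@Test
public void getSignature() throws Exception {
    Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
    boolean csrfEnabled = false;
    SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.FALSE);
    // Raw, unescaped markup: both an inline script and a javascript: URL.
    String sigContent = "xss<script>alert(\"XSS\")</script><a href=javascript:alert(\"XSS\")><";
    Signature sig = new Signature(null, "testSig", sigContent, "text/html");
    CreateSignatureRequest req = new CreateSignatureRequest(sig);
    SoapProtocol proto = SoapProtocol.Soap12;
    Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
    try {
        Element element = transport.invoke(sigReq, false, false, null);
        String sigId = element.getElement("signature").getAttribute("id");
        assertNotNull("CreateSignatureResponse carries no signature id", sigId);
    } catch (SoapFaultException e) {
        // A fault here is a test failure; keep the fault as the cause rather than printing it.
        throw new AssertionError("CreateSignatureRequest faulted: " + e.getCode(), e);
    }
    GetSignaturesRequest getSigReq = new GetSignaturesRequest();
    sigReq = JaxbUtil.jaxbToElement(getSigReq, proto.getFactory());
    try {
        Element element = transport.invoke(sigReq, false, false, null);
        String storedContent = element.getElement("signature").getElement("content").getText();
        // Assert on the content returned by the server, not on the request string.
        assertNotNull("stored signature content is missing", storedContent);
        Assert.assertEquals("script payload survived sanitization: " + storedContent,
                -1, storedContent.indexOf("alert(\"XSS\")"));
    } catch (SoapFaultException e) {
        throw new AssertionError("GetSignaturesRequest faulted: " + e.getCode(), e);
    }
}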

Example 7 with SoapProtocol

use of com.zimbra.common.soap.SoapProtocol in project zm-mailbox by Zimbra.

the class TestBatchRequest method batchReqWithoutCsrfToken.

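/**
 * Sends a BatchRequest wrapping a CreateSignatureRequest with an auth token that has CSRF
 * checking enabled but without supplying the CSRF token, and expects the server to reject it
 * with an {@code AUTH_REQUIRED} fault.
 * <p>
 * The test fails explicitly if the batch is accepted; a missing-token request that goes
 * through would otherwise pass silently.
 *
 * @throws Exception from account provisioning or SOAP transport setup
 */
@Test
public void batchReqWithoutCsrfToken() throws Exception {
    Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
    boolean csrfEnabled = true;
    SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.FALSE);
    Element request = new Element.XMLElement(ZimbraNamespace.E_BATCH_REQUEST);
    String sigContent = "xss<script>alert(\"XSS\")</script><a href=javascript:alert(\"XSS\")><";
    Signature sig = new Signature("test_id", "testSig", sigContent, "text/html");
    CreateSignatureRequest req = new CreateSignatureRequest(sig);
    SoapProtocol proto = SoapProtocol.Soap12;
    Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
    request.addElement(sigReq);
    try {
        transport.invoke(request, false, false, null);
    } catch (SoapFaultException e) {
        Assert.assertTrue("expected AUTH_REQUIRED fault, got " + e.getCode(),
                e.getCode().contains("AUTH_REQUIRED"));
        return;
    }
    // Reaching this point means the CSRF check did not reject the request.
    Assert.fail("batch request without CSRF token was accepted; expected AUTH_REQUIRED fault");
}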

Example 8 with SoapProtocol

use of com.zimbra.common.soap.SoapProtocol in project zm-mailbox by Zimbra.

the class TestBatchRequest method batchReqWithCsrfToken.

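/**
 * Sends a BatchRequest wrapping a CreateSignatureRequest with a CSRF-enabled auth token and the
 * CSRF token supplied, and expects the nested CreateSignatureResponse to carry a signature id.
 *
 * @throws Exception from account provisioning or SOAP transport setup
 */
@Test
public void batchReqWithCsrfToken() throws Exception {
    Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
    boolean csrfEnabled = true;
    SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.TRUE);
    Element request = new Element.XMLElement(ZimbraNamespace.E_BATCH_REQUEST);
    String sigContent = "xss<script>alert(\"XSS\")</script><a href=javascript:alert(\"XSS\")><";
    Signature sig = new Signature(null, "testSig", sigContent, "text/html");
    CreateSignatureRequest req = new CreateSignatureRequest(sig);
    SoapProtocol proto = SoapProtocol.Soap12;
    Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
    request.addElement(sigReq);
    try {
        Element sigResp = transport.invoke(request, false, false, null);
        // Batch responses nest the per-request response under its own element.
        String sigId = sigResp.getElement("CreateSignatureResponse")
                .getElement("signature").getAttribute("id");
        assertNotNull("CreateSignatureResponse carries no signature id", sigId);
    } catch (SoapFaultException e) {
        // A fault with the token supplied is a failure; keep it as the cause.
        throw new AssertionError("batch request with CSRF token faulted: " + e.getCode(), e);
    }
}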

Example 9 with SoapProtocol

use of com.zimbra.common.soap.SoapProtocol in project zm-mailbox by Zimbra.

the class TestCsrfRequest method getCreateSigWithCsrfFeatureDisbaledAndAuthTokenIsCsrfEnabled.

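/**
 * Disables the global CSRF token check, authenticates with a CSRF-enabled auth token but no
 * CSRF token, and expects a plain CreateSignatureRequest to succeed: with the feature switched
 * off in config the token must not be required.
 * <p>
 * NOTE: {@code zimbraCsrfTokenCheckEnabled} is set to FALSE on the global config and is not
 * restored here, so later tests in the same run observe CSRF checking disabled unless they
 * set it themselves.
 *
 * @throws Exception from provisioning, config modification or SOAP transport setup
 */
@Test
public void getCreateSigWithCsrfFeatureDisbaledAndAuthTokenIsCsrfEnabled() throws Exception {
    Map<String, Object> attrs = new HashMap<String, Object>();
    attrs.put(Provisioning.A_zimbraCsrfTokenCheckEnabled, "FALSE");
    prov.modifyAttrs(prov.getConfig(), attrs, true);
    Account acct = provUtil.createAccount(genAcctNameLocalPart(), domain);
    boolean csrfEnabled = true;
    SoapTransport transport = authUser(acct.getName(), csrfEnabled, Boolean.FALSE);
    // Already entity-escaped (&lt; / &gt;), so this is inert text rather than live markup;
    // the interesting part of this test is the CSRF behaviour, not sanitization.
    String sigContent = "xss&lt;script&gt;alert(\"XSS\")&lt;/script&gt;&lt;a href=javascript:alert(\"XSS\")&gt;&lt;";
    Signature sig = new Signature(null, "testSig", sigContent, "text/html");
    CreateSignatureRequest req = new CreateSignatureRequest(sig);
    SoapProtocol proto = SoapProtocol.Soap12;
    Element sigReq = JaxbUtil.jaxbToElement(req, proto.getFactory());
    try {
        Element element = transport.invoke(sigReq, false, false, null);
        String sigId = element.getElement("signature").getAttribute("id");
        assertNotNull("CreateSignatureResponse carries no signature id", sigId);
    } catch (SoapFaultException e) {
        // With the CSRF feature disabled a fault is a failure; keep it as the cause.
        throw new AssertionError("CreateSignatureRequest faulted: " + e.getCode(), e);
    }
}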

Example 10 with SoapProtocol

use of com.zimbra.common.soap.SoapProtocol in project zm-mailbox by Zimbra.

the class SoapEngine method chooseFaultProtocolFromBadXml.

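/**
 * Bug 77304 - If the XML for a Soap Request was bad, look at it to see if enough of it is valid to be able
 * to determine the desired response protocol.
 * Use StAX parsing so that we can stop looking at the XML once we have got past the Envelope Header context.
 * <p>
 * The request body is untrusted input that has already failed normal parsing, so the StAX factory is
 * configured with DTD support and external entity resolution switched off before anything is read.
 * Only element names, the Envelope namespace and the {@code type} attribute of
 * {@code Envelope/Header/context/format} are inspected.
 *
 * @param in the request body; it is always closed before this method returns
 * @return {@link SoapProtocol#Soap11} when the Envelope carries the SOAP 1.1 namespace,
 *         {@link SoapProtocol#SoapJS} when a {@code format} element with a
 *         {@link HeaderConstants#TYPE_JAVASCRIPT} type is found, otherwise {@link SoapProtocol#Soap12}
 */
private SoapProtocol chooseFaultProtocolFromBadXml(InputStream in) {
    SoapProtocol soapProto = SoapProtocol.Soap12; // default
    XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
    // Disable DTDs entirely (no entity declarations, no entity expansion) ...
    xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    // ... and external entity resolution, so a malformed request cannot make the parser read
    // local files or fetch remote resources while we merely look for the response format.
    xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    XMLStreamReader xmlReader = null;
    int depth = 0;
    boolean inEnvelope = false;
    boolean inHeader = false;
    boolean inContext = false;
    try {
        xmlReader = xmlInputFactory.createXMLStreamReader(in);
        boolean scanningForFormat = true;
        while (scanningForFormat && xmlReader.hasNext()) {
            int eventType = xmlReader.next();
            switch (eventType) {
                case XMLStreamReader.START_ELEMENT: {
                    String localName = xmlReader.getLocalName();
                    depth++;
                    if ((depth == 1) && ("Envelope".equals(localName))) {
                        inEnvelope = true;
                        String ns = xmlReader.getNamespaceURI();
                        if (SoapProtocol.Soap11.getNamespace().getStringValue().equals(ns)) {
                            // SOAP 1.1 envelope: becomes the new default unless a format says otherwise
                            soapProto = SoapProtocol.Soap11;
                        }
                    } else if (inEnvelope && (depth == 2) && ("Header".equals(localName))) {
                        inHeader = true;
                    } else if (inHeader && (depth == 3) && ("context".equals(localName))) {
                        inContext = true;
                    } else if (inContext && (depth == 4) && ("format".equals(localName))) {
                        String respType = xmlReader.getAttributeValue(null, "type");
                        if (respType != null) {
                            if (HeaderConstants.TYPE_JAVASCRIPT.equals(respType)) {
                                soapProto = SoapProtocol.SoapJS;
                            }
                            // An explicit format type settles the question.
                            scanningForFormat = false;
                        }
                    }
                    break;
                }
                case XMLStreamReader.END_ELEMENT: {
                    String localName = xmlReader.getLocalName();
                    // Leaving Envelope, Header or context without having seen a format element
                    // means none was specified: stop scanning and keep the default.
                    if ((depth == 1) && ("Envelope".equals(localName))) {
                        inEnvelope = false;
                        scanningForFormat = false;
                    } else if (inEnvelope && (depth == 2) && ("Header".equals(localName))) {
                        inHeader = false;
                        scanningForFormat = false;
                    } else if (inHeader && (depth == 3) && ("context".equals(localName))) {
                        inContext = false;
                        scanningForFormat = false;
                    }
                    depth--;
                    break;
                }
                default:
                    break;
            }
        }
    } catch (XMLStreamException e) {
        ZimbraLog.soap.debug("Problem trying to determine response protocol from request XML", e);
    } finally {
        if (xmlReader != null) {
            try {
                xmlReader.close();
            } catch (XMLStreamException ignored) {
                // best effort: the reader is discarded and the protocol has already been chosen
            }
        }
        // Closed in finally so the stream is released even if the parser throws something
        // other than XMLStreamException.
        try {
            in.close();
        } catch (IOException ignored) {
            // best effort: nothing further can be done with a stream that fails to close
        }
    }
    return soapProto;
}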
