Tests fail on OTP 27 #105

Open
half-shell opened this issue Jan 3, 2025 · 0 comments
Labels
chore non-functionnal changes

Comments

@half-shell
Member

Description

Tests seem to fail on OTP 27.

This is most likely due to a change in xmerl defaults released in OTP 27, made in erlang/otp#7539 (cf. the detailed release notes):

  • Some default values in Xmerl have been changed to avoid XML External Entity (XXE) vulnerabilities if you're parsing untrusted XML.

    xmerl_scan: the default value for allow_entities has changed to false.
    xmerl_sax_parser: the default value for external_entities has changed to none.

Own Id: OTP-19079
Application(s): xmerl
Related Id(s): GH-7539

Steps to reproduce

Using the following .tool-versions (and any OTP >27, really):

erlang 27.0
elixir 1.17

And launching tests, we get:

$ mix test
Compiling 2 files (.ex)

# Warnings [...]

....................................

  1) test stream: raise on reading /etc/passwd with dtd: :none (Issue71Test)
     test/issue_71_test.exs:33
     Assertion failed, no matching message after 100ms
     The following variables were pinned:
       pid = #PID<0.746.0>
     Showing 1 of 1 message in the mailbox
     code: assert_receive {:EXIT, ^pid, {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}}
     mailbox:
       pattern: {:EXIT, ^pid, {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}}
       value:   {:EXIT, #PID<0.746.0>, {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}}
     stacktrace:
       test/issue_71_test.exs:38: (test)



  2) test raise on reading /etc/passwd with dtd: :internal_only (Issue71Test)
     test/issue_71_test.exs:11
     match (=) failed
     code:  assert {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}} =
              catch_exit(SweetXml.parse(sneaky_xml, dtd: :internal_only, quiet: true))
     left:  {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}
     right: {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}
     stacktrace:
       test/issue_71_test.exs:14: (test)



  3) test raise on reading /etc/passwd with dtd: [only: :banana] (Issue71Test)
     test/issue_71_test.exs:18
     ** (exit) {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}
     code: assert_raise RuntimeError, fn ->
     stacktrace:
       (xmerl 2.0) xmerl_scan.erl:4236: :xmerl_scan.fatal/2
       (xmerl 2.0) xmerl_scan.erl:1376: :xmerl_scan.scan_doctype3/3
       (xmerl 2.0) xmerl_scan.erl:828: :xmerl_scan.scan_prolog/4
       (xmerl 2.0) xmerl_scan.erl:669: :xmerl_scan.scan_document/2
       (xmerl 2.0) xmerl_scan.erl:390: :xmerl_scan.string/2
       (sweet_xml 0.7.4) lib/sweet_xml.ex:292: SweetXml.do_parse/2
       (sweet_xml 0.7.4) lib/sweet_xml.ex:281: SweetXml.parse/2
       test/issue_71_test.exs:21: (test)

     The following output was logged:

     10:38:55.783 [error] 1793- fatal: {:error, :entities_not_allowed}




  4) test raise on reading /etc/passwd with dtd: :none (Issue71Test)
     test/issue_71_test.exs:4
     match (=) failed
     code:  assert {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}} =
              catch_exit(SweetXml.parse(sneaky_xml, dtd: :none, quiet: true))
     left:  {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}
     right: {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}
     stacktrace:
       test/issue_71_test.exs:7: (test)



  5) test stream: raise on billion_laugh.xml with dtd: :none (Issue71Test)
     test/issue_71_test.exs:41
     Assertion failed, no matching message after 100ms
     The following variables were pinned:
       pid = #PID<0.783.0>
     Showing 1 of 1 message in the mailbox
     code: assert_receive {:EXIT, ^pid, {%RuntimeError{}, _stacktrace}}
     mailbox:
       pattern: {:EXIT, ^pid, {%RuntimeError{}, _stacktrace}}
       value:   {:EXIT, #PID<0.783.0>, {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 4}, {:col, 2}}}}
     stacktrace:
       test/issue_71_test.exs:46: (test)



  6) test raise on billion_laugh.xml with dtd: :none (Issue71Test)
     test/issue_71_test.exs:26
     ** (exit) {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 4}, {:col, 2}}}
     code: assert_raise RuntimeError, fn ->
     stacktrace:
       (xmerl 2.0) xmerl_scan.erl:4236: :xmerl_scan.fatal/2
       (xmerl 2.0) xmerl_scan.erl:1376: :xmerl_scan.scan_doctype3/3
       (xmerl 2.0) xmerl_scan.erl:828: :xmerl_scan.scan_prolog/4
       (xmerl 2.0) xmerl_scan.erl:669: :xmerl_scan.scan_document/2
       (xmerl 2.0) xmerl_scan.erl:390: :xmerl_scan.string/2
       (sweet_xml 0.7.4) lib/sweet_xml.ex:292: SweetXml.do_parse/2
       (sweet_xml 0.7.4) lib/sweet_xml.ex:281: SweetXml.parse/2
       test/issue_71_test.exs:28: (test)

     The following output was logged:

     10:38:55.887 [error] 1793- fatal: {:error, :entities_not_allowed}


...

  7) test internal only (SweetXmlStreamTest)
     test/sweet_xml_stream_test.exs:109
     Expected exception SweetXml.DTDError but got SweetXml.XmerlFatal ({:error, :entities_not_allowed})
     code: assert_raise SweetXml.DTDError, "no external entity allowed", fn ->
     stacktrace:
       (sweet_xml 0.7.4) lib/sweet_xml.ex:539: anonymous fn/1 in SweetXml.stream!/2
       (elixir 1.17.0-rc.1) lib/stream.ex:1683: Stream.do_resource/5
       (elixir 1.17.0-rc.1) lib/stream.ex:690: Stream.run/1
       test/sweet_xml_stream_test.exs:110: (test)

     The following output was logged:

     10:38:55.942 [error] 1793- fatal: {:error, :entities_not_allowed}


.

  8) test DTD error (SweetXmlStreamTest)
     test/sweet_xml_stream_test.exs:100
     Expected exception SweetXml.DTDError but got SweetXml.XmerlFatal ({:error, :entities_not_allowed})
     code: assert_raise SweetXml.DTDError, "DTD not allowed: lol1", fn ->
     stacktrace:
       (sweet_xml 0.7.4) lib/sweet_xml.ex:539: anonymous fn/1 in SweetXml.stream!/2
       (elixir 1.17.0-rc.1) lib/stream.ex:1683: Stream.do_resource/5
       (elixir 1.17.0-rc.1) lib/stream.ex:690: Stream.run/1
       test/sweet_xml_stream_test.exs:101: (test)

......
Finished in 0.4 seconds (0.00s async, 0.4s sync)
16 doctests, 38 tests, 8 failures
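The failures above all come from the same place: with OTP 27's new `allow_entities: false` default, xmerl_scan exits with `{:fatal, {{:error, :entities_not_allowed}, ...}}` as soon as it meets an entity declaration in the DTD, where older OTP releases went on to fail with `{:error_fetching_DTD, {_, _}}` while fetching the external DTD. The added example below is not sweet_xml's code; it is a hypothetical `SafeXmerl` wrapper that pins the OTP 27 default explicitly (the option is only recognised by xmerl from OTP 27, which is assumed here, hence the release check) and maps both exit shapes to a stable error tuple that tests can match regardless of OTP version.

```elixir
defmodule SafeXmerl do
  # Hypothetical wrapper (not sweet_xml's own API) around :xmerl_scan.string/2.
  # It pins allow_entities: false, the OTP 27 default, so the parser never
  # expands DTD entities even if a later release changes the default again.
  # The option is assumed to exist only from OTP 27, so it is added only there.
  defp default_opts do
    otp = :erlang.system_info(:otp_release) |> List.to_string() |> String.to_integer()
    if otp >= 27, do: [allow_entities: false, quiet: true], else: [quiet: true]
  end

  @spec parse(String.t(), keyword()) :: {:ok, tuple()} | {:error, term()}
  def parse(xml, opts \\ []) when is_binary(xml) do
    scan_opts = Keyword.merge(default_opts(), opts)

    try do
      {doc, _rest} = :xmerl_scan.string(String.to_charlist(xml), scan_opts)
      {:ok, doc}
    catch
      # xmerl_scan.fatal/2 exits with {:fatal, {Reason, {:file, F}, {:line, L}, {:col, C}}},
      # the same shape seen in the failing assertions above.
      :exit, {:fatal, {reason, {:file, file}, {:line, line}, {:col, col}}} ->
        {:error, classify(reason, file, line, col)}
    end
  end

  # OTP >= 27 (allow_entities: false): any entity declaration is rejected outright.
  defp classify({:error, :entities_not_allowed}, _file, line, col),
    do: {:entities_not_allowed, line: line, col: col}

  # Older OTP (allow_entities: true): parsing fails while fetching the external DTD.
  defp classify({:error_fetching_DTD, {_, _} = detail}, _file, line, col),
    do: {:external_dtd_blocked, detail: detail, line: line, col: col}

  # Anything else xmerl reports as fatal is passed through with its position.
  defp classify(other, file, line, col),
    do: {:xmerl_fatal, reason: other, file: file, line: line, col: col}

  # Constructed sample input: a harmless internal entity. On OTP 27 this now
  # returns {:error, {:entities_not_allowed, ...}}; on OTP 26 it parses fine.
  def demo do
    xml = ~s(<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY greeting "hi">]>\n<r>&greeting;</r>)
    parse(xml)
  end
end
```

A test written against this wrapper can assert `{:error, {:entities_not_allowed, _}}` on OTP 27 and `{:error, {:external_dtd_blocked, _}}` on earlier releases instead of pinning the raw xmerl exit tuple.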
@half-shell half-shell added the chore non-functionnal changes label Jan 3, 2025