Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.3.0, 1.4.0, 1.2.5, 1.1.9, 2.0.0-alpha-1
-
None
Description
The test added in HBASE-17424 is overly specific:
@Test public void testFailOnExternalEntities() throws Exception { final String externalEntitiesXml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + " <!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"/tmp/foo\"> ] >" + " <ClusterVersion>&xee;</ClusterVersion>"; Client client = mock(Client.class); RemoteAdmin admin = new RemoteAdmin(client, HBaseConfiguration.create(), null); Response resp = new Response(200, null, externalEntitiesXml.getBytes()); when(client.get("/version/cluster", Constants.MIMETYPE_XML)).thenReturn(resp); try { admin.getClusterVersion(); fail("Expected getClusterVersion() to throw an exception"); } catch (IOException e) { final String exceptionText = StringUtils.stringifyException(e); final String expectedText = "The entity \"xee\" was referenced, but not declared."; LOG.error("exception text: " + exceptionText, e); assertTrue("Exception does not contain expected text", exceptionText.contains(expectedText)); } }
Specifically, when running against Hadoop 3.0.0-beta1 this test fails because the exception text is different, though I'm still figuring out why.
Attachments
Attachments
Issue Links
- is related to
-
HBASE-17424 Protect REST client against malicious XML responses.
- Closed