Description
Tests seem to fail on OTP 27. This is most likely due to a change in xmerl defaults released in OTP 27, and made in erlang/otp#7539 (cf. detailed release notes):

- Some default values in Xmerl has been changed to avoid XML External Entity (XXE) vulnerabilities if you're parsing untrusted XML.

  xmerl_scan: the default value for allow_entities has changed to false.

  xmerl_sax_parser: the default value for external_entities has changed to none.

  Own Id: OTP-19079
  Application(s): xmerl
  Related Id(s): GH-7539
Steps to reproduce
Using the following .tools-version (and any >27 OTP really):
erlang 27.0
elixir 1.17
And launching tests, we get:
$ mix test
Compiling 2 files (.ex)
# Warnings [...]
....................................
1) test stream: raise on reading /etc/passwd with dtd: :none (Issue71Test)
test/issue_71_test.exs:33
Assertion failed, no matching message after 100ms
The following variables were pinned:
pid = #PID<0.746.0>
Showing 1 of 1 message in the mailbox
code: assert_receive {:EXIT, ^pid, {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}}
mailbox:
pattern: {:EXIT, ^pid, {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}}
value: {:EXIT, #PID<0.746.0>, {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}}
stacktrace:
test/issue_71_test.exs:38: (test)
2) test raise on reading /etc/passwd with dtd: :internal_only (Issue71Test)
test/issue_71_test.exs:11
match (=) failed
code: assert {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}} =
catch_exit(SweetXml.parse(sneaky_xml, dtd: :internal_only, quiet: true))
left: {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}
right: {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}
stacktrace:
test/issue_71_test.exs:14: (test)
3) test raise on reading /etc/passwd with dtd: [only: :banana] (Issue71Test)
test/issue_71_test.exs:18
** (exit) {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}
code: assert_raise RuntimeError, fn ->
stacktrace:
(xmerl 2.0) xmerl_scan.erl:4236: :xmerl_scan.fatal/2
(xmerl 2.0) xmerl_scan.erl:1376: :xmerl_scan.scan_doctype3/3
(xmerl 2.0) xmerl_scan.erl:828: :xmerl_scan.scan_prolog/4
(xmerl 2.0) xmerl_scan.erl:669: :xmerl_scan.scan_document/2
(xmerl 2.0) xmerl_scan.erl:390: :xmerl_scan.string/2
(sweet_xml 0.7.4) lib/sweet_xml.ex:292: SweetXml.do_parse/2
(sweet_xml 0.7.4) lib/sweet_xml.ex:281: SweetXml.parse/2
test/issue_71_test.exs:21: (test)
The following output was logged:
10:38:55.783 [error] 1793- fatal: {:error, :entities_not_allowed}
4) test raise on reading /etc/passwd with dtd: :none (Issue71Test)
test/issue_71_test.exs:4
match (=) failed
code: assert {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}} =
catch_exit(SweetXml.parse(sneaky_xml, dtd: :none, quiet: true))
left: {:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}
right: {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 3}, {:col, 1}}}
stacktrace:
test/issue_71_test.exs:7: (test)
5) test stream: raise on billion_laugh.xml with dtd: :none (Issue71Test)
test/issue_71_test.exs:41
Assertion failed, no matching message after 100ms
The following variables were pinned:
pid = #PID<0.783.0>
Showing 1 of 1 message in the mailbox
code: assert_receive {:EXIT, ^pid, {%RuntimeError{}, _stacktrace}}
mailbox:
pattern: {:EXIT, ^pid, {%RuntimeError{}, _stacktrace}}
value: {:EXIT, #PID<0.783.0>, {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 4}, {:col, 2}}}}
stacktrace:
test/issue_71_test.exs:46: (test)
6) test raise on billion_laugh.xml with dtd: :none (Issue71Test)
test/issue_71_test.exs:26
** (exit) {:fatal, {{:error, :entities_not_allowed}, {:file, :file_name_unknown}, {:line, 4}, {:col, 2}}}
code: assert_raise RuntimeError, fn ->
stacktrace:
(xmerl 2.0) xmerl_scan.erl:4236: :xmerl_scan.fatal/2
(xmerl 2.0) xmerl_scan.erl:1376: :xmerl_scan.scan_doctype3/3
(xmerl 2.0) xmerl_scan.erl:828: :xmerl_scan.scan_prolog/4
(xmerl 2.0) xmerl_scan.erl:669: :xmerl_scan.scan_document/2
(xmerl 2.0) xmerl_scan.erl:390: :xmerl_scan.string/2
(sweet_xml 0.7.4) lib/sweet_xml.ex:292: SweetXml.do_parse/2
(sweet_xml 0.7.4) lib/sweet_xml.ex:281: SweetXml.parse/2
test/issue_71_test.exs:28: (test)
The following output was logged:
10:38:55.887 [error] 1793- fatal: {:error, :entities_not_allowed}
...
7) test internal only (SweetXmlStreamTest)
test/sweet_xml_stream_test.exs:109
Expected exception SweetXml.DTDError but got SweetXml.XmerlFatal ({:error, :entities_not_allowed})
code: assert_raise SweetXml.DTDError, "no external entity allowed", fn ->
stacktrace:
(sweet_xml 0.7.4) lib/sweet_xml.ex:539: anonymous fn/1 in SweetXml.stream!/2
(elixir 1.17.0-rc.1) lib/stream.ex:1683: Stream.do_resource/5
(elixir 1.17.0-rc.1) lib/stream.ex:690: Stream.run/1
test/sweet_xml_stream_test.exs:110: (test)
The following output was logged:
10:38:55.942 [error] 1793- fatal: {:error, :entities_not_allowed}
.
8) test DTD error (SweetXmlStreamTest)
test/sweet_xml_stream_test.exs:100
Expected exception SweetXml.DTDError but got SweetXml.XmerlFatal ({:error, :entities_not_allowed})
code: assert_raise SweetXml.DTDError, "DTD not allowed: lol1", fn ->
stacktrace:
(sweet_xml 0.7.4) lib/sweet_xml.ex:539: anonymous fn/1 in SweetXml.stream!/2
(elixir 1.17.0-rc.1) lib/stream.ex:1683: Stream.do_resource/5
(elixir 1.17.0-rc.1) lib/stream.ex:690: Stream.run/1
test/sweet_xml_stream_test.exs:101: (test)
......
Finished in 0.4 seconds (0.00s async, 0.4s sync)
16 doctests, 38 tests, 8 failures
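
The failures above all come from the same thing: the hostile document is still rejected, but the exit reason is now `{:error, :entities_not_allowed}` instead of the `:error_fetching_DTD` shape the tests match on. The following is an added example, not code from this report or from SweetXml: a hypothetical `DtdRejection` helper (module and function names are assumptions) that normalises both exit shapes so a security test asserts on "rejected" rather than on one OTP version's tuple. The sample exit reasons are constructed from the test output above, with a placeholder where the original pattern only shows `{_, _}`.

```elixir
defmodule DtdRejection do
  # Hypothetical helper (not part of SweetXml): maps the ways a blocked
  # DTD or entity surfaces onto a single {:rejected, why} result.

  # Exit shape the existing tests match on ("left:" in the failures above).
  def classify({:fatal, {{:error_fetching_DTD, {_, _}}, _file, _line, _col}}),
    do: {:rejected, :dtd_fetch}

  # Exit shape reported under OTP 27 / xmerl 2.0 ("right:" in the failures).
  def classify({:fatal, {{:error, :entities_not_allowed}, _file, _line, _col}}),
    do: {:rejected, :entities_not_allowed}

  # Anything else is surfaced unchanged so the test fails loudly.
  def classify(other), do: {:unexpected, other}

  # Runs a zero-arity parse function and reports how it ended. A normal
  # return means the document was accepted, which a security test for
  # untrusted XML must treat as a failure.
  def run(parse_fun) when is_function(parse_fun, 0) do
    {:accepted, parse_fun.()}
  rescue
    e in RuntimeError -> {:rejected, {:raised, Exception.message(e)}}
  catch
    :exit, reason -> classify(reason)
  end
end

# Constructed sample exit reasons, modelled on the test output above.
pos = [{:file, :file_name_unknown}, {:line, 3}, {:col, 1}]
[file, line, col] = pos

otp27_reason = {:fatal, {{:error, :entities_not_allowed}, file, line, col}}
# The inner pair is a placeholder; the page only shows it as {_, _}.
older_reason = {:fatal, {{:error_fetching_DTD, {~c"placeholder", :placeholder}}, file, line, col}}

IO.inspect(DtdRejection.run(fn -> exit(otp27_reason) end), label: "OTP 27 shape")
IO.inspect(DtdRejection.run(fn -> exit(older_reason) end), label: "expected shape")
IO.inspect(DtdRejection.run(fn -> raise "constructed RuntimeError" end), label: "raised")
IO.inspect(DtdRejection.run(fn -> :parsed_document end), label: "accepted")
```

In a test, the function passed to `run/1` would wrap the call shown in the failures, for example `SweetXml.parse(sneaky_xml, dtd: :none, quiet: true)`; for the stream tests, `classify/1` can be applied directly to the reason received in the `{:EXIT, pid, reason}` message.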