/**
 * Loads an XML-RPC request fixture and decodes it.
 *
 * The fixture is read from testdata/requests/<path>.xml next to this
 * file, then passed to the decoder as a base64 "data:" URI.
 *
 * $path is used verbatim to build a filesystem path, so it is meant for
 * fixture names chosen by the tests themselves, never for external input.
 *
 * @param string $path Fixture name relative to testdata/requests, with "/"
 *                     as separator and without the ".xml" suffix.
 *
 * @return \fpoirotte\XRL\Request The decoded request.
 */
public function getRequest($path)
{
    // Convert the "/"-separated fixture name to the platform's separator.
    $relative = str_replace('/', DIRECTORY_SEPARATOR, $path . '.xml');
    $fixture  = implode(
        DIRECTORY_SEPARATOR,
        array(__DIR__, 'testdata', 'requests', $relative)
    );
    $xml = file_get_contents($fixture);

    // NOTE(review): the meaning of the second constructor argument (true)
    // is not visible from here -- confirm against the Decoder class.
    $timezone = new \DateTimeZone("Europe/Dublin");
    $decoder  = new \fpoirotte\XRL\Decoder($timezone, true);

    $decoded = $decoder->decodeRequest('data://;base64,' . base64_encode($xml));
    $this->assertInstanceOf('\\fpoirotte\\XRL\\Request', $decoded);

    return $decoded;
}
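/**
 * Checks that the server-side decoder refuses an XML bomb.
 *
 * An XML bomb (exponential entity expansion) is a Denial of Service
 * vector: a small document makes the parser consume all available
 * resources on the machine. If its entities were expanded, the fixture
 * used here would need a bit less than 30 GB of memory in the XML parser,
 * which should be enough to exhaust memory on a vulnerable decoder.
 * See https://en.wikipedia.org/wiki/Billion_laughs for more information.
 *
 * Technically, the document is still well-formed, but the decoder
 * should reject internal entities to avoid this attack.
 * Only the 5 default entities may be used.
 *
 * @expectedException \fpoirotte\XRL\Faults\NotWellFormedException
 * @expectedExceptionMessage parse error. not well formed
 */
public function testServerXmlBomb()
{
    $fixture = implode(
        DIRECTORY_SEPARATOR,
        array(__DIR__, 'testdata', 'attacks', 'server', 'bomb.xml')
    );
    $content = file_get_contents($fixture);

    // Guard against a vacuous pass: if the fixture is missing or empty,
    // file_get_contents() yields false or '' and the decoder would be fed
    // an empty payload. That would presumably also be rejected as not
    // well-formed, so the test could pass without the entity check
    // ever being exercised.
    $this->assertNotEmpty(
        $content,
        'XML bomb fixture is missing or empty: ' . $fixture
    );

    $decoder = new \fpoirotte\XRL\Decoder();

    // The return value is deliberately ignored: the decoder is expected to
    // throw the fault named in the annotations before producing a request.
    $decoder->decodeRequest('data://;base64,' . base64_encode($content));
}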