package org.geoserver.wfs;

import java.io.File;
import java.util.List;
import org.apache.commons.io.FileUtils;
import org.custommonkey.xmlunit.XMLUnit;
import org.geoserver.config.GeoServerInfo;
import org.geoserver.data.test.MockData;
import org.geoserver.test.GeoServerSystemTestSupport;
import org.geoserver.util.AllowListEntityResolver;
import org.geoserver.util.EntityResolverProvider;
import org.geoserver.wfs.kvp.Filter_1_1_0_KvpParser;
import org.geotools.api.filter.Id;
import org.geotools.api.filter.spatial.Intersects;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/geoserver/wfs/ExternalEntitiesTest.class */
public class ExternalEntitiesTest extends WFSTestSupport {
    private static final String FILTER = "<Filter xmlns=\"http://www.opengis.net/ogc\">\n  <FeatureId fid=\"states.1\"/>\n</Filter>";
    private static final String FILTER_OGC_NAMESPACE = "<ogc:Filter xmlns:ogc=\"http://www.opengis.net/ogc\" xmlns:gml=\"http://www.opengis.net/gml\"><ogc:Intersects><ogc:PropertyName>the_geom</ogc:PropertyName><gml:Polygon><gml:exterior><gml:LinearRing><gml:posList>-112 46 -109 46 -109 47 -112 47 -112 46</gml:posList></gml:LinearRing></gml:exterior></gml:Polygon></ogc:Intersects></ogc:Filter>";
    private static final String FILTER_OGC_SCHEMA_LOCATION = "<Filter xmlns=\"http://www.opengis.net/ogc\"\n      xsi:schemaLocation=\"http://www.opengis.net/ogc http://schemas.opengis.net/filter/1.1.0/filter.xsd\">\n  <FeatureId fid=\"states.1\"/>\n</Filter>";
    private static final String FILTER_RESTRICTED_SCHEMA_SCHEMA_LOCATION = "<Filter xmlns=\"http://invalid/schema\"\n      xsi:schemaLocation=\"http://invalid/schema http://schemas.opengis.net/filter/1.1.0/filter.xsd\">\n  <FeatureId fid=\"states.1\"/>\n</Filter>";
    private static final String FILTER_RESTRICTED_NAMESPACE = "<Filter xmlns=\"http://invalid/schema\"\n      xsi:schemaLocation=\"http://invalid/schema http://schemas.opengis.net/filter/1.1.0/filter.xsd\">\n  <FeatureId fid=\"states.1\"/>\n</Filter>";
    private static final String WFS_1_0_0_REQUEST = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!DOCTYPE wfs:GetFeature [\r\n<!ENTITY c SYSTEM \"FILE:///this/file/does/not/exist?.XSD\">\r\n]>\r\n<wfs:GetFeature service=\"WFS\" version=\"1.0.0\" \r\n  outputFormat=\"GML2\"\r\n  xmlns:cdf=\"http://www.opengis.net/cite/data\"\r\n  xmlns:wfs=\"http://www.opengis.net/wfs\"\r\n  xmlns:ogc=\"http://www.opengis.net/ogc\"\r\n  xmlns:gml=\"http://www.opengis.net/gml\"\r\n  xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\n  xsi:schemaLocation=\"http://www.opengis.net/wfs\r\n                      http://schemas.opengis.net/wfs/1.0.0/WFS-basic.xsd\">\r\n  <wfs:Query typeName=\"cdf:Fifteen\" handle=\"test\">\r\n        <ogc:Literal>&c;</ogc:Literal>\r\n    <ogc:Filter>\r\n      <ogc:BBOX>\r\n        <ogc:PropertyName>the_geom</ogc:PropertyName>\r\n        <gml:Box srsName=\"http://www.opengis.net/gml/srs/epsg.xml#4326\">\r\n           <gml:coordinates>-75.102613,40.212597 -72.361859,41.512517</gml:coordinates>\r\n        </gml:Box>\r\n      </ogc:BBOX>\r\n   </ogc:Filter>\r\n  </wfs:Query>\r\n</wfs:GetFeature>";
    private static final String WFS_1_1_0_REQUEST = "<!DOCTYPE wfs:GetFeature [\r\n<!ELEMENT wfs:GetFeature (wfs:Query*)>\r\n<!ATTLIST wfs:GetFeature\r\n                service CDATA #FIXED \"WFS\"\r\n                version CDATA #FIXED \"1.1.0\"\r\n        xmlns:wfs CDATA #FIXED \"http://www.opengis.net/wfs\"\r\n                xmlns:ogc CDATA #FIXED \"http://www.opengis.net/ogc\">\r\n<!ELEMENT wfs:Query (wfs:PropertyName*,ogc:Filter?)>\r\n<!ATTLIST wfs:Query typeName CDATA #FIXED \"cdf:Fifteen\">\r\n<!ELEMENT wfs:PropertyName (#PCDATA) >\r\n<!ELEMENT ogc:Filter (ogc:FeatureId*)>\r\n<!ELEMENT ogc:FeatureId EMPTY>\r\n<!ATTLIST ogc:FeatureId fid CDATA #FIXED \"states.3\">\r\n\r\n<!ENTITY passwd  SYSTEM \"FILE:///this/file/does/not/exist?.XSD\">]>\r\n<wfs:GetFeature service=\"WFS\" version=\"1.1.0\" \r\n  xmlns:wfs=\"http://www.opengis.net/wfs\"\r\n  xmlns:ogc=\"http://www.opengis.net/ogc\">\r\n  <wfs:Query typeName=\"cdf:Fifteen\">\r\n    <wfs:PropertyName>&passwd;</wfs:PropertyName>\r\n        <ogc:Filter>\r\n       <ogc:FeatureId fid=\"states.3\"/>\r\n    </ogc:Filter>\r\n  </wfs:Query>\r\n</wfs:GetFeature>";
    private static final String WFS_2_0_0_REQUEST = "<?xml version=\"1.0\" ?>\r\n<!DOCTYPE wfs:GetFeature [\r\n<!ELEMENT wfs:GetFeature (wfs:Query*)>\r\n<!ATTLIST wfs:GetFeature\r\n                service   CDATA #FIXED \"WFS\"\r\n                version   CDATA #FIXED \"2.0.0\"\r\n                outputFormat CDATA #FIXED \"application/gml+xml; version=3.2\"\r\n        xmlns:wfs CDATA #FIXED \"http://www.opengis.net/wfs\"\r\n                xmlns:ogc CDATA #FIXED \"http://www.opengis.net/ogc\"\r\n                xmlns:fes CDATA #FIXED \"http://www.opengis.net/fes/2.0\">\r\n<!ELEMENT wfs:Query (wfs:PropertyName*,ogc:Filter?)>\r\n<!ATTLIST wfs:Query typeName CDATA #FIXED \"cdf:Fifteen\">\r\n<!ELEMENT wfs:PropertyName (#PCDATA) >\r\n<!ELEMENT ogc:Filter (fes:ResourceId*)>\r\n<!ELEMENT fes:ResourceId EMPTY>\r\n<!ATTLIST fes:ResourceId rid CDATA #FIXED \"states.3\">\r\n\r\n<!ENTITY passwd  SYSTEM \"FILE:///thisfiledoesnotexist?.XSD\">\r\n]>\r\n<wfs:GetFeature service=\"WFS\" version=\"2.0.0\" outputFormat=\"application/gml+xml; version=3.2\"\r\n        xmlns:wfs=\"http://www.opengis.net/wfs/2.0\"\r\n        xmlns:fes=\"http://www.opengis.net/fes/2.0\">\r\n        <wfs:Query typeName=\"cdf:Fifteen\">\r\n                <wfs:PropertyName>&passwd;</wfs:PropertyName>\r\n                <fes:Filter>\r\n                        <fes:ResourceId rid=\"states.3\"/>\r\n                </fes:Filter>\r\n        </wfs:Query>\r\n</wfs:GetFeature>";

    @Test
    public void testAllowListFilter() throws Exception {
        GeoServerInfo global = getGeoServer().getGlobal();
        try {
            EntityResolverProvider.setEntityResolver(new AllowListEntityResolver(getGeoServer(), "http://localhost:8080/"));
            Filter_1_1_0_KvpParser filter_1_1_0_KvpParser = new Filter_1_1_0_KvpParser(getGeoServer());
            List list = (List) filter_1_1_0_KvpParser.parse(FILTER);
            Assert.assertEquals("parsed id filter", 1L, list.size());
            Assert.assertTrue("parsed id filter", ((Id) list.get(0)).getIDs().contains("states.1"));
            List list2 = (List) filter_1_1_0_KvpParser.parse(FILTER_OGC_NAMESPACE);
            Assert.assertEquals("parsed intsersect filter", 1L, list2.size());
            Assert.assertEquals("parsed intsersect filter", "the_geom", ((Intersects) list2.get(0)).getExpression1().getPropertyName());
            List list3 = (List) filter_1_1_0_KvpParser.parse(FILTER_OGC_SCHEMA_LOCATION);
            Assert.assertEquals("parsed ogc filter", 1L, list3.size());
            Assert.assertTrue("parsed ogc filter", ((Id) list3.get(0)).getIDs().contains("states.1"));
            List list4 = (List) filter_1_1_0_KvpParser.parse("<Filter xmlns=\"http://invalid/schema\"\n      xsi:schemaLocation=\"http://invalid/schema http://schemas.opengis.net/filter/1.1.0/filter.xsd\">\n  <FeatureId fid=\"states.1\"/>\n</Filter>");
            Assert.assertEquals("parsed restricted filter", 1L, list4.size());
            Assert.assertTrue("parsed restricted filter", ((Id) list4.get(0)).getIDs().contains("states.1"));
            List list5 = (List) filter_1_1_0_KvpParser.parse("<Filter xmlns=\"http://invalid/schema\"\n      xsi:schemaLocation=\"http://invalid/schema http://schemas.opengis.net/filter/1.1.0/filter.xsd\">\n  <FeatureId fid=\"states.1\"/>\n</Filter>");
            Assert.assertEquals("parsed restricted namespace filter", 1L, list5.size());
            Assert.assertTrue("parsed restricted namespace filter", ((Id) list5.get(0)).getIDs().contains("states.1"));
            Assert.assertTrue(((List) filter_1_1_0_KvpParser.parse("<dmt xmlns=\"http://a.b/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://a.b/ http://localhost:8080/dmt.xsd\">dmt</dmt>")).isEmpty());
            EntityResolverProvider.setEntityResolver(new AllowListEntityResolver(getGeoServer()));
            Assert.assertTrue(((List) filter_1_1_0_KvpParser.parse("<dmt xmlns=\"http://a.b/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://a.b/ http://localhost:8080/dmt.xsd\">dmt</dmt>")).isEmpty());
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
            EntityResolverProvider.setEntityResolver(GeoServerSystemTestSupport.RESOLVE_DISABLED_PROVIDER_DEVMODE);
        } catch (Throwable th) {
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
            EntityResolverProvider.setEntityResolver(GeoServerSystemTestSupport.RESOLVE_DISABLED_PROVIDER_DEVMODE);
            throw th;
        }
    }

    @Test
    public void testWfs1_0() throws Exception {
        GeoServerInfo global = getGeoServer().getGlobal();
        try {
            global.setXmlExternalEntitiesEnabled(true);
            getGeoServer().save(global);
            Assert.assertTrue(string(post("wfs", WFS_1_0_0_REQUEST)).indexOf("java.io.FileNotFoundException") > -1);
            global.setXmlExternalEntitiesEnabled(false);
            getGeoServer().save(global);
            Assert.assertTrue(string(post("wfs", WFS_1_0_0_REQUEST)).indexOf("Entity resolution disallowed") > -1);
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
            Assert.assertTrue(string(post("wfs", WFS_1_0_0_REQUEST)).indexOf("Entity resolution disallowed") > -1);
        } finally {
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
        }
    }

    @Test
    public void testWfs1_1() throws Exception {
        GeoServerInfo global = getGeoServer().getGlobal();
        try {
            global.setXmlExternalEntitiesEnabled(true);
            getGeoServer().save(global);
            Assert.assertTrue(string(post("wfs", WFS_1_1_0_REQUEST)).indexOf("java.io.FileNotFoundException") > -1);
            global.setXmlExternalEntitiesEnabled(false);
            getGeoServer().save(global);
            Assert.assertTrue(string(post("wfs", WFS_1_1_0_REQUEST)).indexOf("Entity resolution disallowed") > -1);
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
            Assert.assertTrue(string(post("wfs", WFS_1_1_0_REQUEST)).indexOf("Entity resolution disallowed") > -1);
        } finally {
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
        }
    }

    @Test
    public void testWfs2_0() throws Exception {
        GeoServerInfo global = getGeoServer().getGlobal();
        try {
            global.setXmlExternalEntitiesEnabled(true);
            getGeoServer().save(global);
            Assert.assertTrue(string(post("wfs", WFS_2_0_0_REQUEST)).indexOf("thisfiledoesnotexist") > -1);
            global.setXmlExternalEntitiesEnabled(false);
            getGeoServer().save(global);
            String string = string(post("wfs", WFS_2_0_0_REQUEST));
            Assert.assertTrue(string.indexOf("Request parsing failed") > -1);
            Assert.assertTrue(string.contains("Entity resolution disallowed for "));
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
            String string2 = string(post("wfs", WFS_2_0_0_REQUEST));
            Assert.assertTrue(string2.indexOf("Request parsing failed") > -1);
            Assert.assertTrue(string2.contains("Entity resolution disallowed for "));
        } finally {
            global.setXmlExternalEntitiesEnabled((Boolean) null);
            getGeoServer().save(global);
        }
    }

    @Test
    public void testKvpEntityExpansion() throws Exception {
        File file = new File("./target/message.txt");
        FileUtils.writeStringToFile(file, "broken!", "UTF-8");
        Assert.assertTrue(XMLUnit.newXpathEngine().evaluate("//ogc:ServiceException", getAsDOM("wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=" + getLayerId(MockData.FIFTEEN) + "&FILTER=" + ("%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22ISO-8859-1%22%3F%3E%20%3C!DOCTYPE%20foo%20%5B%20%3C!ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F" + file.getCanonicalPath().replace('\\', '/').replace("/", "%2F") + "%22%20%3E%5D%3E%3CFilter%20%3E%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3E%26xxe%3B%3C%2FPropertyName%3E%3CLiteral%3EUtrecht%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3C%2FFilter%3E"))).contains("Entity resolution disallowed for "));
    }
}
