package org.mule.runtime.module.xml.transformers.jaxb;

import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.mule.functional.junit4.FunctionalTestCase;
import org.mule.runtime.api.metadata.MediaType;
import org.mule.runtime.core.exception.MessagingException;
import org.mule.runtime.core.util.IOUtils;
import org.mule.tck.junit4.rule.DynamicPort;
import org.xml.sax.SAXParseException;

/* loaded from: input_file:org/mule/runtime/module/xml/transformers/jaxb/JaxbSecurityTestCase.class */
public class JaxbSecurityTestCase extends FunctionalTestCase {

    @Rule
    public DynamicPort port = new DynamicPort("port");
    protected final String xmlWithEntities = "<?xml version=\"1.0\"?>\n<!DOCTYPE order [\n<!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM 'file:%s' >\n<!ENTITY lol \"0101\" >\n]>\n<Foo><bar>&xxe; &lol;</bar></Foo>";

    protected String getConfigFile() {
        return "jaxb-transformer-security.xml";
    }

    protected String getXmlWithEntities() {
        return String.format("<?xml version=\"1.0\"?>\n<!DOCTYPE order [\n<!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM 'file:%s' >\n<!ENTITY lol \"0101\" >\n]>\n<Foo><bar>&xxe; &lol;</bar></Foo>", IOUtils.getResourceAsUrl("xxe-passwd.txt", getClass()).getPath());
    }

    @Test
    public void externalEntitiesEnabled() throws Exception {
        try {
            System.setProperty("mule.xml.expandExternalEntities", "true");
            System.setProperty("mule.xml.expandInternalEntities", "true");
            String payloadAsString = getPayloadAsString(flowRunner("testFlow").withPayload(getXmlWithEntities()).withMediaType(MediaType.APPLICATION_XML).run().getMessage());
            MatcherAssert.assertThat(payloadAsString, Matchers.containsString("secret"));
            MatcherAssert.assertThat(payloadAsString, Matchers.containsString("0101"));
            System.clearProperty("mule.xml.expandExternalEntities");
            System.clearProperty("mule.xml.expandInternalEntities");
        } catch (Throwable th) {
            System.clearProperty("mule.xml.expandExternalEntities");
            System.clearProperty("mule.xml.expandInternalEntities");
            throw th;
        }
    }

    @Test
    public void expandsEntitiesEnabled() throws Exception {
        try {
            System.setProperty("mule.xml.expandInternalEntities", "true");
            String payloadAsString = getPayloadAsString(flowRunner("testFlow").withPayload(getXmlWithEntities()).withMediaType(MediaType.APPLICATION_XML).run().getMessage());
            MatcherAssert.assertThat(payloadAsString, Matchers.not(Matchers.containsString("secret")));
            MatcherAssert.assertThat(payloadAsString, Matchers.containsString("0101"));
            System.clearProperty("mule.xml.expandInternalEntities");
        } catch (Throwable th) {
            System.clearProperty("mule.xml.expandInternalEntities");
            throw th;
        }
    }

    @Test
    public void expandsEntitiesWhenDisabled() throws Exception {
        try {
            getPayloadAsString(flowRunner("testFlow").withPayload(getXmlWithEntities()).withMediaType(MediaType.APPLICATION_XML).run().getMessage());
            Assert.fail("Should've thrown exception");
        } catch (MessagingException e) {
            MatcherAssert.assertThat(e.getCauseException(), Matchers.instanceOf(SAXParseException.class));
        }
    }
}
