Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve potential NPE in SchemaResourceResolver #2296

Merged
merged 3 commits into from Aug 19, 2021
Merged

Resolve potential NPE in SchemaResourceResolver #2296

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5840d84
test: move the test from 3c95d44 to be within a test class
flavorjones Aug 18, 2021
dc61332
test: repro for #2296
flavorjones Aug 18, 2021
88911fe
Resolve potential NPE in SchemaResourceResolver
pepijnve Jul 26, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion ext/java/nokogiri/XmlSchema.java
View file
Open in desktop
Expand Up @@ -276,7 +276,7 @@ private class SchemaResourceResolver implements LSResourceResolver
String systemId,
String baseURI)
{
if (noNet && (systemId.startsWith("http://") || systemId.startsWith("ftp://"))) {
if (noNet && systemId != null && (systemId.startsWith("http://") || systemId.startsWith("ftp://"))) {
if (systemId.startsWith(XMLConstants.W3C_XML_SCHEMA_NS_URI)) {
return null; // use default resolver
}
Expand Down
26 changes: 12 additions & 14 deletions test/html4/test_node.rb
View file
Open in desktop
Expand Up @@ -187,21 +187,19 @@ def test_to_html_does_not_contain_entities
nokogiri.at("p").to_html.gsub(/ /, '')
end
end
end

def test_GH_1042
file = File.join(ASSETS_DIR, 'GH_1042.html');
html = Nokogiri::HTML(File.read(file))
table = html.xpath("//table")[1]
trs = table.xpath("tr").drop(1)

# the jruby inplementation of drop uses dup() on the IRubyObject (which
# is NOT the same dup() method on the ruby Object) which produces a
# shallow clone. a shallow of valid XMLNode triggers several
# NullPointerException on inspect() since loads of invariants
# are not set. the fix for GH1042 ensures a proper working clone.
assert_nothing_raised do
trs.inspect
def test_GH_1042
file = File.join(ASSETS_DIR, 'GH_1042.html');
html = Nokogiri::HTML(File.read(file))
table = html.xpath("//table")[1]
trs = table.xpath("tr").drop(1)

# the jruby inplementation of drop uses dup() on the IRubyObject (which
# is NOT the same dup() method on the ruby Object) which produces a
# shallow clone. a shallow of valid XMLNode triggers several
# NullPointerException on inspect() since loads of invariants
# are not set. the fix for GH1042 ensures a proper working clone.
trs.inspect # assert_nothing_raised
end
end
end
Expand Down
15 changes: 15 additions & 0 deletions test/xml/test_schema.rb
View file
Open in desktop
Expand Up @@ -214,6 +214,21 @@ def test_xsd_with_dtd
end
end

def test_xsd_import_with_no_systemid
# https://github.com/sparklemotion/nokogiri/pull/2296
xsd = <<~EOF
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns="http://www.w3.org/1998/Math/MathML"
targetNamespace="http://www.w3.org/1998/Math/MathML"
>
<xs:import/>
</xs:schema>
EOF
Nokogiri::XML::Schema(xsd) # assert_nothing_raised
end

describe "CVE-2020-26247" do
# https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
let(:schema) do
Expand Down