search

jensdietrich / xshady

vulnerabilities found in shaded projects
Apache License 2.0
5 stars 2 forks source link

5 CVE-2016-5394 POV fails the same way before and after vuln fixed #6

Closed wtwhite closed 1 year ago

wtwhite commented 1 year ago

The issue was that the order of the arguments to 3-argument assertEquals() changed between JUnit4 and JUnit5, and when the expected and actual arguments are strings, type checking does not catch this!

With the fix, we now get 2 "normal" test failures at org.apache.sling:org.apache.sling.xss:1.0.8:

$ cd CVE-2016-5394
$ mvn test
-- snip --
[ERROR] Failures: 
[ERROR]   XSSAPIImplTest.testEncodeForJSString:426 Encoding 'break"out' ==> expected: <break\x22out> but was: <break\"out>
[ERROR]   XSSAPIImplTest.testGetValidJSToken:459 Validating Javascript token ''literal'); junk'' ==> expected: <'literal\x27); junk'> but was: <'literal\'); junk'>
[INFO] 
[ERROR] Tests run: 2, Failures: 2, Errors: 0, Skipped: 0
-- snip --

and test success at v1.0.12, as expected.