LDEV-4348 add xmlFeatures to getApplicationSettings

https://luceeserver.atlassian.net/browse/LDEV-4348
lucee · Jul 21, 2023 · 3a3c1b9 · 3a3c1b9
1 parent 56e6bfc
commit 3a3c1b9
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 0 deletions.
diff --git a/core/src/main/java/lucee/runtime/functions/system/GetApplicationSettings.java b/core/src/main/java/lucee/runtime/functions/system/GetApplicationSettings.java
@@ -89,6 +89,15 @@ public static Struct call(PageContext pc, boolean suppressFunctions) throws Page
 		sct.setEL("clientManagement", Caster.toBoolean(ac.isSetClientManagement()));
 		sct.setEL("clientStorage", ac.getClientstorage());
 		sct.setEL("sessionStorage", ac.getSessionstorage());
+
+		Struct xmlFeatures = acs.getXmlFeatures();
+		if (xmlFeatures == null) xmlFeatures = new StructImpl();
+		Struct sxml = new StructImpl(Struct.TYPE_LINKED);
+		sxml.setEL("secure", Caster.toBoolean(xmlFeatures.get("secure", true)));
+		sxml.setEL("disallowDoctypeDecl", Caster.toBoolean(xmlFeatures.get("disallowDoctypeDecl", true)));
+		sxml.setEL("externalGeneralEntities", Caster.toBoolean(xmlFeatures.get("externalGeneralEntities", false)));
+		sct.setEL("xmlFeatures", sxml);
+
 		sct.setEL("customTagPaths", toArray(ac.getCustomTagMappings()));
 		sct.setEL("componentPaths", toArray(ac.getComponentMappings()));
 		sct.setEL("loginStorage", AppListenerUtil.translateLoginStorage(ac.getLoginStorage()));

diff --git a/test/tickets/LDEV4348.cfc b/test/tickets/LDEV4348.cfc
@@ -0,0 +1,56 @@
+component extends = "org.lucee.cfml.test.LuceeTestCase" labels="xml" {
+	function beforeAll(){
+		variables.uri = createURI("LDEV4348");
+	}	
+
+	function run( testresults , testbox ) {
+
+		describe( "check combined xmlFeatures getApplicationSettings", function () {
+
+			it( title="Check xmlFeatures default",body = function ( currentSpec ) {
+				local.result = _InternalRequest(
+					template : "#uri#/LDEV4348.cfm",
+					forms :	{
+						scene: "default"
+					}
+				).filecontent.deserializeJson();
+				expect( result.secure ).toBeTrue();
+				expect( result.disallowDoctypeDecl  ).toBeTrue();
+				expect( result.externalGeneralEntities ).toBeFalse();
+			});
+
+			it( title="Check xmlFeatures all secure",body = function ( currentSpec ) {
+				local.result = _InternalRequest(
+					template : "#uri#/LDEV4348.cfm",
+					forms :	{
+						scene: "all-secure"
+					}
+				).filecontent.deserializeJson();
+				expect( result.secure ).toBeTrue();
+				expect( result.disallowDoctypeDecl  ).toBeTrue();
+				expect( result.externalGeneralEntities ).toBeFalse();
+			});
+
+			it( title="Check xmlFeatures all insecure, bad xml",body = function ( currentSpec ) {
+				local.result = _InternalRequest(
+					template : "#uri#/LDEV4348.cfm",
+					forms :	{
+						scene: "all-insecure"
+					}
+				).filecontent.deserializeJson();
+				expect( result.secure ).toBeFalse();
+				expect( result.disallowDoctypeDecl  ).toBeFalse();
+				expect( result.externalGeneralEntities ).toBeTrue();
+			});
+
+		});
+
+	}
+
+	private string function createURI(string calledName){
+		var baseURI="/test/#listLast(getDirectoryFromPath(getCurrenttemplatepath()),"\/")#/";
+		return baseURI&""&calledName;
+	}
+}
+
+
diff --git a/test/tickets/LDEV4348/Application.cfc b/test/tickets/LDEV4348/Application.cfc
@@ -0,0 +1,26 @@
+component {
+	this.name="LDEV4348";
+	param name="FORM.Scene";
+
+	switch (FORM.Scene){
+		case "all-secure":
+			this.xmlFeatures = {
+				"externalGeneralEntities": false,
+				"secure": true,
+				"disallowDoctypeDecl": true
+			};
+			break;
+		case "all-insecure":
+			this.xmlFeatures = {
+				"externalGeneralEntities": true,
+				"secure": false,
+				"disallowDoctypeDecl": false
+			};
+			break;
+		case "default":
+			break;
+		default:
+			throw "unknown scene: #form.scene#";
+			break;
+	}
+}
diff --git a/test/tickets/LDEV4348/LDEV4348.cfm b/test/tickets/LDEV4348/LDEV4348.cfm
@@ -0,0 +1,4 @@
+<cfscript>
+	settings = getApplicationSettings();
+	echo( settings.xmlFeatures.toJson() );
+</cfscript>