KEYCLOAK-6773 XML vulnerability test

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java

@@ -105,6 +105,7 @@ import org.w3c.dom.NodeList;
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
 import static org.keycloak.representations.idm.CredentialRepresentation.PASSWORD;
+import static org.keycloak.testsuite.AbstractAuthTest.createUserRepresentation;
 import static org.keycloak.testsuite.admin.ApiUtil.createUserAndResetPasswordWithAdminClient;
 import static org.keycloak.testsuite.admin.Users.setPasswordFor;
 import static org.keycloak.testsuite.auth.page.AuthRealm.SAMLSERVLETDEMO;
@@ -800,6 +801,48 @@ public abstract class AbstractSAMLServletsAdapterTest extends AbstractServletsAd
         testSuccessfulAndUnauthorizedLogin(salesPostSigEmailServletPage, testRealmSAMLPostLoginPage, "principal=bburke@redhat.com");
     }
 
+    @Test
+    public void salesPostSigStaxParsingFlawEmailTest() {
+        UserRepresentation user = createUserRepresentation("bburke-additional-domain", "bburke@redhat.com.additional.domain", "Bill", "Burke", true);
+        setPasswordFor(user, PASSWORD);
+
+        String resultPage = new SamlClientBuilder()
+          .navigateTo(salesPostSigEmailServletPage.buildUri())
+          .processSamlResponse(Binding.POST).build()
+          .login().user(user).build()
+          .processSamlResponse(Binding.POST)
+            .transformString(s -> {
+                assertThat(s, org.hamcrest.Matchers.containsString(">bburke@redhat.com.additional.domain<"));
+                s = s.replaceAll("bburke@redhat.com.additional.domain", "bburke@redhat.com<!-- comment -->.additional.domain");
+                return s;
+            })
+            .build()
+          .executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
+
+        assertThat(resultPage, org.hamcrest.Matchers.containsString("principal=bburke@redhat.com.additional.domain"));
+    }
+
+    @Test
+    public void salesPostSigChangeContents() {
+        UserRepresentation user = createUserRepresentation("bburke-additional-domain", "bburke@redhat.com.additional.domain", "Bill", "Burke", true);
+        setPasswordFor(user, PASSWORD);
+
+        String resultPage = new SamlClientBuilder()
+          .navigateTo(salesPostSigEmailServletPage.buildUri())
+          .processSamlResponse(Binding.POST).build()
+          .login().user(user).build()
+          .processSamlResponse(Binding.POST)
+            .transformString(s -> {
+                assertThat(s, org.hamcrest.Matchers.containsString(">bburke@redhat.com.additional.domain<"));
+                s = s.replaceAll("bburke@redhat.com.additional.domain", "bburke@redhat.com");
+                return s;
+            })
+            .build()
+          .executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
+
+        assertThat(resultPage, org.hamcrest.Matchers.containsString("INVALID_SIGNATURE"));
+    }
+
     @Test
     public void salesPostSigPersistentTest() {
         salesPostSigPersistentServletPage.navigateTo();

testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json

@@ -36,6 +36,23 @@
                 "http://localhost:8081/employee2/": [ "employee" ]
             }
         },
+        {
+            "username" : "bburke-additional-domain",
+            "enabled": true,
+            "email" : "bburke@redhat.com.additional.domain",
+            "credentials" : [
+                { "type" : "password",
+                    "value" : "password" }
+            ],
+            "attributes" : {
+                "phone": "617"
+            },
+            "realmRoles": ["manager", "user"],
+            "applicationRoles": {
+                "http://localhost:8081/employee/": [ "employee" ],
+                "http://localhost:8081/employee2/": [ "employee" ]
+            }
+        },
         {
             "username" : "unauthorized",
             "enabled": true,