[시큐어코딩] XML 인젝션 테스트
public String readXML(String name) {
StringBuffer buffer=new StringBuffer();
try {
InputStream is =
this.getClass().getClassLoader().getResourceAsStream("config/address.xml");
DocumentBuilderFactory builderFactory =
DocumentBuilderFactory.newInstance();
DocumentBuilder builder = builderFactory.newDocumentBuilder();
Document xmlDocument = builder.parse(is);
XPath xPath = XPathFactory.newInstance().newXPath();
System.out.println("ccard 출력");
String expression = "/addresses/address[@name='"+name+"']/ccard";
System.out.println("expression: "+expression);
String ccard = xPath.compile(expression).evaluate(xmlDocument);
System.out.println("ccard: "+ccard);
buffer.append("CCARD: "+ccard);
// System.out.println("*************************");
// expression = "/addresses/address/name";
// System.out.println(expression);
// NodeList nodeList = (NodeList) xPath.compile(expression).evaluate(xmlDocument, XPathConstants.NODESET);
// for (int i = 0; i < nodeList.getLength(); i++) {
// System.out.println(nodeList.item(i).getFirstChild().getNodeValue());
// }
//
// System.out.println("*************************");
// expression = "/addresses/address[@type='admin']/name";
// System.out.println(expression);
// nodeList = (NodeList) xPath.compile(expression).evaluate(xmlDocument, XPathConstants.NODESET);
// for (int i = 0; i < nodeList.getLength(); i++) {
// System.out.println(nodeList.item(i).getFirstChild().getNodeValue());
// }
//
// System.out.println("*************************");
// expression = "/addresses/address[@name='"+name+"']";
// System.out.println(expression);
// Node node = (Node) xPath.compile(expression).evaluate(xmlDocument, XPathConstants.NODE);
// if(null != node) {
// NodeList nodeList = node.getChildNodes();
// for (int i = 0;null!=nodeList && i < nodeList.getLength(); i++) {
// Node nod = nodeList.item(i);
// if(nod.getNodeType() == Node.ELEMENT_NODE)
// Sys tem.out.println(nodeList.item(i).getNodeName() + " : " + nod.getFirstChild().getNodeValue());
// }
// }
//
// System.out.println("*************************");
//
//
// System.out.println("*************************");
// expression = "/addresses/address[1]/name";
// System.out.println(expression);
// nodeList = (NodeList) xPath.compile(expression).evaluate(xmlDocument, XPathConstants.NODESET);
// for (int i = 0; i < nodeList.getLength(); i++) {
// System.out.println(nodeList.item(i).getFirstChild().getNodeValue());
// }
// System.out.println("*************************");
// expression = "/addresses/address[position() <= 1]/name";
// System.out.println(expression);
// nodeList = (NodeList) xPath.compile(expression).evaluate(xmlDocument, XPathConstants.NODESET);
// for (int i = 0; i < nodeList.getLength(); i++) {
// System.out.println(nodeList.item(i).getFirstChild().getNodeValue());
// }
//
// System.out.println("*************************");
// expression = "/addresses/address[last()]/name";
// System.out.println(expression);
// nodeList = (NodeList) xPath.compile(expression).evaluate(xmlDocument, XPathConstants.NODESET);
// for (int i = 0; i < nodeList.getLength(); i++) {
// System.out.println(nodeList.item(i).getFirstChild().getNodeValue());
// }
//
// System.out.println("*************************");
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (SAXException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (ParserConfigurationException e) {
e.printStackTrace();
} catch (XPathExpressionException e) {
e.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
}finally {
return buffer.toString();
}
}