Added test for web content doctype check (#300)

* Added test for web content doctype check

* Update sawmill-core/src/test/java/io/logz/sawmill/utilities/DocumentBuilderProviderTest.java

Co-authored-by: DanMelman <33516253+DanMelman@users.noreply.github.com>

* Corrected name

Co-authored-by: DanMelman <33516253+DanMelman@users.noreply.github.com>

sawmill-core/src/test/java/io/logz/sawmill/utilities/DocumentBuilderProviderTest.java

@@ -8,7 +8,8 @@
 
 public class DocumentBuilderProviderTest {
 
-    private static final String XML_FILE = "/test_xml_injection.xml";
+    private static final String XML_WITH_FILE_DOCTYPE = "/test_xml_file_injection.xml";
+    private static final String XML_WITH_WEB_DOCTYPE = "/test_xml_web_injection.xml";
 
     @Test
     public void testDocumentBuilderProviderReturnsNonNullEntity() {
@@ -18,8 +19,17 @@ public void testDocumentBuilderProviderReturnsNonNullEntity() {
     }
 
     @Test
-    public void testParseXml() {
-        InputStream xmlFile = DocumentBuilderProviderTest.class.getResourceAsStream(XML_FILE);
+    public void testParseXmlWithBlockedFileDoctype() {
+        assertXmlWithForbiddenDocTypeThrowsException(XML_WITH_FILE_DOCTYPE);
+    }
+
+    @Test
+    public void testParseXmlWithBlockedWebDoctype() {
+        assertXmlWithForbiddenDocTypeThrowsException(XML_WITH_WEB_DOCTYPE);
+    }
+
+    private void assertXmlWithForbiddenDocTypeThrowsException(String xml) {
+        InputStream xmlFile = DocumentBuilderProviderTest.class.getResourceAsStream(xml);
         assertThatThrownBy(() -> new DocumentBuilderProvider().provide().parse(xmlFile))
                 .hasMessageStartingWith("DOCTYPE is disallowed");
     }

sawmill-core/src/test/resources/test_xml_web_injection.xml

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "https://repo1.maven.org/maven2/io/logz/sawmill/sawmill/2.0.18/sawmill-2.0.18.pom"> ]>
+<stockCheck><productId>&xxe;</productId></stockCheck>