mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
11 lines
356 B
Ruby
```ruby
# Phase 05 (Track J.3) — Ruby XXE vuln fixture.
#
# The function feeds attacker XML straight to `REXML::Document.new`
# without disabling entity expansion, so any `<!ENTITY xxe SYSTEM
# "file:///…">` in the payload is resolved and its body substituted
# into the parsed document.
require 'rexml/document'

def run(body)
  REXML::Document.new(body)
end
```
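A hardened counterpart to the fixture's `run`, added here as an example and not part of the nyx repository: it refuses any input that carries a DOCTYPE or entity declaration before the tree is built. `run_hardened`, `DoctypeRejected`, `FORBIDDEN_EVENTS` and the two sample documents are names and data constructed for this example.

```ruby
require 'rexml/document'
require 'rexml/parsers/baseparser'

# Raised when the input contains DTD material (hypothetical name).
class DoctypeRejected < StandardError; end

# Parser events that only occur when the document declares a DTD.
FORBIDDEN_EVENTS = %i[start_doctype entitydecl].freeze

# Constructed sample inputs, not taken from the fixture suite.
CONSTRUCTED_BENIGN = '<order><id>42</id></order>'
CONSTRUCTED_DTD = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE order [
    <!ENTITY xxe SYSTEM "file:///constructed/placeholder">
  ]>
  <order><id>&xxe;</id></order>
XML

# Walks the low-level event stream first and aborts on the first
# DTD-related event, so no entity is ever declared or substituted.
# Only input that passed the scan is handed to REXML::Document.new.
def run_hardened(body)
  scanner = REXML::Parsers::BaseParser.new(body)
  loop do
    event = scanner.pull
    break if event[0] == :end_document
    if FORBIDDEN_EVENTS.include?(event[0])
      raise DoctypeRejected, "DTD content (#{event[0]}) is not accepted"
    end
  end
  REXML::Document.new(body)
end
```

The scan parses the input twice; for services that never need a DTD this is usually an acceptable cost for failing closed.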