Testng: [BUG] TestNG by default disables loading DTD from unsecured Urls.

Created on 9 Oct 2020 · 10Comments · Source: cbeust/testng

TestNG Version

<dependency>
    <groupId>org.testng</groupId>
    <artifactId>testng</artifactId>
    <version>7.3.0</version>
</dependency>

Expected behavior

Throw exception after read the testng-1.0.dtd file from resource

Actual behavior

The testng-1.0.dtd file is not readable from resources

Is the issue reproductible on runner?

IntelliJ v2020.2.3 (TestNG IDE plugin ver. 202.7660.26)

Source

shaburov

👍1

Most helpful comment

Right, it looks like an unexpected "replace all" from https://github.com/cbeust/testng/commit/cf22ccfcb2a34f9b0bb4fa8cbedae5297ddd2049

juherr on 23 Oct 2020

👍2

All 10 comments

I think you just need add a VM arguments '-Dtestng.dtd.http=true', or use HTTPS resources. Currently, TestNG need HTTPS as default in suite files.

kobebryant2007 on 10 Oct 2020

@kobebryant2007 There is an obvious bug in the code.

I do not want to add an argument and I do not want the file testng-1.0.dtd to be taken over the network.
If you add a flag, then based on the code, it makes no sense for me to put the file in the resources.

@juherr Pay attention please.

shaburov on 11 Oct 2020

@shaburov -

I do not want to add an argument and I do not want the file testng-1.0.dtd to be taken over the network.

Based on my understanding the reason that TestNG looks for the DTD from the network is to ensure that it retrieves the latest/proper DTD. TestNG will try to retrieve the DTD from the TestNG website ONLY over the https protocol and if its not found, you are going to be seeing that error. The only way to disable that is to use that JVM argument that @kobebryant2007 suggested.

If you add a flag, then based on the code, it makes no sense for me to put the file in the resources.

Can you help me understand what the reason behind this expectation that TestNG is to be reading a file from your local resources ? If its mentioned that way in some place, please point me to the relevant documentation. All said and done, if there are network glitches, then TestNG by default aborts currently. That has been sorted out as part of the PR https://github.com/cbeust/testng/pull/2386 which will fall back to the DTD embedded within the TestNG jar. I am guessing that once the PR gets merged, then you can end up making your testng dtd file in your CLASSPATH which can be fetched as a resource.

krmahadevan on 11 Oct 2020

@shaburov What are you trying to do?

The TestNG jar is already including the DTD and it is the one which is supposed to be used.

juherr on 11 Oct 2020

@juherr Look at the code that I attached to the screenshot and realize that this is not the case.
An exception will be thrown before the file is read from the resources.

shaburov on 12 Oct 2020

I believe the issue is either that IntelliJ is not using HTTPS:

Or that the non-HTTPS URL is not in the URLS list (note that TESTNG_DTD_URL and HTTPS_TESTNG_DTD_URL are exactly the same).

algotastic on 20 Oct 2020

👍2

@algotastic the second, I believe.

@shaburov is right, this is a bug:
https://github.com/cbeust/testng/blob/7.3.0/src/main/java/org/testng/xml/Parser.java#L33
It should be public static final String TESTNG_DTD_URL = "http://testng.org/" + TESTNG_DTD;

And this https://github.com/cbeust/testng/blob/7.3.0/src/main/java/org/testng/xml/Parser.java#L28
should be public static final String OLD_TESTNG_DTD_URL = "http://beust.com/testng/" + TESTNG_DTD;