handle new cases

Author: righettod

src/main/java/eu/righettod/SecurityUtils.java

@@ -1383,7 +1383,7 @@ public static UUID computeUUIDv7() {
     }
 
     /**
-     * Ensure that an XSD file does not contain any include/import instruction (prevent exposure to SSRF).
+     * Ensure that an XSD file does not contain any include/import/redefine instruction (prevent exposure to SSRF).
      *
      * @param xsdFilePath Filename of the XSD file to check.
      * @return True only if the file pass all validations.

src/test/java/eu/righettod/TestSecurityUtils.java

@@ -658,7 +658,7 @@ public void computeUUIDv7() {
 
     @Test
     public void isXSDSafe() {
-        List<String> unsafeFileList = Arrays.asList("test-xsd-with-external-schema-via-import.xsd", "test-xsd-with-external-schema-via-include.xsd");
+        List<String> unsafeFileList = Arrays.asList("test-xsd-with-external-schema-via-import.xsd", "test-xsd-with-external-schema-via-include.xsd", "test-xsd-with-external-schema-via-redefine.xsd");
         unsafeFileList.forEach(f -> {
             String testFile = getTestFilePath(f);
             assertFalse(SecurityUtils.isXSDSafe(testFile), String.format(TEMPLATE_MESSAGE_FALSE_NEGATIVE_FOR_FILE, testFile));

src/test/resources/test-xsd-with-external-schema-via-redefine.xsd

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.example.com/purchaseorder" elementFormDefault="qualified">
+    <xs:redefine schemaLocation="https://righettod.eu/test.xsd"/>
+    <xs:element name="orderId" type="xs:string"/>
+</xs:schema>