/* * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package javax.xml.parsers; import java.io.File; import java.io.InputStream; import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.SAXParser; import javax.xml.parsers.SAXParserFactory; import org.testng.Assert; import org.testng.annotations.Test; import org.w3c.dom.Document; import org.xml.sax.SAXParseException; /* * @bug 6309988 * @summary Test elementAttributeLimit, maxOccurLimit, entityExpansionLimit. */ public class Bug6309988 { DocumentBuilderFactory dbf = null; static boolean _isSecureMode = false; static { if (System.getSecurityManager() != null) { _isSecureMode = true; System.out.println("Security Manager is present"); } else { System.out.println("Security Manager is NOT present"); } } /* * Given XML document has more than 10000 attributes. Exception is expected */ @Test public void testDOMParserElementAttributeLimit() { try { dbf = DocumentBuilderFactory.newInstance(); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest.xml")); Assert.fail("SAXParserException is expected, as given XML document contains more than 10000 attributes"); } catch (SAXParseException e) { System.out.println(e.getMessage()); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } } /* * Given XML document has more than 10000 attributes. It should report an * error. */ @Test public void testDOMNSParserElementAttributeLimit() { try { dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest.xml")); Assert.fail("SAXParserException is expected, as given XML document contains more than 10000 attributes"); } catch (SAXParseException e) { System.out.println(e.getMessage()); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } } /* * Given XML document has more than 10000 attributes. Parsing this XML * document in non-secure mode, should not report any error. */ @Test public void testDOMNSParserElementAttributeLimitWithoutSecureProcessing() { if (_isSecureMode) return; // jaxp secure feature can not be turned off when security // manager is present try { dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); dbf.setNamespaceAware(true); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest.xml")); } catch (SAXParseException e) { Assert.fail(e.getMessage()); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } } /* * Before 8014530: Given XML document has 3 attributes and System property * is set to 2. Parsing this XML document in non-secure mode, should not * report an error. * After 8014530: System properties will override FSP, the result of this * test should be the same as * testSystemElementAttributeLimitWithSecureProcessing */ @Test public void testSystemElementAttributeLimitWithoutSecureProcessing() { if (_isSecureMode) return; // jaxp secure feature can not be turned off when security // manager is present try { dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); dbf.setNamespaceAware(true); System.setProperty("elementAttributeLimit", "2"); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest3.xml")); Assert.fail("SAXParserException is expected, as given XML document contains more than 2 attributes"); } catch (Exception e) { String errMsg = e.getMessage(); Throwable cause = e.getCause(); if (cause != null) { errMsg += cause.getMessage(); } if (errMsg.contains("JAXP0001")) { // expected } else { Assert.fail("Unexpected error: " + e.getMessage()); } } finally { System.clearProperty("elementAttributeLimit"); } } /* * Given XML document has 3 attributes and System property is set to 2. * Parsing this XML document in secure mode, should report an error. */ @Test public void testSystemElementAttributeLimitWithSecureProcessing() { try { dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); System.setProperty("elementAttributeLimit", "2"); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest3.xml")); Assert.fail("SAXParserException is expected, as given XML document contains more than 2 attributes"); } catch (SAXParseException e) { System.out.println(e.getMessage()); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } finally { System.setProperty("elementAttributeLimit", ""); } } /* * Default value for secure processing feature should be true. */ @Test public void testDOMSecureProcessingDefaultValue() { try { dbf = DocumentBuilderFactory.newInstance(); Assert.assertTrue(dbf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING), "Default value for secureProcessing feature should be true"); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } } /* * Default value for secure processing feature should be true. */ @Test public void testSAXSecureProcessingDefaultValue() { try { SAXParserFactory spf = SAXParserFactory.newInstance(); Assert.assertTrue(spf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING), "Default value for secureProcessing feature should be true"); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } } /* * This method sets system property for maxOccurLimit=2 and secure process * feature is off. Given doument contains more than 2 elements and hence an * error should be reported. */ @Test public void testSystemMaxOccurLimitWithoutSecureProcessing() { if (_isSecureMode) return; // jaxp secure feature can not be turned off when security // manager is present try { SAXParserFactory spf = SAXParserFactory.newInstance(); spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); spf.setValidating(true); System.setProperty("maxOccurLimit", "2"); // Set the properties for Schema Validation String SCHEMA_LANG = "http://java.sun.com/xml/jaxp/properties/schemaLanguage"; String SCHEMA_TYPE = "http://www.w3.org/2001/XMLSchema"; // Get the Schema location as a File object File schemaFile = new File(this.getClass().getResource("toys.xsd").toURI()); // Get the parser SAXParser parser = spf.newSAXParser(); parser.setProperty(SCHEMA_LANG, SCHEMA_TYPE); parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaSource", schemaFile); InputStream is = this.getClass().getResourceAsStream("toys.xml"); MyErrorHandler eh = new MyErrorHandler(); parser.parse(is, eh); Assert.assertFalse(eh.errorOccured, "Not Expected Error"); System.setProperty("maxOccurLimit", ""); } catch (Exception e) { Assert.fail("Exception occured: " + e.getMessage()); } } /* * This test will take longer time to execute( abt 120sec). This method * tries to validate a document. This document contains an element whose * maxOccur is '3002'. Since secure processing feature is off, document * should be parsed without any errors. */ @Test public void testValidMaxOccurLimitWithOutSecureProcessing() { if (_isSecureMode) return; // jaxp secure feature can not be turned off when security // manager is present try { SAXParserFactory spf = SAXParserFactory.newInstance(); spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); spf.setValidating(true); // Set the properties for Schema Validation String SCHEMA_LANG = "http://java.sun.com/xml/jaxp/properties/schemaLanguage"; String SCHEMA_TYPE = "http://www.w3.org/2001/XMLSchema"; // Get the Schema location as a File object File schemaFile = new File(this.getClass().getResource("toys3002.xsd").toURI()); // Get the parser SAXParser parser = spf.newSAXParser(); parser.setProperty(SCHEMA_LANG, SCHEMA_TYPE); parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaSource", schemaFile); InputStream is = this.getClass().getResourceAsStream("toys.xml"); MyErrorHandler eh = new MyErrorHandler(); parser.parse(is, eh); Assert.assertFalse(eh.errorOccured, "Expected Error as maxOccurLimit is exceeded"); } catch (Exception e) { Assert.fail("Exception occured: " + e.getMessage()); } } /* * Before 8014530: System property is set to 2. Given XML document has more * than 2 entity references. Parsing this document in non-secure mode, * should *not* report an error. * After 8014530: System properties will override FSP, the result of this * test should be the same as * testSystemElementAttributeLimitWithSecureProcessing */ @Test public void testSystemEntityExpansionLimitWithOutSecureProcessing() { if (_isSecureMode) return; // jaxp secure feature can not be turned off when security // manager is present try { System.setProperty("entityExpansionLimit", "2"); dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); dbf.setValidating(true); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("entity.xml")); Assert.fail("SAXParserException is expected, as given XML document contains more 2 entity references"); } catch (Exception e) { String errMsg = e.getMessage(); Throwable cause = e.getCause(); if (cause != null) { errMsg += cause.getMessage(); } if (errMsg.contains("JAXP0001")) { // expected } else { Assert.fail("Unexpected error: " + e.getMessage()); } } finally { System.clearProperty("entityExpansionLimit"); } } /* * System property is set to 2. Given XML document has more than 2 entity * references. Parsing this document in secure mode, should report an error. */ @Test public void testSystemEntityExpansionLimitWithSecureProcessing() { try { dbf = DocumentBuilderFactory.newInstance(); dbf.setValidating(true); System.setProperty("entityExpansionLimit", "2"); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("entity.xml")); Assert.fail("SAXParserException is expected, as given XML document contains more 2 entity references"); } catch (SAXParseException e) { System.out.println(e.getMessage()); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } finally { System.setProperty("entityExpansionLimit", ""); } } /* * Given XML document has more than 64000 entity references. Parsing this * document in secure mode, should report an error. */ @Test public void testEntityExpansionLimitWithSecureProcessing() { try { dbf = DocumentBuilderFactory.newInstance(); dbf.setValidating(true); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("entity64K.xml")); Assert.fail("SAXParserException is expected, as given XML document contains more 2 entity references"); } catch (SAXParseException e) { System.out.println(e.getMessage()); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } finally { System.setProperty("entityExpansionLimit", ""); } } /* * Given XML document has more than 64000 entity references. Parsing this * document in non-secure mode, should not report any error. */ @Test public void testEntityExpansionLimitWithOutSecureProcessing() { if (_isSecureMode) return; // jaxp secure feature can not be turned off when security // manager is present try { dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); dbf.setValidating(true); DocumentBuilder parser = dbf.newDocumentBuilder(); Document doc = parser.parse(this.getClass().getResourceAsStream("entity64K.xml")); } catch (SAXParseException e) { Assert.fail("Exception " + e.getMessage()); } catch (Exception e) { Assert.fail("Exception " + e.getMessage()); } finally { System.setProperty("entityExpansionLimit", ""); } } }