1 /*
   2  * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 package transform;
  25 
import java.io.FilePermission;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import jaxp.library.JAXPTestUtilities;

import org.testng.Assert;
import org.testng.annotations.Test;
  42 
  43 /*
  44  * @summary Test XSLT shall report TransformerException for unsafe xsl when FEATURE_SECURE_PROCESSING is true.
  45  */
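@Test(singleThreaded = true)
public class SecureProcessingTest {
    /** Stylesheet the summary describes as unsafe; loaded from the class path next to this test. */
    private static final String XSL_RESOURCE = "SecureProcessingTest.xsl";
    /** Input document that the stylesheet is applied to. */
    private static final String XML_RESOURCE = "SecureProcessingTest.xml";

    /**
     * Runs the checks with a security manager installed, granting read access to the test
     * source tree so the stylesheet and document can be loaded under the policy.
     *
     * @throws Exception propagated from {@link JAXPTestUtilities#tryRunWithPolicyManager}
     */
    public void runWithSecurityManager() throws Exception {
        JAXPTestUtilities.tryRunWithPolicyManager(() -> testSecureProcessing(),
                new FilePermission(System.getProperty("test.src") + "/-", "read"));
    }

    /**
     * Runs the checks in the default environment (no security manager).
     *
     * @throws Exception propagated from the checks
     */
    public void runWithoutSecurityManager() throws Exception {
        testSecureProcessing();
    }

    /**
     * Transforms the test document twice with the same stylesheet: first with
     * FEATURE_SECURE_PROCESSING off, expecting success (skipped under a security manager,
     * where the feature cannot be disabled), then with it on, expecting the transformation
     * to be rejected with a {@link TransformerException}.
     */
    private void testSecureProcessing() {
        boolean isSecureMode = System.getSecurityManager() != null;

        // SECURE_PROCESSING == false: the stylesheet must run to completion.
        if (!isSecureMode) { // jaxp secure feature can not be turned off when
                             // security manager is present
            try {
                String xmlResult = transform(false);
                System.out.println("Transformation result (SECURE_PROCESSING == false) = \"" + xmlResult + "\"");
            } catch (TransformerException ex) {
                // TransformerConfigurationException is a subclass, so one catch covers
                // both the factory/newTransformer phase and the transform phase.
                Assert.fail(ex.toString(), ex);
            }
        }

        // SECURE_PROCESSING == true: the same stylesheet must now be rejected.
        try {
            String xmlResult = transform(true);
            // unexpected success
            System.err.println("Transformation result (SECURE_PROCESSING == true) = \"" + xmlResult + "\"");
            Assert.fail("SECURITY_PROCESSING == true, expected failure but got result: \"" + xmlResult + "\"");
        } catch (TransformerConfigurationException ex) {
            // Must precede the TransformerException catch: a configuration failure is not
            // the rejection this test is looking for, so it counts as a test failure.
            Assert.fail(ex.toString(), ex);
        } catch (TransformerException ex) {
            // expected failure
            System.out.println("expected failure: " + ex.toString());
            ex.printStackTrace(System.out);
        }
    }

    /**
     * Builds a Transformer with FEATURE_SECURE_PROCESSING set as requested and applies the
     * test stylesheet to the test document. Both resource streams are closed on every exit.
     *
     * @param secureProcessing value passed for {@link XMLConstants#FEATURE_SECURE_PROCESSING}
     * @return the transformation output
     * @throws TransformerConfigurationException if the factory or transformer cannot be set up
     * @throws TransformerException if the transformation itself fails
     * @throws AssertionError if a test resource is missing or cannot be closed
     */
    private String transform(boolean secureProcessing) throws TransformerException {
        try (InputStream xslStream = openResource(XSL_RESOURCE);
             InputStream xmlStream = openResource(XML_RESOURCE)) {
            StreamSource xslSource = new StreamSource(xslStream);
            StreamSource xmlSource = new StreamSource(xmlStream);
            StringWriter xmlResultString = new StringWriter();
            StreamResult xmlResultStream = new StreamResult(xmlResultString);

            TransformerFactory transformerFactory = TransformerFactory.newInstance();
            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
            Transformer transformer = transformerFactory.newTransformer(xslSource);
            transformer.transform(xmlSource, xmlResultStream);
            return xmlResultString.toString();
        } catch (IOException ex) {
            // Only close() can throw here; treat it as a test-harness error, not a transform result.
            throw new AssertionError("failed to close test resources", ex);
        }
    }

    /**
     * Opens a class-path resource located next to this test class.
     *
     * Fails the test immediately when the resource is missing rather than handing a null
     * stream to the transformer: a failure surfacing later in the secure run could be
     * mistaken for the rejection the test expects, making that check pass vacuously.
     *
     * @param name resource name relative to this class
     * @return an open stream for the resource; the caller closes it
     * @throws AssertionError if the resource cannot be found
     */
    private InputStream openResource(String name) {
        InputStream in = this.getClass().getResourceAsStream(name);
        Assert.assertNotNull(in, "missing test resource: " + name);
        return in;
    }
}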