/*
 * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package transform;

import java.io.FilePermission;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.io.UncheckedIOException;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import jaxp.library.JAXPTestUtilities;

import org.testng.Assert;
import org.testng.annotations.Test;

/*
 * @summary Test XSLT shall report TransformerException for unsafe xsl when FEATURE_SECURE_PROCESSING is true.
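 */
@Test(singleThreaded = true)
public class SecureProcessingTest {

    /** Runs the check under a policy that grants read access to the test sources only. */
    public void runWithSecurityManager() throws Exception {
        JAXPTestUtilities.tryRunWithPolicyManager(() -> testSecureProcessing(),
                new FilePermission(System.getProperty("test.src") + "/-", "read"));
    }

    /** Runs the check with no security manager installed. */
    public void runWithoutSecurityManager() throws Exception {
        testSecureProcessing();
    }

    /**
     * Transforms SecureProcessingTest.xml with SecureProcessingTest.xsl twice.
     * <p>
     * With {@code FEATURE_SECURE_PROCESSING == false} the transformation must succeed; this
     * half is skipped when a security manager is present because the feature cannot be turned
     * off there. With {@code FEATURE_SECURE_PROCESSING == true} the same stylesheet must be
     * rejected with a {@link TransformerException}.
     */
    private void testSecureProcessing() {
        boolean isSecureMode = System.getSecurityManager() != null;

        // SECURE_PROCESSING == false: expect success.
        // Skipped under a security manager: the jaxp secure feature can not be turned off
        // when a security manager is present.
        if (!isSecureMode) {
            try {
                String xmlResult = transform(false);
                System.out.println("Transformation result (SECURE_PROCESSING == false) = \"" + xmlResult + "\"");
            } catch (TransformerException ex) {
                // TransformerConfigurationException is a subclass, so both are covered here;
                // pass the cause along instead of flattening it to a string
                ex.printStackTrace();
                Assert.fail(ex.toString(), ex);
            }
        }

        // SECURE_PROCESSING == true: expect a TransformerException.
        try {
            String xmlResult = transform(true);
            // unexpected success (Assert.fail throws AssertionError, which the catches below
            // do not intercept)
            System.err.println("Transformation result (SECURE_PROCESSING == true) = \"" + xmlResult + "\"");
            Assert.fail("SECURITY_PROCESSING == true, expected failure but got result: \"" + xmlResult + "\"");
        } catch (TransformerConfigurationException ex) {
            // a configuration problem is not the rejection this test is looking for
            ex.printStackTrace();
            Assert.fail(ex.toString(), ex);
        } catch (TransformerException ex) {
            // expected failure
            // NOTE(review): only the exception type is checked; the message is not inspected,
            // so a stylesheet rejected for an unrelated reason would also pass here.
            System.out.println("expected failure: " + ex.toString());
            ex.printStackTrace(System.out);
        }
    }

    /**
     * Runs the stylesheet over the document with {@code FEATURE_SECURE_PROCESSING} set as given.
     *
     * @param secure value passed to {@link TransformerFactory#setFeature} for
     *        {@link XMLConstants#FEATURE_SECURE_PROCESSING}
     * @return the serialized transformation result
     * @throws TransformerException if the factory refuses the feature value, the stylesheet
     *         cannot be compiled, or the transformation fails
     * @throws UncheckedIOException if a test resource cannot be closed
     */
    private String transform(boolean secure) throws TransformerException {
        try (InputStream xslStream = openResource("SecureProcessingTest.xsl");
             InputStream xmlStream = openResource("SecureProcessingTest.xml")) {
            StringWriter resultWriter = new StringWriter();
            TransformerFactory factory = TransformerFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
            Transformer transformer = factory.newTransformer(new StreamSource(xslStream));
            transformer.transform(new StreamSource(xmlStream), new StreamResult(resultWriter));
            return resultWriter.toString();
        } catch (IOException ex) {
            // only the implicit close() of the two streams is expected to throw this
            throw new UncheckedIOException("closing test resources", ex);
        }
    }

    /**
     * Opens a classpath resource located next to this class.
     *
     * @param name resource name relative to this class
     * @return the open stream; the caller is responsible for closing it
     * @throws IllegalStateException if the resource is missing, rather than letting a null
     *         stream produce an obscure failure later in the transformation
     */
    private InputStream openResource(String name) {
        InputStream in = getClass().getResourceAsStream(name);
        if (in == null) {
            throw new IllegalStateException("test resource not found: " + name);
        }
        return in;
    }
}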