1 /*
2 * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 package xpath;
25
26 import java.io.FilePermission;
27 import java.io.IOException;
28 import java.io.InputStream;
29 import java.util.Iterator;
30 import java.util.List;
31
32 import javax.xml.XMLConstants;
33 import javax.xml.namespace.NamespaceContext;
34 import javax.xml.namespace.QName;
35 import javax.xml.parsers.DocumentBuilder;
36 import javax.xml.parsers.DocumentBuilderFactory;
37 import javax.xml.parsers.ParserConfigurationException;
38 import javax.xml.xpath.XPath;
39 import javax.xml.xpath.XPathExpressionException;
40 import javax.xml.xpath.XPathFactory;
41 import javax.xml.xpath.XPathFactoryConfigurationException;
42 import javax.xml.xpath.XPathFunction;
43 import javax.xml.xpath.XPathFunctionException;
44 import javax.xml.xpath.XPathFunctionResolver;
45
46 import jaxp.library.JAXPTestUtilities;
47
48 import org.testng.Assert;
49 import org.testng.annotations.Test;
50 import org.w3c.dom.Document;
51 import org.xml.sax.SAXException;
52
53 /*
54 * @summary Test when FEATURE_SECURE_PROCESSING is true, calling an external function will cause XPathFunctionException.
55 */
56 @Test(singleThreaded = true)
57 public class SecureProcessingTest {
58 public void runWithSecurityManager() throws Exception {
59 JAXPTestUtilities.tryRunWithPolicyManager(() -> testSecureProcessing(),
60 new FilePermission(System.getProperty("test.src") + "/-", "read"));
61 }
62
63 public void runWithoutSecurityManager() throws Exception {
64 testSecureProcessing();
65 }
66
67 private final void testSecureProcessing() {
68 boolean _isSecureMode = System.getSecurityManager() != null;
69
70 final String XPATH_EXPRESSION = "ext:helloWorld()";
71
72 // the xml source
73 InputStream xmlStream = this.getClass().getResourceAsStream("SecureProcessingTest.xml");
74
75 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
76 DocumentBuilder documentBuilder = null;
77 Document document = null;
78
79 try {
80 documentBuilder = documentBuilderFactory.newDocumentBuilder();
81 document = documentBuilder.parse(xmlStream);
82 } catch (ParserConfigurationException parserConfigurationException) {
83 parserConfigurationException.printStackTrace();
84 Assert.fail(parserConfigurationException.toString());
85 } catch (SAXException saxException) {
86 saxException.printStackTrace();
87 Assert.fail(saxException.toString());
88 } catch (IOException ioException) {
89 ioException.printStackTrace();
90 Assert.fail(ioException.toString());
91 }
92
93 // the XPath
94 XPathFactory xPathFactory = null;
95 XPath xPath = null;
96 String xPathResult = null;
97
98 // SECURE_PROCESSING == false
99 // evaluate an expression with a user defined function with a non-secure
100 // XPath
101 // expect success
102 if (!_isSecureMode) { // jaxp secure feature can not be turned off when
103 // security manager is present
104 try {
105 xPathFactory = xPathFactory.newInstance();
106 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver());
107 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
108
109 xPath = xPathFactory.newXPath();
110 xPath.setNamespaceContext(new MyNamespaceContext());
111
112 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document);
113 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) {
114 xPathFactoryConfigurationException.printStackTrace();
115 Assert.fail(xPathFactoryConfigurationException.toString());
116 } catch (XPathExpressionException xPathExpressionException) {
117 xPathExpressionException.printStackTrace();
118 Assert.fail(xPathExpressionException.toString());
119 }
120
121 // expected success
122 System.out.println("XPath result (SECURE_PROCESSING == false) = \"" + xPathResult + "\"");
123 }
124 // now try with SECURE_PROCESSING == true
125 // evaluate an expression with a user defined function with a secure
126 // XPath
127 // expect Exception
128 boolean securityException = false;
129 try {
130 xPathFactory = xPathFactory.newInstance();
131 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver());
132 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
133
134 xPath = xPathFactory.newXPath();
135 xPath.setNamespaceContext(new MyNamespaceContext());
136
137 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document);
138 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) {
139 xPathFactoryConfigurationException.printStackTrace();
140 Assert.fail(xPathFactoryConfigurationException.toString());
141 } catch (XPathFunctionException xPathFunctionException) {
142 // expected security exception
143 securityException = true;
144 xPathFunctionException.printStackTrace(System.out);
145 } catch (XPathExpressionException xPathExpressionException) {
146 xPathExpressionException.printStackTrace();
147 Assert.fail(xPathExpressionException.toString());
148 }
149
150 // expected Exception
151 if (!securityException) {
152 Assert.fail("XPath result (SECURE_PROCESSING == true) = \"" + xPathResult + "\"");
153 }
154 }
155
156 private class MyXPathFunctionResolver implements XPathFunctionResolver {
157
158 public XPathFunction resolveFunction(QName functionName, int arity) {
159
160 // not a real ewsolver, always return a default XPathFunction
161 return new MyXPathFunction();
162 }
163 }
164
165 private class MyXPathFunction implements XPathFunction {
166
167 public Object evaluate(List list) throws XPathFunctionException {
168
169 return "Hello World";
170 }
171 }
172
173 private class MyNamespaceContext implements NamespaceContext {
174
175 public String getNamespaceURI(String prefix) {
176 if (prefix == null) {
177 throw new IllegalArgumentException("The prefix cannot be null.");
178 }
179
180 if (prefix.equals("ext")) {
181 return "http://ext.com";
182 } else {
183 return null;
184 }
185 }
186
187 public String getPrefix(String namespace) {
188
189 if (namespace == null) {
190 throw new IllegalArgumentException("The namespace uri cannot be null.");
191 }
192
193 if (namespace.equals("http://ext.com")) {
194 return "ext";
195 } else {
196 return null;
197 }
198 }
199
200 public Iterator getPrefixes(String namespace) {
201 return null;
202 }
203 }
204 }