/* * reserved comment block * DO NOT REMOVE OR ALTER! */ /* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.sun.org.apache.xerces.internal.util; import com.sun.org.apache.xerces.internal.impl.Constants; /** * This class is a container for parser settings that relate to * security, or more specifically, it is intended to be used to prevent denial-of-service * attacks from being launched against a system running Xerces. * Any component that is aware of a denial-of-service attack that can arise * from its processing of a certain kind of document may query its Component Manager * for the property (http://apache.org/xml/properties/security-manager) * whose value will be an instance of this class. * If no value has been set for the property, the component should proceed in the "usual" (spec-compliant) * manner. If a value has been set, then it must be the case that the component in * question needs to know what method of this class to query. This class * will provide defaults for all known security issues, but will also provide * setters so that those values can be tailored by applications that care. * * @author Neil Graham, IBM * */ public final class SecurityManager { // // Constants // // default value for entity expansion limit private final static int DEFAULT_ENTITY_EXPANSION_LIMIT = 64000; /** Default value of number of nodes created. **/ private final static int DEFAULT_MAX_OCCUR_NODE_LIMIT = 5000; // // Data // private final static int DEFAULT_ELEMENT_ATTRIBUTE_LIMIT = 10000; /** Entity expansion limit. **/ private int entityExpansionLimit; /** W3C XML Schema maxOccurs limit. **/ private int maxOccurLimit; private int fElementAttributeLimit; // default constructor. Establishes default values for // all known security holes. /** * Default constructor. Establishes default values * for known security vulnerabilities. */ public SecurityManager() { entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT; maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT ; fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT; //We are reading system properties only once , //at the time of creation of this object , readSystemProperties(); } /** *

Sets the number of entity expansions that the * parser should permit in a document.

* * @param limit the number of entity expansions * permitted in a document */ public void setEntityExpansionLimit(int limit) { entityExpansionLimit = limit; } /** *

Returns the number of entity expansions * that the parser permits in a document.

* * @return the number of entity expansions * permitted in a document */ public int getEntityExpansionLimit() { return entityExpansionLimit; } /** *

Sets the limit of the number of content model nodes * that may be created when building a grammar for a W3C * XML Schema that contains maxOccurs attributes with values * other than "unbounded".

* * @param limit the maximum value for maxOccurs other * than "unbounded" */ public void setMaxOccurNodeLimit(int limit){ maxOccurLimit = limit; } /** *

Returns the limit of the number of content model nodes * that may be created when building a grammar for a W3C * XML Schema that contains maxOccurs attributes with values * other than "unbounded".

* * @return the maximum value for maxOccurs other * than "unbounded" */ public int getMaxOccurNodeLimit(){ return maxOccurLimit; } public int getElementAttrLimit(){ return fElementAttributeLimit; } public void setElementAttrLimit(int limit){ fElementAttributeLimit = limit; } private void readSystemProperties(){ try { String value = System.getProperty(Constants.ENTITY_EXPANSION_LIMIT); if(value != null && !value.isEmpty()){ entityExpansionLimit = Integer.parseInt(value); if (entityExpansionLimit < 0) entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT; } else entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT; }catch(Exception ex){} try { String value = System.getProperty(Constants.MAX_OCCUR_LIMIT); if(value != null && !value.isEmpty()){ maxOccurLimit = Integer.parseInt(value); if (maxOccurLimit < 0) maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT; } else maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT; }catch(Exception ex){} try { String value = System.getProperty(Constants.ELEMENT_ATTRIBUTE_LIMIT); if(value != null && !value.isEmpty()){ fElementAttributeLimit = Integer.parseInt(value); if ( fElementAttributeLimit < 0) fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT; } else fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT; }catch(Exception ex){} } } // class SecurityManager