| /* |
| * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| package parsers; |
| |
| import static jaxp.library.JAXPTestUtilities.clearSystemProperty; |
| import static jaxp.library.JAXPTestUtilities.setSystemProperty; |
| |
| import java.io.File; |
| import java.io.InputStream; |
| |
| import javax.xml.XMLConstants; |
| import javax.xml.parsers.DocumentBuilder; |
| import javax.xml.parsers.DocumentBuilderFactory; |
| import javax.xml.parsers.SAXParser; |
| import javax.xml.parsers.SAXParserFactory; |
| |
| import org.testng.Assert; |
| import org.testng.annotations.Listeners; |
| import org.testng.annotations.Test; |
| import org.w3c.dom.Document; |
| import org.xml.sax.SAXParseException; |
| |
| /* |
| * @test |
| * @bug 6309988 |
| * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest |
| * @run testng/othervm -DrunSecMngr=true parsers.Bug6309988 |
| * @run testng/othervm parsers.Bug6309988 |
| * @summary Test elementAttributeLimit, maxOccurLimit, entityExpansionLimit. |
| */ |
| @Test(singleThreaded = true) |
| @Listeners({jaxp.library.FilePolicy.class}) |
| public class Bug6309988 { |
| |
| DocumentBuilderFactory dbf = null; |
| |
| /* |
| * Given XML document has more than 10000 attributes. Exception is expected |
| */ |
| public void testDOMParserElementAttributeLimit() { |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest.xml")); |
| Assert.fail("SAXParserException is expected, as given XML document contains more than 10000 attributes"); |
| } catch (SAXParseException e) { |
| System.out.println(e.getMessage()); |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } |
| } |
| |
| /* |
| * Given XML document has more than 10000 attributes. It should report an |
| * error. |
| */ |
| public void testDOMNSParserElementAttributeLimit() { |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setNamespaceAware(true); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest.xml")); |
| Assert.fail("SAXParserException is expected, as given XML document contains more than 10000 attributes"); |
| } catch (SAXParseException e) { |
| System.out.println(e.getMessage()); |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } |
| } |
| |
| /* |
| * Given XML document has more than 10000 attributes. Parsing this XML |
| * document in non-secure mode, should not report any error. |
| */ |
| public void testDOMNSParserElementAttributeLimitWithoutSecureProcessing() { |
| if (isSecureMode()) |
| return; // jaxp secure feature can not be turned off when security |
| // manager is present |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); |
| dbf.setNamespaceAware(true); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest.xml")); |
| |
| } catch (SAXParseException e) { |
| Assert.fail(e.getMessage()); |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } |
| } |
| |
| /* |
| * Before 8014530: Given XML document has 3 attributes and System property |
| * is set to 2. Parsing this XML document in non-secure mode, should not |
| * report an error. |
| * After 8014530: System properties will override FSP, the result of this |
| * test should be the same as |
| * testSystemElementAttributeLimitWithSecureProcessing |
| */ |
| public void testSystemElementAttributeLimitWithoutSecureProcessing() { |
| if (isSecureMode()) |
| return; // jaxp secure feature can not be turned off when security |
| // manager is present |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); |
| dbf.setNamespaceAware(true); |
| setSystemProperty("elementAttributeLimit", "2"); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest3.xml")); |
| |
| Assert.fail("SAXParserException is expected, as given XML document contains more than 2 attributes"); |
| } catch (Exception e) { |
| String errMsg = e.getMessage(); |
| Throwable cause = e.getCause(); |
| if (cause != null) { |
| errMsg += cause.getMessage(); |
| } |
| if (errMsg.contains("JAXP0001")) { |
| // expected |
| } else { |
| Assert.fail("Unexpected error: " + e.getMessage()); |
| } |
| } finally { |
| clearSystemProperty("elementAttributeLimit"); |
| } |
| } |
| |
| /* |
| * Given XML document has 3 attributes and System property is set to 2. |
| * Parsing this XML document in secure mode, should report an error. |
| */ |
| public void testSystemElementAttributeLimitWithSecureProcessing() { |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setNamespaceAware(true); |
| setSystemProperty("elementAttributeLimit", "2"); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("DosTest3.xml")); |
| Assert.fail("SAXParserException is expected, as given XML document contains more than 2 attributes"); |
| } catch (SAXParseException e) { |
| System.out.println(e.getMessage()); |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } finally { |
| setSystemProperty("elementAttributeLimit", ""); |
| } |
| } |
| |
| /* |
| * Default value for secure processing feature should be true. |
| */ |
| public void testDOMSecureProcessingDefaultValue() { |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| Assert.assertTrue(dbf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING), "Default value for secureProcessing feature should be true"); |
| |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } |
| } |
| |
| /* |
| * Default value for secure processing feature should be true. |
| */ |
| public void testSAXSecureProcessingDefaultValue() { |
| try { |
| SAXParserFactory spf = SAXParserFactory.newInstance(); |
| Assert.assertTrue(spf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING), "Default value for secureProcessing feature should be true"); |
| |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } |
| } |
| |
| /* |
| * This method sets system property for maxOccurLimit=2 and secure process |
| * feature is off. Given doument contains more than 2 elements and hence an |
| * error should be reported. |
| */ |
| public void testSystemMaxOccurLimitWithoutSecureProcessing() { |
| if (isSecureMode()) |
| return; // jaxp secure feature can not be turned off when security |
| // manager is present |
| try { |
| SAXParserFactory spf = SAXParserFactory.newInstance(); |
| spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); |
| spf.setValidating(true); |
| setSystemProperty("maxOccurLimit", "2"); |
| // Set the properties for Schema Validation |
| String SCHEMA_LANG = "http://java.sun.com/xml/jaxp/properties/schemaLanguage"; |
| String SCHEMA_TYPE = "http://www.w3.org/2001/XMLSchema"; |
| // Get the Schema location as a File object |
| File schemaFile = new File(this.getClass().getResource("toys.xsd").toURI()); |
| // Get the parser |
| SAXParser parser = spf.newSAXParser(); |
| parser.setProperty(SCHEMA_LANG, SCHEMA_TYPE); |
| parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaSource", schemaFile); |
| |
| InputStream is = this.getClass().getResourceAsStream("toys.xml"); |
| MyErrorHandler eh = new MyErrorHandler(); |
| parser.parse(is, eh); |
| Assert.assertFalse(eh.errorOccured, "Not Expected Error"); |
| setSystemProperty("maxOccurLimit", ""); |
| } catch (Exception e) { |
| Assert.fail("Exception occured: " + e.getMessage()); |
| } |
| } |
| |
| /* |
| * This test will take longer time to execute( abt 120sec). This method |
| * tries to validate a document. This document contains an element whose |
| * maxOccur is '3002'. Since secure processing feature is off, document |
| * should be parsed without any errors. |
| */ |
| public void testValidMaxOccurLimitWithOutSecureProcessing() { |
| if (isSecureMode()) |
| return; // jaxp secure feature can not be turned off when security |
| // manager is present |
| try { |
| SAXParserFactory spf = SAXParserFactory.newInstance(); |
| spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); |
| spf.setValidating(true); |
| // Set the properties for Schema Validation |
| String SCHEMA_LANG = "http://java.sun.com/xml/jaxp/properties/schemaLanguage"; |
| String SCHEMA_TYPE = "http://www.w3.org/2001/XMLSchema"; |
| // Get the Schema location as a File object |
| File schemaFile = new File(this.getClass().getResource("toys3002.xsd").toURI()); |
| // Get the parser |
| SAXParser parser = spf.newSAXParser(); |
| parser.setProperty(SCHEMA_LANG, SCHEMA_TYPE); |
| parser.setProperty("http://java.sun.com/xml/jaxp/properties/schemaSource", schemaFile); |
| |
| InputStream is = this.getClass().getResourceAsStream("toys.xml"); |
| MyErrorHandler eh = new MyErrorHandler(); |
| parser.parse(is, eh); |
| Assert.assertFalse(eh.errorOccured, "Expected Error as maxOccurLimit is exceeded"); |
| |
| } catch (Exception e) { |
| Assert.fail("Exception occured: " + e.getMessage()); |
| } |
| } |
| |
| /* |
| * Before 8014530: System property is set to 2. Given XML document has more |
| * than 2 entity references. Parsing this document in non-secure mode, |
| * should *not* report an error. |
| * After 8014530: System properties will override FSP, the result of this |
| * test should be the same as |
| * testSystemElementAttributeLimitWithSecureProcessing |
| */ |
| public void testSystemEntityExpansionLimitWithOutSecureProcessing() { |
| if (isSecureMode()) |
| return; // jaxp secure feature can not be turned off when security |
| // manager is present |
| try { |
| setSystemProperty("entityExpansionLimit", "2"); |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); |
| dbf.setValidating(true); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("entity.xml")); |
| Assert.fail("SAXParserException is expected, as given XML document contains more 2 entity references"); |
| } catch (Exception e) { |
| String errMsg = e.getMessage(); |
| Throwable cause = e.getCause(); |
| if (cause != null) { |
| errMsg += cause.getMessage(); |
| } |
| if (errMsg.contains("JAXP0001")) { |
| // expected |
| } else { |
| Assert.fail("Unexpected error: " + e.getMessage()); |
| } |
| } finally { |
| clearSystemProperty("entityExpansionLimit"); |
| } |
| } |
| |
| /* |
| * System property is set to 2. Given XML document has more than 2 entity |
| * references. Parsing this document in secure mode, should report an error. |
| */ |
| public void testSystemEntityExpansionLimitWithSecureProcessing() { |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setValidating(true); |
| setSystemProperty("entityExpansionLimit", "2"); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("entity.xml")); |
| Assert.fail("SAXParserException is expected, as given XML document contains more 2 entity references"); |
| |
| } catch (SAXParseException e) { |
| System.out.println(e.getMessage()); |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } finally { |
| setSystemProperty("entityExpansionLimit", ""); |
| } |
| } |
| |
| /* |
| * Given XML document has more than 64000 entity references. Parsing this |
| * document in secure mode, should report an error. |
| */ |
| public void testEntityExpansionLimitWithSecureProcessing() { |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setValidating(true); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("entity64K.xml")); |
| Assert.fail("SAXParserException is expected, as given XML document contains more 2 entity references"); |
| |
| } catch (SAXParseException e) { |
| System.out.println(e.getMessage()); |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } finally { |
| setSystemProperty("entityExpansionLimit", ""); |
| } |
| } |
| |
| /* |
| * Given XML document has more than 64000 entity references. Parsing this |
| * document in non-secure mode, should not report any error. |
| */ |
| public void testEntityExpansionLimitWithOutSecureProcessing() { |
| if (isSecureMode()) |
| return; // jaxp secure feature can not be turned off when security |
| // manager is present |
| try { |
| dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); |
| dbf.setValidating(true); |
| DocumentBuilder parser = dbf.newDocumentBuilder(); |
| Document doc = parser.parse(this.getClass().getResourceAsStream("entity64K.xml")); |
| |
| } catch (SAXParseException e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } catch (Exception e) { |
| Assert.fail("Exception " + e.getMessage()); |
| } finally { |
| setSystemProperty("entityExpansionLimit", ""); |
| } |
| } |
| |
| private boolean isSecureMode() { |
| return System.getSecurityManager() != null; |
| } |
| } |