1 /* 2 * Copyright (c) 2014, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 package transform; 25 26 import java.io.InputStream; 27 import java.io.StringWriter; 28 29 import javax.xml.XMLConstants; 30 import javax.xml.transform.Transformer; 31 import javax.xml.transform.TransformerConfigurationException; 32 import javax.xml.transform.TransformerException; 33 import javax.xml.transform.TransformerFactory; 34 import javax.xml.transform.stream.StreamResult; 35 import javax.xml.transform.stream.StreamSource; 36 37 import org.testng.Assert; 38 import org.testng.annotations.Listeners; 39 import org.testng.annotations.Test; 40 41 /* 42 * @test 43 * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest 44 * @run testng/othervm -DrunSecMngr=true transform.SecureProcessingTest 45 * @run testng/othervm transform.SecureProcessingTest 46 * @summary Test XSLT shall report TransformerException for unsafe xsl when FEATURE_SECURE_PROCESSING is true. 47 */ 48 @Listeners({jaxp.library.FilePolicy.class}) 49 public class SecureProcessingTest { 50 @Test testSecureProcessing()51 public void testSecureProcessing() { 52 boolean _isSecureMode = System.getSecurityManager() != null; 53 // SECURE_PROCESSING == false 54 55 // the style sheet 56 InputStream xslStream = this.getClass().getResourceAsStream("SecureProcessingTest.xsl"); 57 StreamSource xslSource = new StreamSource(xslStream); 58 59 // the xml source 60 InputStream xmlStream = this.getClass().getResourceAsStream("SecureProcessingTest.xml"); 61 StreamSource xmlSource = new StreamSource(xmlStream); 62 63 // the xml result 64 StringWriter xmlResultString = new StringWriter(); 65 StreamResult xmlResultStream = new StreamResult(xmlResultString); 66 67 // the transformer 68 TransformerFactory transformerFactory = null; 69 Transformer transformer = null; 70 71 // transform with a non-secure Transformer 72 // expect success 73 String xmlResult; 74 if (!_isSecureMode) { // jaxp secure feature can not be turned off when 75 // security manager is present 76 try { 77 transformerFactory = TransformerFactory.newInstance(); 78 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); 79 transformer = transformerFactory.newTransformer(xslSource); 80 transformer.transform(xmlSource, xmlResultStream); 81 } catch (TransformerConfigurationException ex) { 82 ex.printStackTrace(); 83 Assert.fail(ex.toString()); 84 } catch (TransformerException ex) { 85 ex.printStackTrace(); 86 Assert.fail(ex.toString()); 87 } 88 89 // expected success 90 // and the result is ... 91 xmlResult = xmlResultString.toString(); 92 System.out.println("Transformation result (SECURE_PROCESSING == false) = \"" + xmlResult + "\""); 93 } 94 95 // now do same transformation but with SECURE_PROCESSING == true 96 // expect Exception 97 boolean exceptionCaught = false; 98 99 // the style sheet 100 xslStream = this.getClass().getResourceAsStream("SecureProcessingTest.xsl"); 101 xslSource = new StreamSource(xslStream); 102 103 // the xml source 104 xmlStream = this.getClass().getResourceAsStream("SecureProcessingTest.xml"); 105 xmlSource = new StreamSource(xmlStream); 106 107 // the xml result 108 xmlResultString = new StringWriter(); 109 xmlResultStream = new StreamResult(xmlResultString); 110 111 // the transformer 112 transformerFactory = null; 113 transformer = null; 114 115 // transform with a secure Transformer 116 try { 117 transformerFactory = TransformerFactory.newInstance(); 118 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); 119 transformer = transformerFactory.newTransformer(xslSource); 120 transformer.transform(xmlSource, xmlResultStream); 121 } catch (TransformerConfigurationException ex) { 122 ex.printStackTrace(); 123 Assert.fail(ex.toString()); 124 } catch (TransformerException ex) { 125 // expected failure 126 System.out.println("expected failure: " + ex.toString()); 127 ex.printStackTrace(System.out); 128 exceptionCaught = true; 129 } 130 131 // unexpected success? 132 if (!exceptionCaught) { 133 // and the result is ... 134 xmlResult = xmlResultString.toString(); 135 System.err.println("Transformation result (SECURE_PROCESSING == true) = \"" + xmlResult + "\""); 136 Assert.fail("SECURITY_PROCESSING == true, expected failure but got result: \"" + xmlResult + "\""); 137 } 138 } 139 } 140