author | joehw |
Wed, 18 Oct 2017 13:25:49 -0700 | |
changeset 47359 | e1a6c0168741 |
parent 47216 | 71c04702a3d5 |
child 49269 | 26c24703e547 |
permissions | -rw-r--r-- |
20968 | 1 |
/* |
2 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. |
|
3 |
* |
|
47359
e1a6c0168741
8181150: Fix lint warnings in JAXP repo: rawtypes and unchecked
joehw
parents:
47216
diff
changeset
|
4 |
* Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved. |
20968 | 5 |
* |
6 |
* The contents of this file are subject to the terms of either the GNU |
|
7 |
* General Public License Version 2 only ("GPL") or the Common Development |
|
8 |
* and Distribution License("CDDL") (collectively, the "License"). You |
|
9 |
* may not use this file except in compliance with the License. You can |
|
10 |
* obtain a copy of the License at |
|
11 |
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html |
|
12 |
* or packager/legal/LICENSE.txt. See the License for the specific |
|
13 |
* language governing permissions and limitations under the License. |
|
14 |
* |
|
15 |
* When distributing the software, include this License Header Notice in each |
|
16 |
* file and include the License file at packager/legal/LICENSE.txt. |
|
17 |
* |
|
18 |
* GPL Classpath Exception: |
|
19 |
* Oracle designates this particular file as subject to the "Classpath" |
|
20 |
* exception as provided by Oracle in the GPL Version 2 section of the License |
|
21 |
* file that accompanied this code. |
|
22 |
* |
|
23 |
* Modifications: |
|
24 |
* If applicable, add the following below the License Header, with the fields |
|
25 |
* enclosed by brackets [] replaced by your own identifying information: |
|
26 |
* "Portions Copyright [year] [name of copyright owner]" |
|
27 |
* |
|
28 |
* Contributor(s): |
|
29 |
* If you wish your version of this file to be governed by only the CDDL or |
|
30 |
* only the GPL Version 2, indicate your decision by adding "[Contributor] |
|
31 |
* elects to include this software in this distribution under the [CDDL or GPL |
|
32 |
* Version 2] license." If you don't indicate a single choice of license, a |
|
33 |
* recipient has the option to distribute your version of this file under |
|
34 |
* either the CDDL, the GPL Version 2 or to extend the choice of license to |
|
35 |
* its licensees as provided above. However, if you add GPL Version 2 code |
|
36 |
* and therefore, elected the GPL Version 2 license, then the option applies |
|
37 |
* only if the new code is made subject to such option by the copyright |
|
38 |
* holder. |
|
39 |
*/ |
|
40 |
package com.sun.org.apache.xerces.internal.utils; |
|
41 |
||
42 |
import com.sun.org.apache.xerces.internal.impl.Constants; |
|
43 |
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit; |
|
44 |
import java.util.Formatter; |
|
45 |
import java.util.HashMap; |
|
46 |
import java.util.Map; |
|
47 |
||
48 |
/** |
|
49 |
* A helper for analyzing entity expansion limits |
|
50 |
* |
|
51 |
* @author Joe Wang Oracle Corp. |
|
52 |
* |
|
53 |
*/ |
|
54 |
public final class XMLLimitAnalyzer { |
|
55 |
||
56 |
/** |
|
57 |
* Map old property names with the new ones |
|
58 |
*/ |
|
59 |
public static enum NameMap { |
|
60 |
ENTITY_EXPANSION_LIMIT(Constants.SP_ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT), |
|
61 |
MAX_OCCUR_NODE_LIMIT(Constants.SP_MAX_OCCUR_LIMIT, Constants.MAX_OCCUR_LIMIT), |
|
62 |
ELEMENT_ATTRIBUTE_LIMIT(Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, Constants.ELEMENT_ATTRIBUTE_LIMIT); |
|
63 |
||
64 |
final String newName; |
|
65 |
final String oldName; |
|
66 |
||
67 |
NameMap(String newName, String oldName) { |
|
68 |
this.newName = newName; |
|
69 |
this.oldName = oldName; |
|
70 |
} |
|
71 |
||
72 |
String getOldName(String newName) { |
|
73 |
if (newName.equals(this.newName)) { |
|
74 |
return oldName; |
|
75 |
} |
|
76 |
return null; |
|
77 |
} |
|
78 |
} |
|
79 |
||
80 |
/** |
|
81 |
* Max value accumulated for each property |
|
82 |
*/ |
|
83 |
private final int[] values; |
|
84 |
/** |
|
85 |
* Names of the entities corresponding to their max values |
|
86 |
*/ |
|
87 |
private final String[] names; |
|
88 |
/** |
|
89 |
* Total value of accumulated entities |
|
90 |
*/ |
|
91 |
private final int[] totalValue; |
|
92 |
||
93 |
/** |
|
94 |
* Maintain values of the top 10 elements in the process of parsing |
|
95 |
*/ |
|
47359
e1a6c0168741
8181150: Fix lint warnings in JAXP repo: rawtypes and unchecked
joehw
parents:
47216
diff
changeset
|
96 |
private final Map<String, Integer>[] caches; |
20968 | 97 |
|
98 |
private String entityStart, entityEnd; |
|
99 |
/** |
|
100 |
* Default constructor. Establishes default values for known security |
|
101 |
* vulnerabilities. |
|
102 |
*/ |
|
47359
e1a6c0168741
8181150: Fix lint warnings in JAXP repo: rawtypes and unchecked
joehw
parents:
47216
diff
changeset
|
103 |
@SuppressWarnings({"rawtypes", "unchecked"}) |
22418
1ee8fd0184d1
8028111: XML readers share the same entity expansion counter
joehw
parents:
20973
diff
changeset
|
104 |
public XMLLimitAnalyzer() { |
20968 | 105 |
values = new int[Limit.values().length]; |
106 |
totalValue = new int[Limit.values().length]; |
|
107 |
names = new String[Limit.values().length]; |
|
108 |
caches = new Map[Limit.values().length]; |
|
109 |
} |
|
110 |
||
111 |
/** |
|
112 |
* Add the value to the current max count for the specified property |
|
113 |
* To find the max value of all entities, set no limit |
|
114 |
* |
|
115 |
* @param limit the type of the property |
|
116 |
* @param entityName the name of the entity |
|
117 |
* @param value the value of the entity |
|
118 |
*/ |
|
119 |
public void addValue(Limit limit, String entityName, int value) { |
|
120 |
addValue(limit.ordinal(), entityName, value); |
|
121 |
} |
|
122 |
||
123 |
/** |
|
124 |
* Add the value to the current count by the index of the property |
|
125 |
* @param index the index of the property |
|
126 |
* @param entityName the name of the entity |
|
127 |
* @param value the value of the entity |
|
128 |
*/ |
|
129 |
public void addValue(int index, String entityName, int value) { |
|
130 |
if (index == Limit.ENTITY_EXPANSION_LIMIT.ordinal() || |
|
131 |
index == Limit.MAX_OCCUR_NODE_LIMIT.ordinal() || |
|
33352 | 132 |
index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() || |
39799 | 133 |
index == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal() || |
134 |
index == Limit.ENTITY_REPLACEMENT_LIMIT.ordinal() |
|
33352 | 135 |
) { |
20968 | 136 |
totalValue[index] += value; |
137 |
return; |
|
138 |
} |
|
33352 | 139 |
if (index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal() || |
140 |
index == Limit.MAX_NAME_LIMIT.ordinal()) { |
|
39799 | 141 |
values[index] = value; |
25591 | 142 |
totalValue[index] = value; |
143 |
return; |
|
144 |
} |
|
20968 | 145 |
|
146 |
Map<String, Integer> cache; |
|
147 |
if (caches[index] == null) { |
|
33352 | 148 |
cache = new HashMap<>(10); |
20968 | 149 |
caches[index] = cache; |
150 |
} else { |
|
151 |
cache = caches[index]; |
|
152 |
} |
|
153 |
||
154 |
int accumulatedValue = value; |
|
155 |
if (cache.containsKey(entityName)) { |
|
33352 | 156 |
accumulatedValue += cache.get(entityName); |
157 |
cache.put(entityName, accumulatedValue); |
|
20968 | 158 |
} else { |
33352 | 159 |
cache.put(entityName, value); |
20968 | 160 |
} |
161 |
||
162 |
if (accumulatedValue > values[index]) { |
|
163 |
values[index] = accumulatedValue; |
|
164 |
names[index] = entityName; |
|
165 |
} |
|
166 |
||
167 |
||
22418
1ee8fd0184d1
8028111: XML readers share the same entity expansion counter
joehw
parents:
20973
diff
changeset
|
168 |
if (index == Limit.GENERAL_ENTITY_SIZE_LIMIT.ordinal() || |
20968 | 169 |
index == Limit.PARAMETER_ENTITY_SIZE_LIMIT.ordinal()) { |
170 |
totalValue[Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()] += value; |
|
171 |
} |
|
172 |
} |
|
173 |
||
174 |
/** |
|
175 |
* Return the value of the current max count for the specified property |
|
176 |
* |
|
177 |
* @param limit the property |
|
178 |
* @return the value of the property |
|
179 |
*/ |
|
180 |
public int getValue(Limit limit) { |
|
39799 | 181 |
return getValue(limit.ordinal()); |
20968 | 182 |
} |
183 |
||
184 |
public int getValue(int index) { |
|
39799 | 185 |
if (index == Limit.ENTITY_REPLACEMENT_LIMIT.ordinal()) { |
186 |
return totalValue[index]; |
|
187 |
} |
|
20968 | 188 |
return values[index]; |
189 |
} |
|
190 |
/** |
|
191 |
* Return the total value accumulated so far |
|
192 |
* |
|
193 |
* @param limit the property |
|
194 |
* @return the accumulated value of the property |
|
195 |
*/ |
|
196 |
public int getTotalValue(Limit limit) { |
|
197 |
return totalValue[limit.ordinal()]; |
|
198 |
} |
|
199 |
||
200 |
public int getTotalValue(int index) { |
|
201 |
return totalValue[index]; |
|
202 |
} |
|
203 |
/** |
|
204 |
* Return the current max value (count or length) by the index of a property |
|
205 |
* @param index the index of a property |
|
206 |
* @return count of a property |
|
207 |
*/ |
|
208 |
public int getValueByIndex(int index) { |
|
209 |
return values[index]; |
|
210 |
} |
|
211 |
||
212 |
public void startEntity(String name) { |
|
213 |
entityStart = name; |
|
214 |
} |
|
215 |
||
216 |
public boolean isTracking(String name) { |
|
20973 | 217 |
if (entityStart == null) { |
218 |
return false; |
|
219 |
} |
|
20968 | 220 |
return entityStart.equals(name); |
221 |
} |
|
222 |
/** |
|
223 |
* Stop tracking the entity |
|
224 |
* @param limit the limit property |
|
225 |
* @param name the name of an entity |
|
226 |
*/ |
|
227 |
public void endEntity(Limit limit, String name) { |
|
228 |
entityStart = ""; |
|
229 |
Map<String, Integer> cache = caches[limit.ordinal()]; |
|
230 |
if (cache != null) { |
|
231 |
cache.remove(name); |
|
232 |
} |
|
233 |
} |
|
234 |
||
33352 | 235 |
/** |
236 |
* Resets the current value of the specified limit. |
|
237 |
* @param limit The limit to be reset. |
|
238 |
*/ |
|
239 |
public void reset(Limit limit) { |
|
240 |
if (limit.ordinal() == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()) { |
|
241 |
totalValue[limit.ordinal()] = 0; |
|
39799 | 242 |
} else if (limit.ordinal() == Limit.GENERAL_ENTITY_SIZE_LIMIT.ordinal()) { |
243 |
names[limit.ordinal()] = null; |
|
244 |
values[limit.ordinal()] = 0; |
|
245 |
caches[limit.ordinal()] = null; |
|
246 |
totalValue[limit.ordinal()] = 0; |
|
33352 | 247 |
} |
248 |
} |
|
249 |
||
22418
1ee8fd0184d1
8028111: XML readers share the same entity expansion counter
joehw
parents:
20973
diff
changeset
|
250 |
public void debugPrint(XMLSecurityManager securityManager) { |
20968 | 251 |
Formatter formatter = new Formatter(); |
252 |
System.out.println(formatter.format("%30s %15s %15s %15s %30s", |
|
253 |
"Property","Limit","Total size","Size","Entity Name")); |
|
254 |
||
255 |
for (Limit limit : Limit.values()) { |
|
256 |
formatter = new Formatter(); |
|
257 |
System.out.println(formatter.format("%30s %15d %15d %15d %30s", |
|
258 |
limit.name(), |
|
259 |
securityManager.getLimit(limit), |
|
260 |
totalValue[limit.ordinal()], |
|
261 |
values[limit.ordinal()], |
|
262 |
names[limit.ordinal()])); |
|
263 |
} |
|
264 |
} |
|
265 |
} |