/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2013, 2017, Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
* and Distribution License("CDDL") (collectively, the "License"). You
* may not use this file except in compliance with the License. You can
* obtain a copy of the License at
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
* or packager/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at packager/legal/LICENSE.txt.
*
* GPL Classpath Exception:
* Oracle designates this particular file as subject to the "Classpath"
* exception as provided by Oracle in the GPL Version 2 section of the License
* file that accompanied this code.
*
* Modifications:
* If applicable, add the following below the License Header, with the fields
* enclosed by brackets [] replaced by your own identifying information:
* "Portions Copyright [year] [name of copyright owner]"
*
* Contributor(s):
* If you wish your version of this file to be governed by only the CDDL or
* only the GPL Version 2, indicate your decision by adding "[Contributor]
* elects to include this software in this distribution under the [CDDL or GPL
* Version 2] license." If you don't indicate a single choice of license, a
* recipient has the option to distribute your version of this file under
* either the CDDL, the GPL Version 2 or to extend the choice of license to
* its licensees as provided above. However, if you add GPL Version 2 code
* and therefore, elected the GPL Version 2 license, then the option applies
* only if the new code is made subject to such option by the copyright
* holder.
*/
package com.sun.org.apache.xerces.internal.utils;
import com.sun.org.apache.xerces.internal.impl.Constants;
import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
import java.util.Formatter;
import java.util.HashMap;
import java.util.Map;
/**
* A helper for analyzing entity expansion limits
*
* @author Joe Wang Oracle Corp.
*
*/
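public final class XMLLimitAnalyzer {

    /**
     * Maps the old names of the limit properties to the new ones.
     * <p>
     * Each constant is built from two {@link Constants} entries; the first
     * argument is treated as the new name, the second as the old name.
     */
    public static enum NameMap {
        ENTITY_EXPANSION_LIMIT(Constants.SP_ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT),
        MAX_OCCUR_NODE_LIMIT(Constants.SP_MAX_OCCUR_LIMIT, Constants.MAX_OCCUR_LIMIT),
        ELEMENT_ATTRIBUTE_LIMIT(Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, Constants.ELEMENT_ATTRIBUTE_LIMIT);

        final String newName;
        final String oldName;

        NameMap(String newName, String oldName) {
            this.newName = newName;
            this.oldName = oldName;
        }

        /**
         * Returns the old property name when {@code newName} is this
         * constant's new name.
         *
         * @param newName the new property name to look up
         * @return the matching old name, or {@code null} if {@code newName}
         *         does not match this constant
         * @throws NullPointerException if {@code newName} is {@code null}
         */
        String getOldName(String newName) {
            return newName.equals(this.newName) ? oldName : null;
        }
    }

    /** Max value accumulated for each property, indexed by {@link Limit#ordinal()}. */
    private final int[] values;

    /** Name of the entity that produced the max value in {@link #values}, per property. */
    private final String[] names;

    /** Total value accumulated so far for each property, indexed by {@link Limit#ordinal()}. */
    private final int[] totalValue;

    /**
     * Per-property map of entity name to the value accumulated for that
     * entity while it is being tracked (see {@link #endEntity}).
     * Entries are created lazily in {@link #addValue(int, String, int)}.
     */
    private final Map<String, Integer>[] caches;

    /** Name of the entity currently being tracked; {@code entityEnd} is unused here. */
    private String entityStart, entityEnd;

    /**
     * Default constructor. Establishes default values for known security
     * vulnerabilities.
     * <p>
     * All counters are sized by the number of {@link Limit} constants so
     * that a limit's ordinal can be used as the index everywhere below.
     * This class is not thread-safe: the arrays and maps are updated
     * without synchronization.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public XMLLimitAnalyzer() {
        final int limitCount = Limit.values().length;
        values = new int[limitCount];
        totalValue = new int[limitCount];
        names = new String[limitCount];
        caches = new Map[limitCount];
    }

    /**
     * Add the value to the current max count for the specified property.
     * To find the max value of all entities, set no limit.
     *
     * @param limit the type of the property
     * @param entityName the name of the entity
     * @param value the value of the entity
     */
    public void addValue(Limit limit, String entityName, int value) {
        addValue(limit.ordinal(), entityName, value);
    }

    /**
     * Add the value to the current count by the index of the property.
     * <p>
     * How the value is recorded depends on the property:
     * <ul>
     * <li>cumulative limits (entity expansion, max occur, element attribute,
     *     total entity size, entity replacement) only grow their total;</li>
     * <li>point-in-time limits (element depth, name length) replace both the
     *     current and the total value with the value given;</li>
     * <li>every other limit is accumulated per entity name, and the largest
     *     per-entity accumulation becomes the property's current max. For
     *     the general and parameter entity size limits the value is also
     *     added to the total entity size.</li>
     * </ul>
     * Totals are plain {@code int} sums and wrap on overflow, as before.
     *
     * @param index the index of the property (a {@link Limit} ordinal)
     * @param entityName the name of the entity
     * @param value the value of the entity
     * @throws ArrayIndexOutOfBoundsException if {@code index} is not a valid
     *         {@link Limit} ordinal
     */
    public void addValue(int index, String entityName, int value) {
        if (index == Limit.ENTITY_EXPANSION_LIMIT.ordinal()
                || index == Limit.MAX_OCCUR_NODE_LIMIT.ordinal()
                || index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal()
                || index == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()
                || index == Limit.ENTITY_REPLACEMENT_LIMIT.ordinal()) {
            // Cumulative limits: only the running total is meaningful.
            totalValue[index] += value;
            return;
        }

        if (index == Limit.MAX_ELEMENT_DEPTH_LIMIT.ordinal()
                || index == Limit.MAX_NAME_LIMIT.ordinal()) {
            // Point-in-time limits: the latest reported value is the value.
            values[index] = value;
            totalValue[index] = value;
            return;
        }

        // Per-entity limits: accumulate per entity name and keep the max.
        Map<String, Integer> cache = caches[index];
        if (cache == null) {
            cache = new HashMap<>(10);
            caches[index] = cache;
        }

        // Single lookup instead of containsKey + get; values are never null.
        final Integer previous = cache.get(entityName);
        final int accumulatedValue = (previous == null) ? value : value + previous;
        cache.put(entityName, accumulatedValue);

        if (accumulatedValue > values[index]) {
            values[index] = accumulatedValue;
            names[index] = entityName;
        }

        if (index == Limit.GENERAL_ENTITY_SIZE_LIMIT.ordinal()
                || index == Limit.PARAMETER_ENTITY_SIZE_LIMIT.ordinal()) {
            totalValue[Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()] += value;
        }
    }

    /**
     * Return the value of the current max count for the specified property.
     *
     * @param limit the property
     * @return the value of the property
     */
    public int getValue(Limit limit) {
        return getValue(limit.ordinal());
    }

    /**
     * Return the current value by the index of the property.
     * <p>
     * For {@link Limit#ENTITY_REPLACEMENT_LIMIT} the accumulated total is
     * returned, since that limit has no per-entity max; every other index
     * returns the current max.
     *
     * @param index the index of the property (a {@link Limit} ordinal)
     * @return the value of the property
     * @throws ArrayIndexOutOfBoundsException if {@code index} is not a valid
     *         {@link Limit} ordinal
     */
    public int getValue(int index) {
        if (index == Limit.ENTITY_REPLACEMENT_LIMIT.ordinal()) {
            return totalValue[index];
        }
        return values[index];
    }

    /**
     * Return the total value accumulated so far.
     *
     * @param limit the property
     * @return the accumulated value of the property
     */
    public int getTotalValue(Limit limit) {
        return totalValue[limit.ordinal()];
    }

    /**
     * Return the total value accumulated so far by the index of the property.
     *
     * @param index the index of the property (a {@link Limit} ordinal)
     * @return the accumulated value of the property
     * @throws ArrayIndexOutOfBoundsException if {@code index} is not a valid
     *         {@link Limit} ordinal
     */
    public int getTotalValue(int index) {
        return totalValue[index];
    }

    /**
     * Return the current max value (count or length) by the index of a property.
     * Unlike {@link #getValue(int)} this never falls back to the total.
     *
     * @param index the index of a property (a {@link Limit} ordinal)
     * @return count of a property
     * @throws ArrayIndexOutOfBoundsException if {@code index} is not a valid
     *         {@link Limit} ordinal
     */
    public int getValueByIndex(int index) {
        return values[index];
    }

    /**
     * Start tracking the named entity. Only one entity is tracked at a time;
     * a new call replaces the previous name.
     *
     * @param name the name of the entity
     */
    public void startEntity(String name) {
        entityStart = name;
    }

    /**
     * Report whether the named entity is the one currently being tracked.
     *
     * @param name the name of an entity
     * @return {@code true} if {@code name} equals the tracked entity's name;
     *         {@code false} if nothing has been tracked yet
     */
    public boolean isTracking(String name) {
        return entityStart != null && entityStart.equals(name);
    }

    /**
     * Stop tracking the entity.
     * <p>
     * The tracked name is cleared to the empty string (not {@code null}) and
     * the entity's per-name accumulation for {@code limit} is dropped, so a
     * later reference to the same entity starts accumulating from zero.
     *
     * @param limit the limit property
     * @param name the name of an entity
     */
    public void endEntity(Limit limit, String name) {
        entityStart = "";
        final Map<String, Integer> cache = caches[limit.ordinal()];
        if (cache != null) {
            cache.remove(name);
        }
    }

    /**
     * Resets the current value of the specified limit.
     * <p>
     * Only {@link Limit#TOTAL_ENTITY_SIZE_LIMIT} (total only) and
     * {@link Limit#GENERAL_ENTITY_SIZE_LIMIT} (max, name, per-entity cache
     * and total) are reset; for any other limit this is a no-op.
     *
     * @param limit The limit to be reset.
     */
    public void reset(Limit limit) {
        final int index = limit.ordinal();
        if (index == Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()) {
            totalValue[index] = 0;
        } else if (index == Limit.GENERAL_ENTITY_SIZE_LIMIT.ordinal()) {
            names[index] = null;
            values[index] = 0;
            caches[index] = null;
            totalValue[index] = 0;
        }
    }

    /**
     * Print one line per limit to standard output: the configured limit from
     * {@code securityManager}, the accumulated total, the current max and
     * the entity name that produced it ({@code null} if none).
     * <p>
     * Uses {@link String#format} rather than allocating an unclosed
     * {@link java.util.Formatter} per line; the output is identical.
     *
     * @param securityManager the manager whose configured limits are shown
     */
    public void debugPrint(XMLSecurityManager securityManager) {
        System.out.println(String.format("%30s %15s %15s %15s %30s",
                "Property", "Limit", "Total size", "Size", "Entity Name"));
        for (Limit limit : Limit.values()) {
            final int index = limit.ordinal();
            System.out.println(String.format("%30s %15d %15d %15d %30s",
                    limit.name(),
                    securityManager.getLimit(limit),
                    totalValue[index],
                    values[index],
                    names[index]));
        }
    }
}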