blob: 6939817f6ebad91fc45d25916c9941cbd786fd9f [file]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.commons.xml;
import static org.apache.commons.xml.AttackTestSupport.LEAKED_MARKER;
import static org.apache.commons.xml.AttackTestSupport.resourceUrl;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assumptions.assumeTrue;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;
/**
* Checks that a hardened {@link SAXParserFactory} performing JAXP 1.2 XSD validation does not fetch an external schema named by an
* {@code xsi:noNamespaceSchemaLocation} hint in the instance document.
*
* <p>This is the SAX counterpart of {@link SchemaLocationDomTest}. The instance is empty {@code <root/>}; the referenced schema declares a default {@code leak}
* attribute carrying {@link AttackTestSupport#LEAKED_MARKER}. A parser that fetches the schema augments the element's attributes with that default (the
* permissive control observes it in {@link DefaultHandler#startElement}), while a hardened parser refuses the fetch and fails the parse. The attribution differs
* by implementation (the stock JDK reports an {@code accessExternalSchema} / {@code schema_reference} error; external Xerces' deny-all resolver reports a
* forbidden-fetch error), so the test only asserts the fetch was blocked, not how.</p>
*
* <p>The test runs only where the implementation supports JAXP 1.2 schema-language XSD validation (the stock JDK and external Xerces do; Android does not), so it
* skips on parsers without it.</p>
*/
@Tag("sax")
class SchemaLocationSaxTest {
/** Captures the root element's schema-defaulted {@code leak} attribute, the SAX-visible signal that the external schema was fetched. */
private static final class LeakCapturingHandler extends DefaultHandler {
private String leak;
@Override
public void startElement(final String uri, final String localName, final String qName, final Attributes attributes) {
if ("root".equals(localName) || "root".equals(qName)) {
leak = attributes.getValue("leak");
}
}
}
/** JAXP 1.2 property selecting the schema language used by {@link SAXParserFactory#setValidating(boolean)}. */
private static final String SCHEMA_LANGUAGE = "http://java.sun.com/xml/jaxp/properties/schemaLanguage";
private static final String INSTANCE = "schema-location-instance.xml";
/** Name of the external schema the instance points at; both block mechanisms name it in the failure message. */
private static final String SCHEMA = "schema-location.xsd";
@Test
void hardenedBlocksExternalSchemaFetch() throws Exception {
assumeTrue(supportsSchemaLanguage(), "parser does not support JAXP 1.2 schema-language XSD validation");
final SAXParser parser = newValidatingParser(XmlFactories.newSAXParserFactory());
// The schemaLocation fetch is denied and surfaced as an error rather than a silent fetch. The attribution is implementation-specific, so assert only
// that the failure names the external schema, not the mechanism (accessExternalSchema on the JDK, the deny-all resolver on external Xerces).
final SAXException thrown = assertThrows(SAXException.class, () -> parse(parser, new DefaultHandler()));
assertTrue(thrown.getMessage() != null && thrown.getMessage().contains(SCHEMA),
"Block must reference the external schema, got: " + thrown.getMessage());
}
@Test
void unconfiguredFetchesExternalSchema() throws Exception {
assumeTrue(supportsSchemaLanguage(), "parser does not support JAXP 1.2 schema-language XSD validation");
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
final SAXParser parser = newValidatingParser(factory);
// Positive control: without hardening the external schema is fetched and its default attribute is augmented onto the root element.
final LeakCapturingHandler handler = new LeakCapturingHandler();
parse(parser, handler);
assertEquals(LEAKED_MARKER, handler.leak,
"Permissive parse should have fetched the external schema and augmented its default attribute onto the element.");
}
private static SAXParser newValidatingParser(final SAXParserFactory factory) throws Exception {
factory.setNamespaceAware(true);
factory.setValidating(true);
final SAXParser parser = factory.newSAXParser();
parser.setProperty(SCHEMA_LANGUAGE, XMLConstants.W3C_XML_SCHEMA_NS_URI);
return parser;
}
private static void parse(final SAXParser parser, final DefaultHandler handler) throws Exception {
// Drive the XMLReader directly rather than SAXParser.parse(InputSource, DefaultHandler): the latter calls reader.setEntityResolver(handler), which would
// clobber the hardened deny-all resolver that external Xerces relies on to block the schemaLocation fetch. Reuse AttackTestSupport's shared strict
// reporter as the error handler so a blocked fetch surfaces as a thrown exception rather than a silent recovery.
final XMLReader reader = parser.getXMLReader();
reader.setContentHandler(handler);
AttackTestSupport.strictXMLReader(reader);
reader.parse(new InputSource(resourceUrl(INSTANCE).toString()));
}
private static boolean supportsSchemaLanguage() {
try {
final SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(true);
factory.newSAXParser().setProperty(SCHEMA_LANGUAGE, XMLConstants.W3C_XML_SCHEMA_NS_URI);
return true;
} catch (final Exception e) {
return false;
}
}
}