8270504: Better Xpath expression handling

Reviewed-by: andrew
Backport-of: b61a2ca626b1da5e555c50e548b643a2daa396c6

Author: Yuri Nesterenko

src/java.xml/share/classes/com/sun/java_cup/internal/runtime/lr_parser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 
 package com.sun.java_cup.internal.runtime;
 
+import com.sun.org.apache.xalan.internal.xsltc.compiler.sym;
+import java.util.Arrays;
 import java.util.Stack;
 
 /** This class implements a skeleton table driven LR parser.  In general,
@@ -134,9 +136,19 @@
  * @see     com.sun.java_cup.internal.runtime.Symbol
  * @see     com.sun.java_cup.internal.runtime.virtual_parse_stack
  * @author  Frank Flannery
+ *
+ * @LastModified: Jan 2022
  */
 
 public abstract class lr_parser {
+    public static final int ID_GROUP = 1;
+    public static final int ID_OPERATOR = 2;
+    public static final int ID_TOTAL_OPERATOR = 3;
+
+    private boolean isLiteral = false;
+    private int grpCount = 0;
+    private int opCount = 0;
+    private int totalOpCount = 0;
 
   /*-----------------------------------------------------------*/
   /*--- Constructor(s) ----------------------------------------*/
@@ -355,8 +367,29 @@ public void user_init() throws java.lang.Exception { }
    *  the "scan with" clause.  Do not recycle objects; every call to
    *  scan() should return a fresh object.
    */
-  public Symbol scan() throws java.lang.Exception {
-    return getScanner().next_token();
+  public Symbol scan() throws Exception {
+      Symbol s = getScanner().next_token();
+
+      if (s.sym == sym.LPAREN) {
+          if (!isLiteral) {
+            grpCount++;
+          }
+          opCount++; // function
+          isLiteral = false;
+      } else if (contains(sym.OPERATORS, s.sym)) {
+          opCount++;
+          isLiteral = false;
+      }
+
+      if (s.sym == sym.Literal || s.sym == sym.QNAME) {
+          isLiteral = true;
+      }
+
+    return s;
+  }
+
+  private boolean contains(final int[] arr, final int key) {
+    return Arrays.stream(arr).anyMatch(i -> i == key);
   }
 
   /*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/
@@ -552,6 +585,9 @@ public Symbol parse() throws java.lang.Exception
 
       /* do user initialization */
       user_init();
+      isLiteral = false;
+      grpCount = 0;
+      opCount = 0;
 
       /* get the first token */
       cur_token = scan();
@@ -630,9 +666,29 @@ else if (act == 0)
                 }
             }
         }
+
+      totalOpCount += opCount;
       return lhs_sym;
     }
 
+    /**
+     * Returns the count of operators in XPath expressions.
+     *
+     * @param id the ID of the count
+     * @return the count associated with the ID
+     */
+    public int getCount(int id) {
+        switch (id) {
+            case ID_GROUP:
+                return grpCount;
+            case ID_OPERATOR:
+                return opCount;
+            case ID_TOTAL_OPERATOR:
+                return totalOpCount;
+        }
+        return 0;
+    }
+
   /*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/
 
   /** Write a debugging message to System.err for the debugging version

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -22,7 +22,6 @@
 
 import com.sun.java_cup.internal.runtime.Symbol;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
-import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodType;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
@@ -46,6 +45,7 @@
 import jdk.xml.internal.JdkXmlFeatures;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.SecuritySupport;
+import jdk.xml.internal.XMLSecurityManager;
 import org.xml.sax.Attributes;
 import org.xml.sax.ContentHandler;
 import org.xml.sax.InputSource;
@@ -62,7 +62,7 @@
  * @author G. Todd Miller
  * @author Morten Jorgensen
  * @author Erwin Bolwidt <[email protected]>
- * @LastModified: May 2021
+ * @LastModified: Jan 2022
  */
 public class Parser implements Constants, ContentHandler {
 
@@ -504,8 +504,10 @@ public SyntaxTreeNode parse(InputSource input) {
                 XMLSecurityManager securityManager =
                         (XMLSecurityManager)_xsltc.getProperty(JdkConstants.SECURITY_MANAGER);
                 for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
-                    lastProperty = limit.apiProperty();
-                    reader.setProperty(lastProperty, securityManager.getLimitValueAsString(limit));
+                    if (limit.isSupported(XMLSecurityManager.Processor.PARSER)) {
+                        lastProperty = limit.apiProperty();
+                        reader.setProperty(lastProperty, securityManager.getLimitValueAsString(limit));
+                    }
                 }
                 if (securityManager.printEntityCountInfo()) {
                     lastProperty = JdkConstants.JDK_DEBUG_LIMIT;
@@ -1169,6 +1171,9 @@ private SyntaxTreeNode parseTopLevel(SyntaxTreeNode parent, String text,
                                             expression, parent));
         }
         catch (Exception e) {
+            if (ErrorMsg.XPATH_LIMIT.equals(e.getMessage())) {
+                throw new RuntimeException(ErrorMsg.XPATH_LIMIT);
+            }
             if (_xsltc.debug()) e.printStackTrace();
             reportError(ERROR, new ErrorMsg(ErrorMsg.XPATH_PARSER_ERR,
                                             expression, parent));

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/XPathParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,14 +34,21 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Stack;
+import jdk.xml.internal.JdkConstants;
+import jdk.xml.internal.XMLLimitAnalyzer;
+import jdk.xml.internal.XMLSecurityManager;
+import jdk.xml.internal.XMLSecurityManager.Limit;
 
 /**
  * CUP v0.11b generated parser.
  * This class was generated by CUP v0.11b on Nov 12, 2019.
  *
- * @LastModified: Nov 2019
+ * @LastModified: Jan 2022
  */
 public class XPathParser extends lr_parser {
+    private int grpLimit = 0;
+    private int opLimit = 0;
+    private int totalOpLimit = 0;
 
     /**
      * Default constructor.
@@ -953,10 +960,19 @@ public int error_sym() {
      */
     public SymbolTable _symbolTable;
 
+    private XMLSecurityManager _xmlSM;
+    private XMLLimitAnalyzer _limitAnalyzer = null;
+
     public XPathParser(Parser parser) {
         _parser = parser;
         _xsltc = parser.getXSLTC();
         _symbolTable = parser.getSymbolTable();
+        _xmlSM = (XMLSecurityManager)_xsltc.getProperty(JdkConstants.SECURITY_MANAGER);
+        _limitAnalyzer = new XMLLimitAnalyzer();
+        // no limits if _xmlSM is null
+        grpLimit = (_xmlSM != null) ? _xmlSM.getLimit(Limit.XPATH_GROUP_LIMIT) : 0;
+        opLimit = (_xmlSM != null) ? _xmlSM.getLimit(Limit.XPATH_OP_LIMIT) : 0;
+        totalOpLimit = (_xmlSM != null) ? _xmlSM.getLimit(Limit.XPATH_TOTALOP_LIMIT) : 0;
     }
 
     public int getLineNumber() {
@@ -1101,7 +1117,32 @@ public Symbol parse(String expression, int lineNumber) throws Exception {
         try {
             _expression = expression;
             _lineNumber = lineNumber;
-            return super.parse();
+            Symbol s = super.parse();
+            int grpCount = getCount(ID_GROUP);
+            int opCount = getCount(ID_OPERATOR);
+            int totalOpCount = getCount(ID_TOTAL_OPERATOR);
+
+            String errCode = null;
+            Object[] params = null;
+            if (grpLimit > 0 && grpCount > grpLimit) {
+                errCode = ErrorMsg.XPATH_GROUP_LIMIT;
+                params = new Object[]{grpCount, grpLimit,
+                    _xmlSM.getStateLiteral(Limit.XPATH_GROUP_LIMIT)};
+            } else if (opLimit > 0 && opCount > opLimit) {
+                errCode = ErrorMsg.XPATH_OPERATOR_LIMIT;
+                params = new Object[]{opCount, opLimit,
+                    _xmlSM.getStateLiteral(Limit.XPATH_OP_LIMIT)};
+            } else if (totalOpLimit > 0 && totalOpCount > totalOpLimit) {
+                errCode = ErrorMsg.XPATH_TOTAL_OPERATOR_LIMIT;
+                params = new Object[]{totalOpCount, totalOpLimit,
+                    _xmlSM.getStateLiteral(Limit.XPATH_TOTALOP_LIMIT)};
+            }
+            if (errCode != null) {
+                _parser.reportError(Constants.FATAL,
+                        new ErrorMsg(errCode, lineNumber, params));
+                throw new RuntimeException(ErrorMsg.XPATH_LIMIT);
+            }
+            return s;
         } catch (IllegalCharException e) {
             ErrorMsg err = new ErrorMsg(ErrorMsg.ILLEGAL_CHAR_ERR,
                     lineNumber, e.getMessage());

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -21,7 +21,6 @@
 package com.sun.org.apache.xalan.internal.xsltc.compiler;
 
 import com.sun.org.apache.bcel.internal.classfile.JavaClass;
-import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Util;
 import com.sun.org.apache.xml.internal.dtm.DTM;
@@ -47,8 +46,8 @@
 import javax.xml.catalog.CatalogFeatures;
 import jdk.xml.internal.JdkConstants;
 import jdk.xml.internal.JdkXmlFeatures;
-import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.SecuritySupport;
+import jdk.xml.internal.XMLSecurityManager;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
@@ -58,7 +57,7 @@
  * @author G. Todd Miller
  * @author Morten Jorgensen
  * @author John Howard ([email protected])
- * @LastModified: May 2021
+ * @LastModified: Jan 2022
  */
 public final class XSLTC {
 
@@ -505,7 +504,10 @@ else if (systemId != null && !systemId.equals("")) {
             }
         }
         catch (Exception e) {
-            /*if (_debug)*/ e.printStackTrace();
+            if (_debug) e.printStackTrace();
+            if (ErrorMsg.XPATH_LIMIT.equals(e.getMessage())) {
+                return !_parser.errorsFound();
+            }
             _parser.reportError(Constants.FATAL, new ErrorMsg(ErrorMsg.JAXP_COMPILE_ERR, e));
         }
         catch (Error e) {

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/sym.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,9 +25,13 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.compiler;
 
+import java.util.Arrays;
+
 /**
  * CUP generated class containing symbol constants.
  * This class was generated by CUP v0.10j on Fri Feb 27 13:01:50 PST 2004.
+ *
+ * @LastModified: Jan 2022
  */
 public class sym {
   /* terminals */
@@ -85,4 +89,12 @@ public class sym {
   public static final int ATTRIBUTE = 41;
   public static final int GT = 19;
   public static final int NODE = 31;
+  /*
+    AXES: count once at DCOLON,
+          these axes names are therefore not counted:
+            NAMESPACE, FOLLOWINGSIBLING, CHILD, DESCENDANTORSELF, DESCENDANT
+          , PRECEDINGSIBLING, SELF, ANCESTORORSELF, PRECEDING, ANCESTOROR, PARENT, FOLLOWING, ATTRIBUTE
+  */
+  public static final int[] OPERATORS = {GE, SLASH, ATSIGN, LPAREN, DCOLON,
+      MINUS, STAR, LT, OR, DIV, PLUS, LE, VBAR, MOD, EQ, LBRACK, DOLLAR, NE, GT};
 }

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/compiler/util/ErrorMessages.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2022, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -24,6 +24,7 @@
 
 /**
  * @author Morten Jorgensen
+ * @LastModified: Jan 2022
  */
 public class ErrorMessages extends ListResourceBundle {
 
@@ -1027,12 +1028,22 @@ public Object[][] getContents()
          "smaller templates."
         },
 
-         {ErrorMsg.DESERIALIZE_TRANSLET_ERR, "When Java security is enabled, " +
-                        "support for deserializing TemplatesImpl is disabled." +
-                        "This can be overridden by setting the jdk.xml.enableTemplatesImplDeserialization" +
-                        " system property to true."}
-
-    };
+        {ErrorMsg.DESERIALIZE_TRANSLET_ERR, "When Java security is enabled, "
+              + "support for deserializing TemplatesImpl is disabled. This can be "
+              + "overridden by setting the jdk.xml.enableTemplatesImplDeserialization"
+              + " system property to true."},
+
+        {ErrorMsg.XPATH_GROUP_LIMIT,
+            "JAXP0801001: the compiler encountered an XPath expression containing "
+              + "''{0}'' groups that exceeds the ''{1}'' limit set by ''{2}''."},
+
+        {ErrorMsg.XPATH_OPERATOR_LIMIT,
+            "JAXP0801002: the compiler encountered an XPath expression containing "
+              + "''{0}'' operators that exceeds the ''{1}'' limit set by ''{2}''."},
+        {ErrorMsg.XPATH_TOTAL_OPERATOR_LIMIT,
+            "JAXP0801003: the compiler encountered XPath expressions with an accumulated "
+              + "''{0}'' operators that exceeds the ''{1}'' limit set by ''{2}''."},
+      };
 
     }
 }