use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.
the class AnalyzerHolder method getAnalyzer.
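/**
 * Borrows an analyzer from the XML or JSON pool and configures it for threat analysis.
 *
 * <p>The configuration registered under {@code policyId} is used when present; otherwise the
 * global entry ("GLOBAL-XML" or "GLOBAL-JSON") is used. The configuration is resolved before an
 * analyzer is borrowed, so a missing configuration does not take an analyzer out of the pool
 * without handing it to anyone.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>A {@code null} result means the payload was NOT matched to a configured analyzer
 *       (unsupported content type, no configuration, or a pool failure). The caller has to
 *       decide explicitly whether such a request is rejected or forwarded unanalyzed.</li>
 *   <li>The content type is compared as a whole string, ignoring case. A header value that
 *       carries parameters (for example a charset suffix) does not match unless the caller
 *       strips them first. NOTE(review): confirm the caller normalizes the header.</li>
 * </ul>
 *
 * @param contentType Content-Type of the payload
 * @param policyId key of the per-API configuration in ConfigurationHolder
 * @return an APIMThreatAnalyzer for the content type, or {@code null} if none could be provided
 */
public static APIMThreatAnalyzer getAnalyzer(String contentType, String policyId) {
    APIMThreatAnalyzer analyzer = null;
    if (T_TEXT_XML.equalsIgnoreCase(contentType) || T_APPLICATION_XML.equalsIgnoreCase(contentType)) {
        try {
            // Resolve the per-API configuration first, then fall back to the global one.
            XMLConfig xmlConfig = ConfigurationHolder.getXmlConfig(policyId);
            if (xmlConfig == null) {
                xmlConfig = ConfigurationHolder.getXmlConfig("GLOBAL-XML");
            }
            if (xmlConfig == null) {
                // Nothing has been borrowed yet, so there is nothing to hand back to the pool.
                return null;
            }
            analyzer = xmlAnalyzerAnalyzerPool.borrowObject();
            // NOTE(review): if configure() throws, the analyzer is still returned below with
            // whatever configuration it carried before; confirm that is acceptable.
            analyzer.configure(xmlConfig);
        } catch (Exception e) {
            // Pass the exception itself so the stack trace reaches the log.
            logger.error("Threat Protection: Failed to create XMLAnalyzer, " + e.getMessage(), e);
        }
    } else if (T_TEXT_JSON.equalsIgnoreCase(contentType) || T_APPLICATION_JSON.equalsIgnoreCase(contentType)) {
        try {
            // Resolve the per-API configuration first, then fall back to the global one.
            JSONConfig jsonConfig = ConfigurationHolder.getJsonConfig(policyId);
            if (jsonConfig == null) {
                jsonConfig = ConfigurationHolder.getJsonConfig("GLOBAL-JSON");
            }
            if (jsonConfig == null) {
                // Nothing has been borrowed yet, so there is nothing to hand back to the pool.
                return null;
            }
            analyzer = jsonAnalyzerAnalyzerPool.borrowObject();
            // NOTE(review): same caveat as the XML branch if configure() throws.
            analyzer.configure(jsonConfig);
        } catch (Exception e) {
            // Pass the exception itself so the stack trace reaches the log.
            logger.error("Threat Protection: Failed to create JSONAnalyzer, " + e.getMessage(), e);
        }
    }
    return analyzer;
}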
use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.
the class ConfigureXmlAnalyzer method execute.
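/**
 * Applies an XML threat protection policy event to the ConfigurationHolder.
 *
 * <p>Add and update events build an XMLConfig from the struct fields and store it under the
 * policy id; delete events remove the stored entry; any other event is logged and ignored.
 * Numeric limits are saturated to the {@code int} range instead of being narrowed with a plain
 * cast, so an out-of-range value cannot wrap around into a different limit.
 *
 * <p>Security notes: the DTD and external-entity switches are taken from the policy as
 * supplied. Enabling either one widens what the XML parser will process, so policies that turn
 * them on deserve review. NOTE(review): the limits are not checked for being positive here;
 * confirm how XMLConfig or the analyzer treats zero or negative values.
 *
 * @param context invocation context carrying the event name (string argument 0) and the policy
 *                struct (reference argument 0)
 * @return a single {@code true} value in every case, including unknown events and a missing
 *         struct, so the result does not tell the caller whether anything was applied
 */
@Override
public BValue[] execute(Context context) {
    String event = getStringArgument(context, 0);
    BStruct xmlInfo = ((BStruct) getRefArgument(context, 0));
    if (xmlInfo != null) {
        String xmlPolicyId = xmlInfo.getStringField(0);
        switch (event) {
            case THREAT_PROTECTION_POLICY_ADD:
            case THREAT_PROTECTION_POLICY_UPDATE:
                XMLConfig xmlConfig = new XMLConfig();
                xmlConfig.setName(xmlInfo.getStringField(1));
                // Parser feature switches come straight from the policy.
                xmlConfig.setDtdEnabled(xmlInfo.getBooleanField(0) != 0);
                xmlConfig.setExternalEntitiesEnabled(xmlInfo.getBooleanField(1) != 0);
                // Structural limits, saturated rather than truncated.
                xmlConfig.setMaxDepth(saturateToInt(xmlInfo.getIntField(0)));
                xmlConfig.setMaxElementCount(saturateToInt(xmlInfo.getIntField(1)));
                xmlConfig.setMaxAttributeCount(saturateToInt(xmlInfo.getIntField(2)));
                xmlConfig.setMaxAttributeLength(saturateToInt(xmlInfo.getIntField(3)));
                xmlConfig.setEntityExpansionLimit(saturateToInt(xmlInfo.getIntField(4)));
                xmlConfig.setMaxChildrenPerElement(saturateToInt(xmlInfo.getIntField(5)));
                // put into ConfigurationHolder
                ConfigurationHolder.addXmlConfig(xmlPolicyId, xmlConfig);
                break;
            case THREAT_PROTECTION_POLICY_DELETE:
                ConfigurationHolder.removeXmlConfig(xmlPolicyId);
                break;
            default:
                log.warn("Unknown event type for XML Threat Protection Policy. Event: " + event);
                break;
        }
    }
    return getBValues(new BBoolean(true));
}

/** Narrows a policy limit to {@code int}, clamping at the int bounds instead of wrapping. */
private static int saturateToInt(long value) {
    if (value > Integer.MAX_VALUE) {
        return Integer.MAX_VALUE;
    }
    if (value < Integer.MIN_VALUE) {
        return Integer.MIN_VALUE;
    }
    return (int) value;
}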
use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.
the class XMLAnalyzerTestCase method init.
/**
 * Builds the restrictive baseline configuration shared by the test methods: DTDs and external
 * entities are switched off and every structural limit is set to a small value.
 */
@BeforeTest
public void init() {
    XMLConfig baseline = new XMLConfig();

    // Parser features that widen the attack surface stay off by default.
    baseline.setDtdEnabled(false);
    baseline.setExternalEntitiesEnabled(false);

    // Document shape limits.
    baseline.setMaxDepth(5);
    baseline.setMaxElementCount(5);
    baseline.setMaxChildrenPerElement(5);

    // Attribute limits.
    baseline.setMaxAttributeCount(1);
    baseline.setMaxAttributeLength(1);

    // Entity expansion limit.
    baseline.setEntityExpansionLimit(5);

    xmlConfig = baseline;
}
use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.
the class XMLAnalyzerTestCase method testMaxAttributeCount.
/**
 * Expects the analyzer to reject an element that carries more attributes than the baseline
 * configuration allows (limit 1, payload has 7 on one element).
 *
 * <p>NOTE(review): the baseline also sets the attribute length limit to 1 and the first
 * attribute value in the payload is longer than that, so the expected exception may come from
 * the length check rather than the count check. Confirm which limit fires, or relax the length
 * limit here so the test isolates the attribute count.
 */
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testMaxAttributeCount() throws Exception {
    init();

    XMLAnalyzer xmlAnalyzer = new XMLAnalyzer();
    xmlAnalyzer.configure(xmlConfig);

    // Seven attributes on <root>.
    String payload = "<a><root aaaaaaaaaa='aaaaaaa' b='b' c='c' d='d' e='e' f='f' g='g'></root></a>";
    xmlAnalyzer.analyze(payload, "/foo");
}
use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.
the class XMLAnalyzerTestCase method testMaxEntityExpansionLimit.
/**
 * Expects the analyzer to reject a document whose nested entity definitions expand far beyond
 * the configured entity expansion limit.
 *
 * <p>DTD processing is switched on for this test so that rejection has to come from the
 * expansion limit (raised to 100 here) and not from the DTD being refused outright. The payload
 * defines nine entity levels, each referencing the previous level ten times.
 */
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testMaxEntityExpansionLimit() throws Exception {
    init();

    // Allow DTDs, and rely on the expansion limit alone to stop the document.
    xmlConfig.setDtdEnabled(true);
    xmlConfig.setEntityExpansionLimit(100);

    String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE lolz [\n"
            + " <!ENTITY lol \"lol\">\n"
            + " <!ELEMENT lolz (#PCDATA)>\n"
            + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
            + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
            + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
            + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n"
            + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n"
            + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n"
            + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n"
            + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n"
            + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n"
            + "]>\n"
            + "<lolz>&lol9;</lolz>";

    XMLAnalyzer xmlAnalyzer = new XMLAnalyzer();
    xmlAnalyzer.configure(xmlConfig);
    xmlAnalyzer.analyze(payload, "/foo");
}