
Example 1 with XMLConfig

use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.

the class AnalyzerHolder method getAnalyzer.

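/**
 * Borrows an analyzer from the matching pool (XML or JSON) and configures it with
 * the threat-protection policy of the given API before handing it out.
 *
 * <p>The per-API configuration is looked up first; when there is none, the global
 * fallback ("GLOBAL-XML" / "GLOBAL-JSON") is used. The lookup happens before the
 * pool is touched, so a missing policy does not take an object out of the pool.
 * Pooled analyzers are reused across requests, so an analyzer whose
 * {@code configure} call fails is never handed out: it could still carry the
 * limits of a previously configured policy and the payload would then be
 * analyzed under the wrong policy.
 *
 * @param contentType Content-Type of the payload; text/xml, application/xml,
 *                    text/json and application/json are handled (compared
 *                    case-insensitively, {@code null} counts as unhandled)
 * @param policyId ID of the API whose threat-protection policy applies
 * @return a configured APIMThreatAnalyzer, or {@code null} when the content type
 *         is not handled, neither a per-API nor a global configuration exists, or
 *         borrowing/configuring the analyzer failed (the failure is logged)
 */
public static APIMThreatAnalyzer getAnalyzer(String contentType, String policyId) {
    if (T_TEXT_XML.equalsIgnoreCase(contentType) || T_APPLICATION_XML.equalsIgnoreCase(contentType)) {
        try {
            XMLConfig xmlConfig = resolveXmlConfig(policyId);
            if (xmlConfig == null) {
                return null;
            }
            APIMThreatAnalyzer analyzer = xmlAnalyzerAnalyzerPool.borrowObject();
            analyzer.configure(xmlConfig);
            return analyzer;
        } catch (Exception e) {
            // borrowObject() declares a checked Exception, hence the broad catch; pass the
            // exception itself so the stack trace is not lost in the log.
            logger.error("Threat Protection: Failed to create XMLAnalyzer, " + e.getMessage(), e);
            // NOTE(review): when configure() fails after a successful borrow, the analyzer is
            // not handed back to the pool here and stays checked out — confirm against the pool API.
            return null;
        }
    }
    if (T_TEXT_JSON.equalsIgnoreCase(contentType) || T_APPLICATION_JSON.equalsIgnoreCase(contentType)) {
        try {
            JSONConfig jsonConfig = resolveJsonConfig(policyId);
            if (jsonConfig == null) {
                return null;
            }
            APIMThreatAnalyzer analyzer = jsonAnalyzerAnalyzerPool.borrowObject();
            analyzer.configure(jsonConfig);
            return analyzer;
        } catch (Exception e) {
            // Same handling as the XML branch: log with cause, never return an unconfigured analyzer.
            logger.error("Threat Protection: Failed to create JSONAnalyzer, " + e.getMessage(), e);
            // NOTE(review): as above, a borrowed-but-unconfigured analyzer is not returned to the pool.
            return null;
        }
    }
    // Content types other than XML/JSON are not analyzed.
    return null;
}

/**
 * Returns the XML threat-protection configuration of the given API, falling back to
 * the global "GLOBAL-XML" configuration.
 *
 * @param policyId ID of the API
 * @return the per-API or global XMLConfig, or {@code null} when neither exists
 */
private static XMLConfig resolveXmlConfig(String policyId) {
    XMLConfig xmlConfig = ConfigurationHolder.getXmlConfig(policyId);
    if (xmlConfig == null) {
        xmlConfig = ConfigurationHolder.getXmlConfig("GLOBAL-XML");
    }
    return xmlConfig;
}

/**
 * Returns the JSON threat-protection configuration of the given API, falling back to
 * the global "GLOBAL-JSON" configuration.
 *
 * @param policyId ID of the API
 * @return the per-API or global JSONConfig, or {@code null} when neither exists
 */
private static JSONConfig resolveJsonConfig(String policyId) {
    JSONConfig jsonConfig = ConfigurationHolder.getJsonConfig(policyId);
    if (jsonConfig == null) {
        jsonConfig = ConfigurationHolder.getJsonConfig("GLOBAL-JSON");
    }
    return jsonConfig;
}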

Example 2 with XMLConfig

use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.

the class ConfigureXmlAnalyzer method execute.

/**
 * Handles an XML threat-protection policy lifecycle event coming from the
 * Ballerina side.
 *
 * <p>Argument 0 (string) is the event type; ref argument 0 is the policy struct.
 * On add/update the struct's fields are copied into a fresh XMLConfig that is
 * registered in ConfigurationHolder under the policy id; on delete the policy
 * is removed; any other event is only logged. A {@code null} struct is ignored.
 *
 * @param context Ballerina native-function context carrying the arguments
 * @return a single BBoolean {@code true}, regardless of the event handled
 */
@Override
public BValue[] execute(Context context) {
    String event = getStringArgument(context, 0);
    BStruct xmlInfo = (BStruct) getRefArgument(context, 0);
    if (xmlInfo == null) {
        return getBValues(new BBoolean(true));
    }
    String xmlPolicyId = xmlInfo.getStringField(0);
    switch (event) {
        case THREAT_PROTECTION_POLICY_ADD:
        case THREAT_PROTECTION_POLICY_UPDATE:
            // Add and update are the same operation: (re)register the policy config.
            ConfigurationHolder.addXmlConfig(xmlPolicyId, toXmlConfig(xmlInfo));
            break;
        case THREAT_PROTECTION_POLICY_DELETE:
            ConfigurationHolder.removeXmlConfig(xmlPolicyId);
            break;
        default:
            log.warn("Unknown event type for XML Threat Protection Policy. Event: " + event);
            break;
    }
    return getBValues(new BBoolean(true));
}

/**
 * Builds an XMLConfig from the policy struct.
 *
 * <p>Field positions follow the struct layout used by the Ballerina policy
 * definition: string 1 is the name, booleans 0/1 are the DTD and external-entity
 * flags (non-zero means enabled), ints 0..5 are depth, element count, attribute
 * count, attribute length, entity-expansion limit and children per element.
 *
 * @param xmlInfo policy struct (non-null)
 * @return a new XMLConfig populated from the struct
 */
private static XMLConfig toXmlConfig(BStruct xmlInfo) {
    XMLConfig config = new XMLConfig();
    config.setName(xmlInfo.getStringField(1));
    config.setDtdEnabled(xmlInfo.getBooleanField(0) != 0);
    config.setExternalEntitiesEnabled(xmlInfo.getBooleanField(1) != 0);
    config.setMaxDepth((int) xmlInfo.getIntField(0));
    config.setMaxElementCount((int) xmlInfo.getIntField(1));
    config.setMaxAttributeCount((int) xmlInfo.getIntField(2));
    config.setMaxAttributeLength((int) xmlInfo.getIntField(3));
    config.setEntityExpansionLimit((int) xmlInfo.getIntField(4));
    config.setMaxChildrenPerElement((int) xmlInfo.getIntField(5));
    return config;
}

Example 3 with XMLConfig

use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.

the class XMLAnalyzerTestCase method init.

/**
 * Creates the baseline XMLConfig shared by the test methods: very tight limits so
 * that small payloads trip each check, with DTD processing and external entities
 * switched off. Test methods also call this explicitly, because some of them
 * loosen individual limits on the shared instance.
 */
@BeforeTest
public void init() {
    xmlConfig = new XMLConfig();
    // Same field order as the policy definition, to make the limits easy to compare.
    xmlConfig.setDtdEnabled(false);
    xmlConfig.setExternalEntitiesEnabled(false);
    xmlConfig.setMaxDepth(5);
    xmlConfig.setMaxElementCount(5);
    xmlConfig.setMaxAttributeCount(1);
    xmlConfig.setMaxAttributeLength(1);
    xmlConfig.setEntityExpansionLimit(5);
    xmlConfig.setMaxChildrenPerElement(5);
}

Example 4 with XMLConfig

use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.

the class XMLAnalyzerTestCase method testMaxAttributeCount.

/**
 * An element carrying seven attributes must be rejected with an
 * APIMThreatAnalyzerException under the baseline config (max one attribute per
 * element). Note that the first attribute also exceeds the attribute-length limit
 * of 1, so either check may be the one that fires.
 *
 * @throws Exception the expected APIMThreatAnalyzerException
 */
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testMaxAttributeCount() throws Exception {
    init();
    XMLAnalyzer xmlAnalyzer = new XMLAnalyzer();
    xmlAnalyzer.configure(xmlConfig);
    String payload = "<a><root aaaaaaaaaa='aaaaaaa' b='b' c='c' d='d' e='e' f='f' g='g'></root></a>";
    xmlAnalyzer.analyze(payload, "/foo");
}

Example 5 with XMLConfig

use of org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig in project carbon-apimgt by wso2.

the class XMLAnalyzerTestCase method testMaxEntityExpansionLimit.

/**
 * A document whose nested entity declarations expand &amp;lol9; into 10^9 copies
 * of the base entity must be rejected with an APIMThreatAnalyzerException.
 * DTD processing is enabled on the baseline config so the declarations are
 * actually parsed, and the expansion limit is raised to 100 to show that the
 * check trips on the expansion count rather than on the mere presence of a DTD.
 *
 * @throws Exception the expected APIMThreatAnalyzerException
 */
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testMaxEntityExpansionLimit() throws Exception {
    init();
    String payload = "<?xml version=\"1.0\"?>\n" + "<!DOCTYPE lolz [\n" + " <!ENTITY lol \"lol\">\n" + " <!ELEMENT lolz (#PCDATA)>\n" + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" + "]>\n" + "<lolz>&lol9;</lolz>";
    // Loosen the shared baseline: the DTD must be processed for the test to be meaningful.
    xmlConfig.setEntityExpansionLimit(100);
    xmlConfig.setDtdEnabled(true);
    XMLAnalyzer xmlAnalyzer = new XMLAnalyzer();
    xmlAnalyzer.configure(xmlConfig);
    xmlAnalyzer.analyze(payload, "/foo");
}
