Example 1 with XMLConfig
use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.XMLConfig in project carbon-apimgt by wso2.
the class AnalyzerHolder method getAnalyzer.
/**
* Borrows an object from pools (xml or json) for threat analysis
*
* @param contentType Content-Type of the payload
* @param policyId ID of the API
* @return Instance of APIMThreatAnalyzer based on content type
*/
public static APIMThreatAnalyzer getAnalyzer(String contentType, String policyId) {
APIMThreatAnalyzer analyzer = null;
if (T_TEXT_XML.equalsIgnoreCase(contentType) || T_APPLICATION_XML.equalsIgnoreCase(contentType)) {
try {
analyzer = xmlAnalyzerAnalyzerPool.borrowObject();
// configure per api
XMLConfig xmlConfig = ConfigurationHolder.getXmlConfig(policyId);
if (xmlConfig == null) {
xmlConfig = ConfigurationHolder.getXmlConfig("GLOBAL-XML");
}
if (xmlConfig == null) {
return null;
}
analyzer.configure(xmlConfig);
} catch (Exception e) {
logger.error("Threat Protection: Failed to create XMLAnalyzer, " + e.getMessage());
}
} else if (T_TEXT_JSON.equalsIgnoreCase(contentType) || T_APPLICATION_JSON.equalsIgnoreCase(contentType)) {
try {
analyzer = jsonAnalyzerAnalyzerPool.borrowObject();
// configure per api
JSONConfig jsonConfig = ConfigurationHolder.getJsonConfig(policyId);
if (jsonConfig == null) {
jsonConfig = ConfigurationHolder.getJsonConfig("GLOBAL-JSON");
}
if (jsonConfig == null) {
return null;
}
analyzer.configure(jsonConfig);
} catch (Exception e) {
logger.error("Threat Protection: Failed to create JSONAnalyzer, " + e.getMessage());
}
}
return analyzer;
}
Also used :
XMLConfig(org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig)
JSONConfig(org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.JSONConfig)
APIMThreatAnalyzer(org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.APIMThreatAnalyzer)
Example 2 with XMLConfig
use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.XMLConfig in project carbon-apimgt by wso2.
the class ConfigureXmlAnalyzer method execute.
@Override
public BValue[] execute(Context context) {
String event = getStringArgument(context, 0);
BStruct xmlInfo = ((BStruct) getRefArgument(context, 0));
if (xmlInfo != null) {
String xmlPolicyId = xmlInfo.getStringField(0);
switch(event) {
case THREAT_PROTECTION_POLICY_ADD:
case THREAT_PROTECTION_POLICY_UPDATE:
String name = xmlInfo.getStringField(1);
boolean dtdEnabled = xmlInfo.getBooleanField(0) != 0;
boolean externalEntitiesEnabled = xmlInfo.getBooleanField(1) != 0;
int maxXMLDepth = (int) xmlInfo.getIntField(0);
int elementCount = (int) xmlInfo.getIntField(1);
int attributeCount = (int) xmlInfo.getIntField(2);
int attributeLength = (int) xmlInfo.getIntField(3);
int entityExpansionLimit = (int) xmlInfo.getIntField(4);
int childrenPerElement = (int) xmlInfo.getIntField(5);
XMLConfig xmlConfig = new XMLConfig();
xmlConfig.setName(name);
xmlConfig.setDtdEnabled(dtdEnabled);
xmlConfig.setExternalEntitiesEnabled(externalEntitiesEnabled);
xmlConfig.setMaxDepth(maxXMLDepth);
xmlConfig.setMaxElementCount(elementCount);
xmlConfig.setMaxAttributeCount(attributeCount);
xmlConfig.setMaxAttributeLength(attributeLength);
xmlConfig.setEntityExpansionLimit(entityExpansionLimit);
xmlConfig.setMaxChildrenPerElement(childrenPerElement);
// put into ConfigurationHolder
ConfigurationHolder.addXmlConfig(xmlPolicyId, xmlConfig);
break;
case THREAT_PROTECTION_POLICY_DELETE:
ConfigurationHolder.removeXmlConfig(xmlPolicyId);
break;
default:
log.warn("Unknown event type for XML Threat Protection Policy. Event: " + event);
break;
}
}
return getBValues(new BBoolean(true));
}Example 3 with XMLConfig
use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.XMLConfig in project carbon-apimgt by wso2.
the class XMLAnalyzerTestCase method init.
@BeforeTest
public void init() {
xmlConfig = new XMLConfig();
xmlConfig.setMaxAttributeCount(1);
xmlConfig.setMaxChildrenPerElement(5);
xmlConfig.setEntityExpansionLimit(5);
xmlConfig.setMaxAttributeLength(1);
xmlConfig.setMaxElementCount(5);
xmlConfig.setMaxDepth(5);
xmlConfig.setDtdEnabled(false);
xmlConfig.setExternalEntitiesEnabled(false);
}
Also used :
XMLConfig(org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig)
BeforeTest(org.testng.annotations.BeforeTest)
Example 4 with XMLConfig
use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.XMLConfig in project carbon-apimgt by wso2.
the class XMLAnalyzerTestCase method testMaxAttributeCount.
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testMaxAttributeCount() throws Exception {
init();
String xmlString = "<a><root aaaaaaaaaa='aaaaaaa' b='b' c='c' d='d' e='e' f='f' g='g'></root></a>";
XMLAnalyzer analyzer = new XMLAnalyzer();
analyzer.configure(xmlConfig);
analyzer.analyze(xmlString, "/foo");
}
Also used :
XMLAnalyzer(org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.XMLAnalyzer)
BeforeTest(org.testng.annotations.BeforeTest)
Test(org.testng.annotations.Test)
Example 5 with XMLConfig
use of org.wso2.carbon.apimgt.gateway.threatprotection.configuration.XMLConfig in project carbon-apimgt by wso2.
the class XMLAnalyzerTestCase method testMaxEntityExpansionLimit.
@Test(expectedExceptions = APIMThreatAnalyzerException.class)
public void testMaxEntityExpansionLimit() throws Exception {
init();
XMLAnalyzer analyzer = new XMLAnalyzer();
xmlConfig.setEntityExpansionLimit(100);
xmlConfig.setDtdEnabled(true);
analyzer.configure(xmlConfig);
String xmlString = "<?xml version=\"1.0\"?>\n" + "<!DOCTYPE lolz [\n" + " <!ENTITY lol \"lol\">\n" + " <!ELEMENT lolz (#PCDATA)>\n" + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">\n" + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">\n" + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">\n" + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">\n" + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">\n" + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">\n" + "]>\n" + "<lolz>&lol9;</lolz>";
analyzer.analyze(xmlString, "/foo");
}
Also used :
XMLAnalyzer(org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.XMLAnalyzer)
BeforeTest(org.testng.annotations.BeforeTest)
Test(org.testng.annotations.Test)
Aggregations
BeforeTest (org.testng.annotations.BeforeTest)7
Test (org.testng.annotations.Test)7
XMLAnalyzer (org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.XMLAnalyzer)6
XMLConfig (org.wso2.carbon.apimgt.gateway.threatprotection.configuration.XMLConfig)5
XMLConfig (org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.XMLConfig)4
APIMThreatAnalyzer (org.wso2.carbon.apimgt.gateway.threatprotection.analyzer.APIMThreatAnalyzer)2
BufferedInputStream (java.io.BufferedInputStream)1
IOException (java.io.IOException)1
InputStream (java.io.InputStream)1
XMLStreamException (javax.xml.stream.XMLStreamException)1
Axis2MessageContext (org.apache.synapse.core.axis2.Axis2MessageContext)1
BBoolean (org.ballerinalang.model.values.BBoolean)1
BStruct (org.ballerinalang.model.values.BStruct)1
Before (org.junit.Before)1
Test (org.junit.Test)1
PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)1
APIMThreatAnalyzer (org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.APIMThreatAnalyzer)1
JSONAnalyzer (org.wso2.carbon.apimgt.ballerina.threatprotection.analyzer.JSONAnalyzer)1
JSONConfig (org.wso2.carbon.apimgt.ballerina.threatprotection.configurations.JSONConfig)1
APIMThreatAnalyzerException (org.wso2.carbon.apimgt.gateway.threatprotection.APIMThreatAnalyzerException)1
