JDK-8354085

Streamline XPath API's extension function control


    • CSR
    • Resolution: Approved
    • P4
    • 25
    • xml
    • None
    • behavioral
    • minimal
      The behavior change is as follows:
          Before this change, if FEATURE_SECURE_PROCESSING (FSP) is turned on, the XPath processor throws XPathExpressionException when it encounters an extension function, regardless of whether an XPathFunctionResolver is provided. After this change, the exception is no longer thrown when an XPathFunctionResolver is provided.

         This situation is unlikely to occur at runtime, since if a resolver is provided, developers have to turn off FSP in order for it to work. Since FSP is off by default as of this change, they may also leave it as is. In both cases, the proposed change does not affect application code.

         Since FSP's default setting is false as of this proposed change, the common usage pattern is to set the resolver without changing FSP. This pattern will continue to work without interruption after this change.
    • System or security property
    • SE

      Summary

      Streamline the extension function control in the XPath API by relying solely on XPathFunctionResolver, which provides a secure and developer-defined mechanism. Remove FEATURE_SECURE_PROCESSING and the jdk.xml.enableExtensionFunctions property from the decision path, since both are redundant with regard to XPath extension functions.

      Problem

      The JAXP API defines FEATURE_SECURE_PROCESSING (FSP) and the JDK defines the jdk.xml.enableExtensionFunctions property to regulate the use of extension functions across both the XSLT and XPath APIs. While these controls are appropriate and necessary for XSLT, where extension functions may directly invoke arbitrary Java methods and potentially execute untrusted code, they are redundant and misaligned with the design and security model of the XPath API.

      The XPath API does not allow automatic method calls on Java classes by name. Instead, developers must explicitly register a custom implementation using XPathFunctionResolver. This mechanism is under the full control of the application developer and cannot be exploited without deliberate action within the application code.

      As a result, applying security restrictions like FEATURE_SECURE_PROCESSING (FSP) and jdk.xml.enableExtensionFunctions to XPath extension functions introduces unnecessary complexity and confusion, and potentially blocks legitimate and secure use cases. For example, setting FSP would cause XPath to throw XPathExpressionException even though a resolver is already registered. This is confusing: turning off FSP would be insecure, but it has to be done in order for the resolver to work.

      Solution

      The FEATURE_SECURE_PROCESSING (FSP) and jdk.xml.enableExtensionFunctions property will no longer apply to XPath extension functions. The settings of this feature and property will no longer affect XPath behavior in terms of extension functions. The XPath API will continue to rely on its current XPathFunctionResolver for resolving extension functions.

      FSP will continue to apply to the limits set in the XPath API. Its default value will be changed to true, aligning with other components in JAXP. This change does not affect the actual behavior, since the default limits on XPath operations already comply with FSP set to true.

      The jdk.xml.enableExtensionFunctions property is revised to only affect the Transform API. The default value was changed to false via JDK-8343001.

      After this change, the XPath API design will continue to be secure by default with regard to extension functions, since it requires a custom resolver to activate any extension function. There is no implicit or automatic exposure of Java methods or external logic. The use of a resolver ensures that all extension functions are controlled within the application codebase.

      There will no longer be redundant controls that lead to unnecessary configuration complexity.

      Note: this change applies only to the XPath API. XSLT's use of extension functions is not affected. FSP and jdk.xml.enableExtensionFunctions property continue to control whether extension functions are allowed in the Transform API.
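
      The resolver-only control described above, as an added example (not code from the CSR or the JDK). The namespace `urn:example:ext`, the `ext` prefix, the `upper` function and the input document are constructed for illustration. On a JDK without this change, the first evaluation is also reported as rejected because FSP is on, which is the behavior the Problem section describes.

```java
import java.io.StringReader;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.xml.sax.InputSource;

public class XPathResolverDemo {
    static final String NS = "urn:example:ext";        // constructed namespace
    static final String XML = "<user name='alice'/>";  // constructed input

    static XPath newXPath() throws Exception {
        XPathFactory factory = XPathFactory.newInstance();
        // FSP stays on: it still governs XPath limits, not extension functions.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XPath xpath = factory.newXPath();
        xpath.setNamespaceContext(new NamespaceContext() {
            public String getNamespaceURI(String p) { return "ext".equals(p) ? NS : XMLConstants.NULL_NS_URI; }
            public String getPrefix(String uri) { return NS.equals(uri) ? "ext" : null; }
            public Iterator<String> getPrefixes(String uri) {
                return NS.equals(uri) ? List.of("ext").iterator() : List.<String>of().iterator();
            }
        });
        // Allowlist resolver: only ext:upper with one argument maps to code.
        xpath.setXPathFunctionResolver((name, arity) -> {
            if (NS.equals(name.getNamespaceURI()) && "upper".equals(name.getLocalPart()) && arity == 1) {
                return fnArgs -> String.valueOf(fnArgs.get(0)).toUpperCase(Locale.ROOT);
            }
            return null; // any other name or arity stays unresolved
        });
        return xpath;
    }

    static String eval(XPath xpath, String expr) {
        try {
            return xpath.evaluate(expr, new InputSource(new StringReader(XML)));
        } catch (XPathExpressionException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        XPath xpath = newXPath();
        System.out.println(eval(xpath, "ext:upper(string(/user/@name))")); // registered function
        System.out.println(eval(xpath, "ext:lookup('x')"));                // not on the allowlist
    }
}
```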

      Specification

      FEATURE_SECURE_PROCESSING (FSP)

      FEATURE_SECURE_PROCESSING (FSP) is a general purpose feature for enabling secure processing. It does not define specific security requirements but allows implementations to determine and enforce appropriate security measures. No change to the specification.

      jdk.xml.enableExtensionFunctions

      Description: determines whether extension functions in the Transform API are to be allowed. The extension functions in the XPath API are not affected by this property.

      Default Value: false

      Supported Processors: "XPath" is removed from the supported processors.

      These changes are reflected in the module summary shown below.

      diff --git a/src/java.xml/share/classes/module-info.java b/src/java.xml/share/classes/module-info.java
      index a12fd3e8f45..63ae5c66283 100644
      --- a/src/java.xml/share/classes/module-info.java
      +++ b/src/java.xml/share/classes/module-info.java
      @@ -880,7 +880,6 @@
        * </tr>
        * <tr>
        * <td id="ExtFunc">{@systemProperty jdk.xml.enableExtensionFunctions}</td>
      - * <td>Determines if XSLT and XPath extension functions are to be allowed.
      + * <td>Determines whether extension functions in the Transform API are to be allowed.
      + * The extension functions in the XPath API are not affected by this property.
        * </td>
        * <td style="text-align:center" rowspan="5">yes</td>
        * <td style="text-align:center" rowspan="3">Boolean</td>
        * <td>
        * true or false. True indicates that extension functions are allowed; False otherwise.
        * </td>
      - * <td style="text-align:center">true</td>
      + * <td style="text-align:center">false</td>
        * <td style="text-align:center">false</td>
        * <td style="text-align:center">Yes</td>
        * <td style="text-align:center">
        *     <a href="#Transform">Transform</a><br>
      - *     <a href="#XPATH">XPath</a>
        * </td>
        * <td style="text-align:center"><a href="#Processor">Method 2</a></td>
        * <td style="text-align:center">8</td>
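
      Review bot: In the supported-processors cell, deleting the `<a href="#XPATH">XPath</a>` line leaves the `<br>` at the end of the preceding Transform line with nothing after it; remove that trailing `<br>` as well. The hunk header `@@ -880,7 +880,6 @@` also does not match the body shown, which carries 19 old and 19 new lines, so the patch should be regenerated before it is applied. Since the new description says XPath extension functions are "not affected by this property", consider naming XPathFunctionResolver in that sentence so readers can see what does control them.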

            joehw Joe Wang
            Naoto Sato, Roger Riggs