8356294: Enhance Path Factories

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java

@@ -22,7 +22,6 @@ package com.sun.org.apache.xerces.internal.jaxp;
 
 import com.sun.org.apache.xerces.internal.parsers.DOMParser;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import java.util.HashMap;
 import java.util.Map;
@@ -32,6 +31,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.validation.Schema;
 import jdk.xml.internal.JdkProperty;
+import jdk.xml.internal.XMLSecurityManager;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.SAXNotSupportedException;
@@ -39,7 +39,7 @@ import org.xml.sax.SAXNotSupportedException;
 /**
  * @author Rajiv Mordani
  * @author Edwin Goei
- * @LastModified: Mar 2023
+ * @LastModified: June 2025
  */
 public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     /** These are DocumentBuilderFactory attributes not DOM attributes */
@@ -54,8 +54,26 @@ public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     private boolean fSecureProcess = true;
 
     // used to verify attributes
-    XMLSecurityManager fSecurityManager = new XMLSecurityManager(true);
-    XMLSecurityPropertyManager fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+    XMLSecurityManager fSecurityManager;
+    XMLSecurityPropertyManager fSecurityPropertyMgr;
+
+    /**
+     * Creates a new {@code DocumentBuilderFactory} instance.
+     */
+    public DocumentBuilderFactoryImpl() {
+        this(null, null);
+    }
+
+    /**
+     * Creates a new {@code DocumentBuilderFactory} instance with a {@code XMLSecurityManager}
+     * and {@code XMLSecurityPropertyManager}.
+     * @param xsm the {@code XMLSecurityManager}
+     * @param xspm the {@code XMLSecurityPropertyManager}
+     */
+    public DocumentBuilderFactoryImpl(XMLSecurityManager xsm, XMLSecurityPropertyManager xspm) {
+        fSecurityManager = (xsm == null) ? new XMLSecurityManager(true) : xsm;
+        fSecurityPropertyMgr = (xspm == null) ? new XMLSecurityPropertyManager() : xspm;
+    }
 
     /**
      * Creates a new instance of a {@link javax.xml.parsers.DocumentBuilder}

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java

@@ -21,6 +21,7 @@
 package com.sun.org.apache.xpath.internal.jaxp;
 
 import com.sun.org.apache.xalan.internal.res.XSLMessages;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xpath.internal.res.XPATHErrorResources;
 import javax.xml.XMLConstants;
 import javax.xml.xpath.XPathFactory;
@@ -37,7 +38,7 @@ import jdk.xml.internal.XMLSecurityManager;
  *
  * @author  Ramesh Mandava
  *
- * @LastModified: Jan 2022
+ * @LastModified: June 2025
  */
 public  class XPathFactoryImpl extends XPathFactory {
 
@@ -74,6 +75,7 @@ public  class XPathFactoryImpl extends XPathFactory {
          * The XML security manager
          */
         private XMLSecurityManager _xmlSecMgr;
+        private XMLSecurityPropertyManager _xmlSecPropMgr;
 
         /**
          * javax.xml.xpath.XPathFactory implementation.
@@ -86,6 +88,7 @@ public  class XPathFactoryImpl extends XPathFactory {
             }
             _featureManager = new JdkXmlFeatures(!_isNotSecureProcessing);
             _xmlSecMgr = new XMLSecurityManager(true);
+            _xmlSecPropMgr = new XMLSecurityPropertyManager();
         }
 
         /**
@@ -135,7 +138,7 @@ public  class XPathFactoryImpl extends XPathFactory {
          */
         public javax.xml.xpath.XPath newXPath() {
             return new XPathImpl(xPathVariableResolver, xPathFunctionResolver,
-                    !_isNotSecureProcessing, _featureManager, _xmlSecMgr);
+                    !_isNotSecureProcessing, _featureManager, _xmlSecMgr, _xmlSecPropMgr);
         }
 
         /**
@@ -189,6 +192,7 @@ public  class XPathFactoryImpl extends XPathFactory {
                 if (value && _featureManager != null) {
                     _featureManager.setFeature(JdkXmlFeatures.XmlFeature.ENABLE_EXTENSION_FUNCTION,
                             JdkProperty.State.FSP, false);
+                    _xmlSecMgr.setSecureProcessing(value);
                 }
 
                 // all done processing feature
@@ -348,6 +352,10 @@ public  class XPathFactoryImpl extends XPathFactory {
                 _xmlSecMgr.setLimit(name, JdkProperty.State.APIPROPERTY, value)) {
             return;
         }
+        if (_xmlSecPropMgr != null && _xmlSecPropMgr.find(name) != null &&
+                _xmlSecPropMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
+            return;
+        }
 
         // property name not recognized
         String fmsg = XSLMessages.createXPATHMessage(

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImpl.java

@@ -20,6 +20,7 @@
 
 package com.sun.org.apache.xpath.internal.jaxp;
 
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xml.internal.utils.WrappedRuntimeException;
 import com.sun.org.apache.xpath.internal.*;
 import com.sun.org.apache.xpath.internal.objects.XObject;
@@ -48,7 +49,7 @@ import org.xml.sax.InputSource;
  * New methods: evaluateExpression
  * Refactored to share code with XPathExpressionImpl.
  *
- * @LastModified: May 2022
+ * @LastModified: June 2025
  */
 public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath {
 
@@ -58,12 +59,13 @@ public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath {
     private NamespaceContext namespaceContext=null;
 
     XPathImpl(XPathVariableResolver vr, XPathFunctionResolver fr) {
-        this(vr, fr, false, new JdkXmlFeatures(false), new XMLSecurityManager(true));
+        this(vr, fr, false, new JdkXmlFeatures(false), new XMLSecurityManager(true),
+                new XMLSecurityPropertyManager());
     }
 
     XPathImpl(XPathVariableResolver vr, XPathFunctionResolver fr,
             boolean featureSecureProcessing, JdkXmlFeatures featureManager,
-            XMLSecurityManager xmlSecMgr) {
+            XMLSecurityManager xmlSecMgr, XMLSecurityPropertyManager xmlSecPropMgr) {
         this.origVariableResolver = this.variableResolver = vr;
         this.origFunctionResolver = this.functionResolver = fr;
         this.featureSecureProcessing = featureSecureProcessing;
@@ -71,6 +73,7 @@ public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath {
         overrideDefaultParser = featureManager.getFeature(
                 JdkXmlFeatures.XmlFeature.JDK_OVERRIDE_PARSER);
         this.xmlSecMgr = xmlSecMgr;
+        this.xmlSecPropMgr = xmlSecPropMgr;
     }
 
 

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java

@@ -30,7 +30,9 @@ import com.sun.org.apache.xml.internal.dtm.DTM;
 import com.sun.org.apache.xpath.internal.axes.LocPathIterator;
 import com.sun.org.apache.xpath.internal.objects.XObject;
 import com.sun.org.apache.xpath.internal.res.XPATHErrorResources;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import java.io.IOException;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -54,7 +56,7 @@ import org.xml.sax.SAXException;
  * This class contains several utility methods used by XPathImpl and
  * XPathExpressionImpl
  *
- * @LastModified: Jan 2022
+ * @LastModified: June 2025
  */
 class XPathImplUtil {
     XPathFunctionResolver functionResolver;
@@ -67,6 +69,7 @@ class XPathImplUtil {
     boolean featureSecureProcessing = false;
     JdkXmlFeatures featureManager;
     XMLSecurityManager xmlSecMgr;
+    XMLSecurityPropertyManager xmlSecPropMgr;
 
     /**
      * Evaluate an XPath context using the internal XPath engine
@@ -129,7 +132,12 @@ class XPathImplUtil {
             //
             // so we really have to create a fresh DocumentBuilder every time we need one
             // - KK
-            DocumentBuilderFactory dbf = JdkXmlUtils.getDOMFactory(overrideDefaultParser);
+            DocumentBuilderFactory dbf = JdkXmlUtils.getDOMFactory(
+                    overrideDefaultParser, xmlSecMgr, xmlSecPropMgr);
+            if (xmlSecMgr != null && xmlSecMgr.isSecureProcessingSet()) {
+                dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+                        xmlSecMgr.isSecureProcessing());
+            }
             return dbf.newDocumentBuilder().parse(source);
         } catch (ParserConfigurationException | SAXException | IOException e) {
             throw new XPathExpressionException (e);

src/java.xml/share/classes/jdk/xml/internal/JdkXmlUtils.java

@@ -29,6 +29,7 @@ import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl;
 import com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
 import javax.xml.XMLConstants;
@@ -312,6 +313,21 @@ public class JdkXmlUtils {
      */
     @SuppressWarnings("removal")
     public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser) {
+        return getDOMFactory(overrideDefaultParser, null, null);
+    }
+
+    /**
+     * {@return a DocumentBuilderFactory instance}
+     *
+     * @param overrideDefaultParser a flag indicating whether the system-default
+     * implementation may be overridden. If the system property of the
+     * DOM factory ID is set, override is always allowed.
+     * @param xsm XMLSecurityManager
+     * @param xspm XMLSecurityPropertyManager
+     */
+    @SuppressWarnings("removal")
+    public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser,
+            XMLSecurityManager xsm, XMLSecurityPropertyManager xspm) {
         boolean override = overrideDefaultParser;
         String spDOMFactory = SecuritySupport.getJAXPSystemProperty(DOM_FACTORY_ID);
 
@@ -320,7 +336,7 @@ public class JdkXmlUtils {
         }
         DocumentBuilderFactory dbf
                 = !override
-                        ? new DocumentBuilderFactoryImpl()
+                        ? new DocumentBuilderFactoryImpl(xsm, xspm)
                         : DocumentBuilderFactory.newInstance();
         dbf.setNamespaceAware(true);
         // false is the default setting. This step here is for compatibility

src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java

@@ -191,6 +191,12 @@ public final class XMLSecurityManager {
      */
     boolean secureProcessing;
 
+    /**
+     * Flag indicating the secure processing is set explicitly through factories'
+     * setFeature method and then the setSecureProcessing method
+     */
+    boolean secureProcessingSet;
+
     /**
      * States that determine if properties are set explicitly
      */
@@ -238,6 +244,7 @@ public final class XMLSecurityManager {
      * Setting FEATURE_SECURE_PROCESSING explicitly
      */
     public void setSecureProcessing(boolean secure) {
+        secureProcessingSet = true;
         secureProcessing = secure;
         for (Limit limit : Limit.values()) {
             if (secure) {
@@ -256,6 +263,15 @@ public final class XMLSecurityManager {
         return secureProcessing;
     }
 
+    /**
+     * Returns the state indicating whether the Secure Processing is set explicitly,
+     * via factories' setFeature and then this class' setSecureProcessing method.
+     * @return the state indicating whether the Secure Processing is set explicitly
+     */
+    public boolean isSecureProcessingSet() {
+        return secureProcessingSet;
+    }
+
     /**
      * Finds a limit's new name with the given property name.
      * @param propertyName the property name specified