Recent JDK updates break the XML/ITS filter (or possibly anything that uses xpath)...

[jimbo]

The new JDK updates or April 19th set hard limits on the number of nodes in an xpath expression. We now get these errors:

net.sf.okapi.common.exceptions.OkapiException: javax.xml.xpath.XPathExpressionException: 
javax.xml.transform.TransformerException: 
JAXP0801002: the compiler encountered an XPath expression containing '101' operators that exceeds the '100' limit set by 'FEATURE_SECURE_PROCESSING'.

We will need to override the new restrictions. But where can we do this globally?

Here are the update notes from the JDK:

New Features
xml/jaxp
➜ New XML Processing Limits
Three processing limits have been added. These are:

jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

Supported processors

jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

All three limits are supported by the XSLT processor.

Setting properties

For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,

        System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
or in the jaxp.properties file,

        jdk.xml.xpathExprGrpLimit=20
 

There are two known issues:

An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.

[Yves]

Hi Jim.
I'm running into those limitations as well.
Looking forward to see what solution you end-up with.

-ys

[jimbo]

Hi Yves,

I made a commit directly to dev as the changes were small. I experimented and the best way to enable unlimited operators for both xpath and xslt factories, without disabling other security features is using these lines:

          // set xpath node limits to unlimited
        // recent JDK releases (4/2022) set a hard limit for increased security
        System.setProperty("jdk.xml.xpathExprGrpLimit", "0");
        System.setProperty("jdk.xml.xpathExprOpLimit", "0");
        System.setProperty("jdk.xml.xpathTotalOpLimit", "0");

Jim

--
You received this message because you are subscribed to the Google Groups "okapi-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to okapi-devel...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/okapi-devel/0dadd261-dc6b-4f4e-ad0e-d3f4e718eae5n%40googlegroups.com.