rxerces 0.6.1 → 0.7.0

data/spec/xpath_spec.rb

@@ -28,6 +28,7 @@ RSpec.describe "XPath support" do
   end
 
   let(:doc) { RXerces::XML::Document.parse(xml) }
+  let(:xalan_installed) { have_library('xalan-c') }
 
   describe "Document XPath queries" do
     it "finds all book elements" do
@@ -108,8 +109,28 @@ RSpec.describe "XPath support" do
     it "raises error for invalid XPath" do
       expect {
         doc.xpath('//[invalid')
+      }.to raise_error(ArgumentError, /XPath expression has unbalanced/)
+    end
+
+    it "raises error for malformed XPath expressions" do
+      expect {
+        doc.xpath('///')
+      }.to raise_error(RuntimeError, /XPath error/)
+    end
+
+    it "raises error for XPath with unsupported features" do
+      skip "Xalan installed, skipping" if xalan_installed
+      expect {
+        doc.xpath('//book[substring-before(@category, "c")]')
       }.to raise_error(RuntimeError, /XPath error/)
     end
+
+    it "handles very long XPath expressions" do
+      skip "Xalan installed, skipping" if xalan_installed
+      long_xpath = '/' + ('child::' * 100) + 'library'
+      result = doc.xpath(long_xpath)
+      expect(result).to be_a(RXerces::XML::NodeSet)
+    end
   end
 
   describe "Nokogiri compatibility" do
@@ -141,24 +162,7 @@ RSpec.describe "XPath support" do
     end
   end
 
-  describe "XPath 1.0 compliance with Xalan" do
-    # Check if Xalan support is compiled in
-    xalan_available = begin
-      # Try a feature that only works with Xalan (attribute predicates)
-      test_xml = '<root><item id="1">A</item><item id="2">B</item></root>'
-      test_doc = RXerces::XML::Document.parse(test_xml)
-      result = test_doc.xpath('//item[@id="1"]')
-      result.length == 1
-    rescue
-      false
-    end
-
-    before(:all) do
-      unless xalan_available
-        skip "Xalan-C not available - XPath 1.0 features require Xalan-C library"
-      end
-    end
-
+  describe "XPath 1.0 compliance with Xalan", xalan: true do
     describe "Attribute predicates" do
       it "finds elements by attribute value" do
         book = doc.xpath('//book[@id="1"]')
@@ -395,4 +399,288 @@ RSpec.describe "XPath support" do
       end
     end
   end
+
+  describe "XPath Injection Prevention" do
+    let(:simple_xml) do
+      <<-XML
+        <users>
+          <user id="1">
+            <name>Alice</name>
+            <password>secret123</password>
+          </user>
+          <user id="2">
+            <name>Bob</name>
+            <password>admin456</password>
+          </user>
+        </users>
+      XML
+    end
+
+    let(:doc) { RXerces::XML::Document.parse(simple_xml) }
+
+    describe "validates empty XPath expressions" do
+      it "rejects empty string" do
+        expect {
+          doc.xpath('')
+        }.to raise_error(ArgumentError, /cannot be empty/)
+      end
+    end
+
+    describe "validates quote balancing" do
+      it "rejects unbalanced single quotes" do
+        expect {
+          doc.xpath("//user[text()='Alice]")
+        }.to raise_error(ArgumentError, /unbalanced quotes/)
+      end
+
+      it "rejects unbalanced double quotes" do
+        expect {
+          doc.xpath('//user[text()="Alice]')
+        }.to raise_error(ArgumentError, /unbalanced quotes/)
+      end
+
+      it "allows properly balanced quotes" do
+        expect {
+          doc.xpath("//user")
+        }.not_to raise_error
+      end
+
+      it "allows mixed balanced quotes" do
+        expect {
+          doc.xpath('//user')
+        }.not_to raise_error
+      end
+    end
+
+    describe "prevents XPath injection attacks" do
+      it "rejects OR-based injection with numeric equality" do
+        expect {
+          doc.xpath("//user[@name='Alice' or 1=1]")
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+
+      it "rejects OR-based injection with string equality" do
+        expect {
+          doc.xpath("//user[@name='Alice' or 'a'='a']")
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+
+      it "rejects OR-based injection with double quotes" do
+        expect {
+          doc.xpath('//user[@name="Alice" or "1"="1"]')
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+
+      it "rejects OR-based injection with true() function" do
+        expect {
+          doc.xpath("//user[@name='Alice' or true()]")
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+
+      it "rejects AND-based injection with false condition" do
+        expect {
+          doc.xpath("//user[@name='Alice' and 1=0]")
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+
+      it "rejects AND-based injection with false() function" do
+        expect {
+          doc.xpath("//user[@name='Alice' and false()]")
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+
+      it "is case-insensitive for injection patterns" do
+        expect {
+          doc.xpath("//user[@name='Alice' OR 1=1]")
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+    end
+
+    describe "prevents dangerous function calls" do
+      it "rejects document() function" do
+        expect {
+          doc.xpath("document('file.xml')//user")
+        }.to raise_error(ArgumentError, /dangerous function/)
+      end
+
+      it "rejects doc() function" do
+        expect {
+          doc.xpath("doc('file.xml')//user")
+        }.to raise_error(ArgumentError, /dangerous function/)
+      end
+
+      it "rejects collection() function" do
+        expect {
+          doc.xpath("collection('files')//user")
+        }.to raise_error(ArgumentError, /dangerous function/)
+      end
+
+      it "rejects unparsed-text() function" do
+        expect {
+          doc.xpath("unparsed-text('/etc/passwd')")
+        }.to raise_error(ArgumentError, /dangerous function/)
+      end
+
+      it "rejects system-property() function" do
+        expect {
+          doc.xpath("system-property('java.version')")
+        }.to raise_error(ArgumentError, /dangerous function/)
+      end
+
+      it "rejects environment-variable() function" do
+        expect {
+          doc.xpath("environment-variable('PATH')")
+        }.to raise_error(ArgumentError, /dangerous function/)
+      end
+    end
+
+    describe "prevents encoded character attacks" do
+      it "rejects numeric character references" do
+        expect {
+          doc.xpath("//user[@name='&#65;lice']")
+        }.to raise_error(ArgumentError, /encoded characters/)
+      end
+
+      it "rejects hexadecimal character references" do
+        expect {
+          doc.xpath("//user[@name='&#x41;lice']")
+        }.to raise_error(ArgumentError, /encoded characters/)
+      end
+
+      it "rejects double-encoded entity references" do
+        expect {
+          doc.xpath("//user[@name='&amp;#65;lice']")
+        }.to raise_error(ArgumentError, /encoded characters/)
+      end
+
+      it "allows legitimate ampersand usage in text" do
+        # Should not raise - legitimate use of & in string literals
+        xml = "<root><item name='Q&amp;A'>text</item></root>"
+        test_doc = RXerces::XML::Document.parse(xml)
+        expect { test_doc.xpath("//item") }.not_to raise_error
+      end
+    end
+
+    describe "prevents comment-based attacks" do
+      it "rejects XPath comments" do
+        expect {
+          doc.xpath("//user(: comment :)[@id='1']")
+        }.to raise_error(ArgumentError, /comment patterns/)
+      end
+
+      it "rejects partial comment syntax" do
+        expect {
+          doc.xpath("//user(:[@id='1']")
+        }.to raise_error(ArgumentError, /comment patterns/)
+      end
+    end
+
+    describe "prevents null byte injection" do
+      it "rejects expressions with null bytes" do
+        xpath_with_null = "//user" + "\x00" + "[@id='1']"
+        expect {
+          doc.xpath(xpath_with_null)
+        }.to raise_error(ArgumentError, /null byte/)
+      end
+    end
+
+    describe "prevents excessive nesting attacks (DoS)" do
+      it "rejects deeply nested brackets" do
+        nested = "//user" + ("[." * 101) + ("]" * 101)
+        expect {
+          doc.xpath(nested)
+        }.to raise_error(ArgumentError, /excessive nesting/)
+      end
+
+      it "rejects deeply nested parentheses" do
+        nested = "count(" * 101 + "//user" + ")" * 101
+        expect {
+          doc.xpath(nested)
+        }.to raise_error(ArgumentError, /excessive nesting/)
+      end
+
+      it "rejects unbalanced opening brackets" do
+        expect {
+          doc.xpath("//user[[[@id='1']")
+        }.to raise_error(ArgumentError, /unbalanced/)
+      end
+
+      it "rejects unbalanced closing brackets" do
+        expect {
+          doc.xpath("//user[@id='1']]")
+        }.to raise_error(ArgumentError, /unbalanced/)
+      end
+
+      it "rejects unbalanced parentheses" do
+        expect {
+          doc.xpath("count(//user")
+        }.to raise_error(ArgumentError, /unbalanced/)
+      end
+
+      it "allows reasonable nesting depth" do
+        nested = "//users/user/name"
+        expect {
+          doc.xpath(nested)
+        }.not_to raise_error
+      end
+    end
+
+    describe "prevents DoS via excessive length" do
+      it "rejects excessively long XPath expressions" do
+        # Create an expression over 10000 characters
+        long_part = "/user" * 2001  # Each part is ~5 chars, 2001*5 > 10000
+        long_xpath = "//users" + long_part
+        expect {
+          doc.xpath(long_xpath)
+        }.to raise_error(ArgumentError, /too long/)
+      end
+
+      it "allows reasonably long expressions" do
+        reasonable = "//users/user/name"
+        expect {
+          doc.xpath(reasonable)
+        }.not_to raise_error
+      end
+    end
+
+    describe "allows safe XPath expressions" do
+      it "allows simple path expressions" do
+        expect {
+          result = doc.xpath('//user')
+          expect(result.length).to eq(2)
+        }.not_to raise_error
+      end
+
+      it "allows descendant paths" do
+        expect {
+          result = doc.xpath('//name')
+          expect(result.length).to eq(2)
+        }.not_to raise_error
+      end
+
+      it "allows child paths" do
+        expect {
+          result = doc.xpath('/users/user')
+          expect(result.length).to eq(2)
+        }.not_to raise_error
+      end
+    end
+
+    describe "validates node XPath queries with injection prevention" do
+      it "prevents injection in node context" do
+        root = doc.root
+        expect {
+          root.xpath("//user[@name='Alice' or 1=1]")
+        }.to raise_error(ArgumentError, /suspicious injection pattern/)
+      end
+
+      it "allows safe node queries" do
+        root = doc.root
+        expect {
+          result = root.xpath('.//user')
+          expect(result.length).to eq(2)
+        }.not_to raise_error
+      end
+    end
+  end
 end

data/tmp/arm64-darwin24/rxerces/3.4.8/rxerces.bundle.dSYM/Contents/Info.plist

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>CFBundleDevelopmentRegion</key>
+		<string>English</string>
+		<key>CFBundleIdentifier</key>
+		<string>com.apple.xcode.dsym.rxerces.bundle</string>
+		<key>CFBundleInfoDictionaryVersion</key>
+		<string>6.0</string>
+		<key>CFBundlePackageType</key>
+		<string>dSYM</string>
+		<key>CFBundleSignature</key>
+		<string>????</string>
+		<key>CFBundleShortVersionString</key>
+		<string>1.0</string>
+		<key>CFBundleVersion</key>
+		<string>1</string>
+	</dict>
+</plist>

data/tmp/arm64-darwin24/rxerces/3.4.8/rxerces.bundle.dSYM/Contents/Resources/Relocations/aarch64/rxerces.bundle.yml

@@ -0,0 +1,5 @@
+---
+triple:          'arm64-apple-darwin'
+binary-path:     rxerces.bundle
+relocations:     []
+...

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rxerces
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.7.0
 platform: ruby
 authors:
 - Daniel J. Berger
@@ -78,6 +78,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: mkmf-lite
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.5
 description: |2
       A Ruby XML library with Nokogiri-compatible API, powered by Xerces-C
       instead of libxml2. It also optionally uses Xalan for Xpath 1.0 compliance.
@@ -99,12 +113,17 @@ files:
 - benchmarks/serialization_benchmark.rb
 - benchmarks/traversal_benchmark.rb
 - benchmarks/xpath_benchmark.rb
+- benchmarks/xpath_validation_cache_benchmark.rb
+- benchmarks/xpath_validation_micro_benchmark.rb
 - certs/djberg96_pub.pem
+- e
 - examples/basic_usage.rb
 - examples/schema_example.rb
 - examples/simple_example.rb
 - examples/xpath_example.rb
 - ext/rxerces/extconf.rb
+- ext/rxerces/rxerces.bundle.dSYM/Contents/Info.plist
+- ext/rxerces/rxerces.bundle.dSYM/Contents/Resources/Relocations/aarch64/rxerces.bundle.yml
 - ext/rxerces/rxerces.cpp
 - ext/rxerces/rxerces.h
 - lib/rxerces.rb
@@ -120,9 +139,10 @@ files:
 - spec/rxerces_spec.rb
 - spec/schema_spec.rb
 - spec/spec_helper.rb
+- spec/xpath_cache_spec.rb
 - spec/xpath_spec.rb
-- tmp/arm64-darwin24/rxerces/3.4.7/rxerces.bundle.dSYM/Contents/Info.plist
-- tmp/arm64-darwin24/rxerces/3.4.7/rxerces.bundle.dSYM/Contents/Resources/Relocations/aarch64/rxerces.bundle.yml
+- tmp/arm64-darwin24/rxerces/3.4.8/rxerces.bundle.dSYM/Contents/Info.plist
+- tmp/arm64-darwin24/rxerces/3.4.8/rxerces.bundle.dSYM/Contents/Resources/Relocations/aarch64/rxerces.bundle.yml
 homepage: http://github.com/djberg96/rxerces
 licenses:
 - MIT
@@ -150,7 +170,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Nokogiri-compatible XML library using Xerces-C
 test_files:
@@ -161,4 +181,5 @@ test_files:
 - spec/nokogiri_compatibility_spec.rb
 - spec/rxerces_spec.rb
 - spec/schema_spec.rb
+- spec/xpath_cache_spec.rb
 - spec/xpath_spec.rb