fix: Document#canonicalize raises exception for incompatible modes

flavorjones · flavorjones · commit 1cbf06d1ec62 · 2022-05-11T17:07:53.000-04:00
`Document#canonicalize` now raises an exception if
`inclusive_namespaces` is non-nil and the mode is inclusive,
i.e. XML_C14N_1_0 or XML_C14N_1_1.

`inclusive_namespaces` can only be passed with exclusive modes, and
previously this silently failed.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -38,6 +38,7 @@ This version of Nokogiri uses [`jar-dependencies`](https://github.com/mkristian/
 
 ### Improved
 
+* `Document#canonicalize` now raises an exception if `inclusive_namespaces` is non-nil and the mode is inclusive, i.e. XML_C14N_1_0 or XML_C14N_1_1. `inclusive_namespaces` can only be passed with exclusive modes, and previously this silently failed.
 * Compare `Encoding` objects rather than compare their names. This is a slight performance improvement and is future-proof. [[#2454](https://github.com/sparklemotion/nokogiri/issues/2454)] (Thanks, [@casperisfine](https://github.com/casperisfine)!)
 * Avoid compile-time conflict with system-installed `gumbo.h` on OpenBSD. [[#2464](https://github.com/sparklemotion/nokogiri/issues/2464)]
 * Remove calls to `vasprintf` in favor of platform-independent `rb_vsprintf`
diff --git a/ext/java/nokogiri/XmlDocument.java b/ext/java/nokogiri/XmlDocument.java
@@ -681,11 +681,9 @@ private static class DocumentBuilderFactoryHolder
         result = canonicalizer.canonicalizeSubtree(startingNode.getNode(), inclusive_namespace, filter);
       }
       return RubyString.newString(context.runtime, new ByteList(result, UTF8Encoding.INSTANCE));
-    } catch (CanonicalizationException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
+    } catch (XMLSecurityException e) {
+      throw context.getRuntime().newRuntimeError(e.getMessage());
     }
-    return context.nil;
   }
 
   private XmlNode
diff --git a/ext/nokogiri/xml_document.c b/ext/nokogiri/xml_document.c
@@ -536,6 +536,7 @@ rb_xml_document_canonicalize(int argc, VALUE *argv, VALUE self)
   VALUE rb_mode;
   VALUE rb_namespaces;
   VALUE rb_comments_p;
+  int c_mode = 0;
   xmlChar **c_namespaces;
 
   xmlDocPtr c_doc;
@@ -547,8 +548,16 @@ rb_xml_document_canonicalize(int argc, VALUE *argv, VALUE self)
   VALUE rb_io;
 
   rb_scan_args(argc, argv, "03", &rb_mode, &rb_namespaces, &rb_comments_p);
-  if (!NIL_P(rb_mode)) { Check_Type(rb_mode, T_FIXNUM); }
-  if (!NIL_P(rb_namespaces)) { Check_Type(rb_namespaces, T_ARRAY); }
+  if (!NIL_P(rb_mode)) {
+    Check_Type(rb_mode, T_FIXNUM);
+    c_mode = NUM2INT(rb_mode);
+  }
+  if (!NIL_P(rb_namespaces)) {
+    Check_Type(rb_namespaces, T_ARRAY);
+    if (c_mode == XML_C14N_1_0 || c_mode == XML_C14N_1_1) {
+      rb_raise(rb_eRuntimeError, "This canonicalizer does not support this operation");
+    }
+  }
 
   Data_Get_Struct(self, xmlDoc, c_doc);
 
@@ -577,7 +586,7 @@ rb_xml_document_canonicalize(int argc, VALUE *argv, VALUE self)
   }
 
   xmlC14NExecute(c_doc, c_callback_wrapper, rb_callback,
-                 (int)(NIL_P(rb_mode) ? 0 : NUM2INT(rb_mode)),
+                 c_mode,
                  c_namespaces,
                  (int)RTEST(rb_comments_p),
                  c_obuf);
diff --git a/test/xml/test_c14n.rb b/test/xml/test_c14n.rb
@@ -141,6 +141,7 @@ def test_c14n_modes
             </n1:elem2>
           </n0:local>
         EOXML
+        node1 = doc1.at_xpath("//n1:elem2", { "n1" => "http://example.net" })
 
         doc2 = Nokogiri.XML(<<~EOXML)
           <n2:pdu xmlns:n1="http://example.com"
@@ -154,13 +155,14 @@ def test_c14n_modes
             </n1:elem2>
           </n2:pdu>
         EOXML
+        node2 = doc2.at_xpath("//n1:elem2", { "n1" => "http://example.net" })
 
         expected = <<~EOF.strip
           <n1:elem2 xmlns:n0="http://foobar.org" xmlns:n1="http://example.net" xmlns:n3="ftp://example.org" xml:lang="en">
               <n3:stuff></n3:stuff>
             </n1:elem2>
         EOF
-        c14n = doc1.at_xpath("//n1:elem2", { "n1" => "http://example.net" }).canonicalize
+        c14n = node1.canonicalize
         assert_equal(expected, c14n)
 
         expected = <<~EOF.strip
@@ -169,15 +171,20 @@ def test_c14n_modes
               <n4:stuff></n4:stuff>
             </n1:elem2>
         EOF
-        c14n = doc2.at_xpath("//n1:elem2", { "n1" => "http://example.net" }).canonicalize
+        c14n = node2.canonicalize
         assert_equal(expected, c14n)
+        c14n = node2.canonicalize(XML::XML_C14N_1_0)
+        assert_equal(expected, c14n)
+        assert_raises(RuntimeError) do
+          node2.canonicalize(XML::XML_C14N_1_0, ["n2"])
+        end
 
         expected = <<~EOF.strip
           <n1:elem2 xmlns:n1="http://example.net" xml:lang="en">
               <n3:stuff xmlns:n3="ftp://example.org"></n3:stuff>
             </n1:elem2>
         EOF
-        c14n = doc1.at_xpath("//n1:elem2", { "n1" => "http://example.net" }).canonicalize(XML::XML_C14N_EXCLUSIVE_1_0)
+        c14n = node1.canonicalize(XML::XML_C14N_EXCLUSIVE_1_0)
         assert_equal(expected, c14n)
 
         expected = <<~EOF.strip
@@ -186,7 +193,7 @@ def test_c14n_modes
               <n4:stuff xmlns:n4="http://foo.example"></n4:stuff>
             </n1:elem2>
         EOF
-        c14n = doc2.at_xpath("//n1:elem2", { "n1" => "http://example.net" }).canonicalize(XML::XML_C14N_EXCLUSIVE_1_0)
+        c14n = node2.canonicalize(XML::XML_C14N_EXCLUSIVE_1_0)
         assert_equal(expected, c14n)
 
         expected = <<~EOF.strip
@@ -195,7 +202,7 @@ def test_c14n_modes
               <n4:stuff xmlns:n4="http://foo.example"></n4:stuff>
             </n1:elem2>
         EOF
-        c14n = doc2.at_xpath("//n1:elem2", { "n1" => "http://example.net" }).canonicalize(XML::XML_C14N_EXCLUSIVE_1_0, ["n2"])
+        c14n = node2.canonicalize(XML::XML_C14N_EXCLUSIVE_1_0, ["n2"])
         assert_equal(expected, c14n)
 
         expected = <<~EOF.strip
@@ -204,8 +211,20 @@ def test_c14n_modes
               <n4:stuff></n4:stuff>
             </n1:elem2>
         EOF
-        c14n = doc2.at_xpath("//n1:elem2", { "n1" => "http://example.net" }).canonicalize(XML::XML_C14N_EXCLUSIVE_1_0, ["n2", "n4"])
+        c14n = node2.canonicalize(XML::XML_C14N_EXCLUSIVE_1_0, ["n2", "n4"])
         assert_equal(expected, c14n)
+
+        expected = <<~EOF.strip
+          <n1:elem2 xmlns:n1="http://example.net" xmlns:n2="http://foo.example" xmlns:n4="http://foo.example" xml:lang="en" xml:space="retain">
+              <n3:stuff xmlns:n3="ftp://example.org"></n3:stuff>
+              <n4:stuff></n4:stuff>
+            </n1:elem2>
+        EOF
+        c14n = node2.canonicalize(XML::XML_C14N_1_1)
+        assert_equal(expected, c14n)
+        assert_raises(RuntimeError) do
+          node2.canonicalize(XML::XML_C14N_1_1, ["n2"])
+        end
       end
 
       def test_wrong_params

Original file line number	Diff line number	Diff line change
`@@ -681,11 +681,9 @@ private static class DocumentBuilderFactoryHolder`
`681`	`681`	`result = canonicalizer.canonicalizeSubtree(startingNode.getNode(), inclusive_namespace, filter);`
`682`	`682`	`}`
`683`	`683`	`return RubyString.newString(context.runtime, new ByteList(result, UTF8Encoding.INSTANCE));`
`684`		`- } catch (CanonicalizationException e) {`
`685`		`- // TODO Auto-generated catch block`
`686`		`- e.printStackTrace();`
	`684`	`+ } catch (XMLSecurityException e) {`
	`685`	`+ throw context.getRuntime().newRuntimeError(e.getMessage());`
`687`	`686`	`}`
`688`		`- return context.nil;`
`689`	`687`	`}`
`690`	`688`
`691`	`689`	`private XmlNode`