Posted to commits@ofbiz.apache.org by mt...@apache.org on 2019/10/26 21:47:46 UTC
svn commit: r1869023 - in
/ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util:
UtilObjectTests.java UtilObjectUnitTest.java
Author: mthl
Date: Sat Oct 26 21:47:46 2019
New Revision: 1869023
URL: http://svn.apache.org/viewvc?rev=1869023&view=rev
Log:
Improved: Merge ‘UtilObjectUnitTest’ into ‘UtilObjectTests’
(OFBIZ-11067)
Those classes were testing the same class.
Removed:
ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectUnitTest.java
Modified:
ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java
Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java?rev=1869023&r1=1869022&r2=1869023&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java Sat Oct 26 21:47:46 2019
@@ -19,28 +19,40 @@
package org.apache.ofbiz.base.util;
import static org.apache.ofbiz.base.util.UtilMisc.toSet;
+import static org.apache.ofbiz.base.util.UtilObject.getObjectException;
import static org.apache.ofbiz.base.util.UtilObject.getObjectFromFactory;
+import static org.hamcrest.Matchers.contains;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNotSame;
import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThat;
import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
+import java.util.Arrays;
import java.util.HashMap;
+import java.util.List;
import java.util.Set;
import org.apache.ofbiz.base.lang.Factory;
import org.apache.ofbiz.base.lang.SourceMonitored;
+import org.junit.After;
import org.junit.Test;
@SourceMonitored
public class UtilObjectTests {
+ @After
+ public void cleanUp() {
+ // Ensure that the default value of allowed deserialization classes is used.
+ UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
+ }
public static final class ErrorInjector extends FilterInputStream {
private int after;
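Review bot: `cleanUp` writes the empty string into `ListOfSafeObjectsForInputStream` instead of restoring the value that was in effect before the test. The comment's claim that the default allow list is back in use therefore holds only if the code reading this property treats an empty value as "fall back to the built-in list", and that code is not visible in this hunk. Because the property decides which classes may be deserialized, I would capture the previous value in a `@Before` method and restore it here, or at least state the assumption in the comment, e.g. `// An empty value makes the reader fall back to its built-in allow list.` The override is set in memory for the whole process, so these tests presumably must not run in parallel with other tests that deserialize objects. The class body continues outside the hunk.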
@@ -305,4 +317,43 @@ public class UtilObjectTests {
assertNotNull("nothing found second", caught);
}
}
+
+ // Test reading a basic list of string object.
+ @Test
+ public void testGetObjectExceptionSafe() throws IOException, ClassNotFoundException {
+ try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+ List<String> allowedObject = Arrays.asList("foo", "bar", "baz");
+ oos.writeObject(allowedObject);
+ List<String> readObject = UtilGenerics.cast(getObjectException(bos.toByteArray()));
+ assertThat(readObject, contains("foo", "bar", "baz"));
+ }
+ }
+
+ // Test reading a valid customized list of string object.
+ @Test
+ public void testGetObjectExceptionCustomized() throws IOException, ClassNotFoundException {
+ UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+ "java.util.Arrays.ArrayList,java.lang.String");
+ testGetObjectExceptionSafe();
+
+ // With extra whitespace
+ UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+ "java.util.Arrays.ArrayList, java.lang.String");
+ testGetObjectExceptionSafe();
+ }
+
+ // Test reading a basic list of string object after forbidding such kind of objects.
+ @Test(expected = ClassCastException.class)
+ public void testGetObjectExceptionUnsafe() throws IOException, ClassNotFoundException {
+ // Only allow object of type where the package prefix is 'org.apache.ofbiz'
+ UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+ "org.apache.ofbiz..*");
+ try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+ List<String> forbiddenObject = Arrays.asList("foo", "bar", "baz");
+ oos.writeObject(forbiddenObject);
+ getObjectException(bos.toByteArray());
+ }
+ }
}
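Review bot: The allow-list entry in `testGetObjectExceptionCustomized` is spelled `java.util.Arrays.ArrayList`, but the class that `Arrays.asList` actually serializes is `java.util.Arrays$ArrayList`. The test can therefore only pass if each entry is matched as a regular expression whose `.` matches any character, which the `org.apache.ofbiz..*` entry in `testGetObjectExceptionUnsafe` also suggests. Every entry is then broader than the literal class name it appears to spell, which matters for a list that gates deserialization. I would document this above the first `setPropertyValueInMemory` call with `// Entries are regular expressions; the unescaped '.' is what matches the '$' in java.util.Arrays$ArrayList.` and add a case that pins whether a name differing from an entry only at a dot position is accepted or rejected. Separately, `@Test(expected = ClassCastException.class)` covers the whole method, so the unsafe test does not show that the exception comes from the `getObjectException` call itself.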