Posted to commits@ofbiz.apache.org by mt...@apache.org on 2019/10/26 21:47:46 UTC

svn commit: r1869023 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util: UtilObjectTests.java UtilObjectUnitTest.java

Author: mthl
Date: Sat Oct 26 21:47:46 2019
New Revision: 1869023

URL: http://svn.apache.org/viewvc?rev=1869023&view=rev
Log:
Improved: Merge ‘UtilObjectUnitTest’ into ‘UtilObjectTests’
(OFBIZ-11067)

Those classes were testing the same class.

Removed:
    ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectUnitTest.java
Modified:
    ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java

Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java?rev=1869023&r1=1869022&r2=1869023&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java Sat Oct 26 21:47:46 2019
@@ -19,28 +19,40 @@
 package org.apache.ofbiz.base.util;
 
 import static org.apache.ofbiz.base.util.UtilMisc.toSet;
+import static org.apache.ofbiz.base.util.UtilObject.getObjectException;
 import static org.apache.ofbiz.base.util.UtilObject.getObjectFromFactory;
+import static org.hamcrest.Matchers.contains;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNotSame;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThat;
 
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
+import java.util.Arrays;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Set;
 
 import org.apache.ofbiz.base.lang.Factory;
 import org.apache.ofbiz.base.lang.SourceMonitored;
+import org.junit.After;
 import org.junit.Test;
 
 @SourceMonitored
 public class UtilObjectTests {
+    @After
+    public void cleanUp() {
+        // Ensure that the default value of allowed deserialization classes is used.
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
+    }
 
     public static final class ErrorInjector extends FilterInputStream {
         private int after;
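Review bot: cleanUp() overwrites the in-memory property with an empty string rather than restoring the value that was in effect before the test ran. The comment above that line says this brings back the default allow-list, which holds only if the deserialization code treats an empty value as "not configured"; that is not visible in this hunk. If the property has a non-empty configured value, every test that runs later in the same JVM sees a different allow-list than production. Reading the value in an `@Before` method with `UtilProperties.getPropertyValue("SafeObjectInputStream", "ListOfSafeObjectsForInputStream")` and writing that saved value back in cleanUp() would remove the assumption.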
@@ -305,4 +317,43 @@ public class UtilObjectTests {
             assertNotNull("nothing found second", caught);
         }
     }
+
+    // Test reading a basic list of string object.
+    @Test
+    public void testGetObjectExceptionSafe() throws IOException, ClassNotFoundException {
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+            List<String> allowedObject = Arrays.asList("foo", "bar", "baz");
+            oos.writeObject(allowedObject);
+            List<String> readObject = UtilGenerics.cast(getObjectException(bos.toByteArray()));
+            assertThat(readObject, contains("foo", "bar", "baz"));
+        }
+    }
+
+    // Test reading a valid customized list of string object.
+    @Test
+    public void testGetObjectExceptionCustomized() throws IOException, ClassNotFoundException {
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+                "java.util.Arrays.ArrayList,java.lang.String");
+        testGetObjectExceptionSafe();
+
+        // With extra whitespace
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+                "java.util.Arrays.ArrayList, java.lang.String");
+        testGetObjectExceptionSafe();
+    }
+
+    // Test reading a basic list of string object after forbidding such kind of objects.
+    @Test(expected = ClassCastException.class)
+    public void testGetObjectExceptionUnsafe() throws IOException, ClassNotFoundException {
+        // Only allow object of type where the package prefix is 'org.apache.ofbiz'
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
+                "org.apache.ofbiz..*");
+        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                ObjectOutputStream oos = new ObjectOutputStream(bos)) {
+            List<String> forbiddenObject = Arrays.asList("foo", "bar", "baz");
+            oos.writeObject(forbiddenObject);
+            getObjectException(bos.toByteArray());
+        }
+    }
 }
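Review bot: In testGetObjectExceptionUnsafe, `@Test(expected = ClassCastException.class)` applies to the whole method, so a ClassCastException thrown anywhere in it passes the test, and nothing shows that the rejection came from the allow-list check inside getObjectException. Catch the exception around that one call and assert on it, as in the block below, which reuses the already imported assertNotNull. Separately, the entries `java.util.Arrays.ArrayList` and `org.apache.ofbiz..*` suggest the list is matched as regular expressions, in which case each unescaped `.` matches any character and an entry admits more class names than it appears to. A negative case for a near-miss class name would pin that behaviour down, and a case with the property left empty would cover the default list.

```java
    @Test
    public void testGetObjectExceptionUnsafe() throws IOException, ClassNotFoundException {
        // … unchanged: property setup restricting the list to 'org.apache.ofbiz..*' …
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
                ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            // … unchanged: forbiddenObject is written to oos …
            ClassCastException caught = null;
            try {
                getObjectException(bos.toByteArray());
            } catch (ClassCastException e) {
                caught = e;
            }
            assertNotNull("class outside the allow-list was deserialized", caught);
        }
    }
```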