Posted to commits@struts.apache.org by lu...@apache.org on 2014/04/28 08:53:04 UTC
[08/23] git commit: Adds test cases to test ClassLoader pollution
Adds test cases to test ClassLoader pollution
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/149181a7
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/149181a7
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/149181a7
Branch: refs/heads/master
Commit: 149181a776afc94a39676a570bda72e14826476e
Parents: 6315241
Author: Lukasz Lenart <lu...@apache.org>
Authored: Thu Apr 24 19:52:03 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Thu Apr 24 19:52:03 2014 +0200
----------------------------------------------------------------------
.../interceptor/CookieInterceptorTest.java | 66 ++++++++++++++++++++
.../interceptor/ParametersInterceptorTest.java | 64 +++++++++++++++++++
2 files changed, 130 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/149181a7/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
index 2d22fac..d1014a8 100644
--- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
+++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -22,10 +22,12 @@
package org.apache.struts2.interceptor;
import java.util.Collections;
+import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.Cookie;
+import com.opensymphony.xwork2.mock.MockActionInvocation;
import org.easymock.MockControl;
import org.springframework.mock.web.MockHttpServletRequest;
@@ -316,6 +318,70 @@ public class CookieInterceptorTest extends StrutsInternalTestCase {
assertEquals(ActionContext.getContext().getValueStack().findValue("cookie3"), null);
}
+ public void testCookiesWithClassPollution() throws Exception {
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ String pollution1 = "model['class']['classLoader']['jarPath']";
+ String pollution2 = "model.class.classLoader.jarPath";
+ String pollution3 = "class.classLoader.jarPath";
+ String pollution4 = "class['classLoader']['jarPath']";
+ String pollution5 = "model[\"class\"]['classLoader']['jarPath']";
+ String pollution6 = "class[\"classLoader\"]['jarPath']";
+
+ request.setCookies(
+ new Cookie(pollution1, "pollution1"),
+ new Cookie("pollution1", pollution1),
+ new Cookie(pollution2, "pollution2"),
+ new Cookie("pollution2", pollution2),
+ new Cookie(pollution3, "pollution3"),
+ new Cookie("pollution3", pollution3),
+ new Cookie(pollution4, "pollution4"),
+ new Cookie("pollution4", pollution4),
+ new Cookie(pollution5, "pollution5"),
+ new Cookie("pollution5", pollution5),
+ new Cookie(pollution6, "pollution6"),
+ new Cookie("pollution6", pollution6)
+ );
+ ServletActionContext.setRequest(request);
+
+ final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
+ final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
+
+ CookieInterceptor interceptor = new CookieInterceptor() {
+ @Override
+ protected boolean isAcceptableName(String name) {
+ boolean accepted = super.isAcceptableName(name);
+ excludedName.put(name, accepted);
+ return accepted;
+ }
+
+ @Override
+ protected boolean isAcceptableValue(String value) {
+ boolean accepted = super.isAcceptableValue(value);
+ excludedValue.put(value, accepted);
+ return accepted;
+ }
+ };
+ interceptor.setCookiesName("*");
+
+ MockActionInvocation invocation = new MockActionInvocation();
+ invocation.setAction(new MockActionWithCookieAware());
+
+ interceptor.intercept(invocation);
+
+ assertFalse(excludedName.get(pollution1));
+ assertFalse(excludedName.get(pollution2));
+ assertFalse(excludedName.get(pollution3));
+ assertFalse(excludedName.get(pollution4));
+ assertFalse(excludedName.get(pollution5));
+ assertFalse(excludedName.get(pollution6));
+
+ assertFalse(excludedValue.get(pollution1));
+ assertFalse(excludedValue.get(pollution2));
+ assertFalse(excludedValue.get(pollution3));
+ assertFalse(excludedValue.get(pollution4));
+ assertFalse(excludedValue.get(pollution5));
+ assertFalse(excludedValue.get(pollution6));
+ }
public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware {
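Review bot: The assertions at the end of testCookiesWithClassPollution only check what `isAcceptableName` and `isAcceptableValue` returned, not that the rejected cookies stayed off the value stack and out of the action. A regression in which the interceptor consults the filters but still applies the cookie would pass this test. Consider an end-state check in the style of the assertion just above the new method, e.g. `assertNull(ActionContext.getContext().getValueStack().findValue("pollution1"));`, repeated for the other five names. Separately, `excludedName.get(...)` returns a `Boolean`, so a name that never reaches the filter fails with a NullPointerException from unboxing rather than a readable assertion; `assertEquals(Boolean.FALSE, excludedName.get(pollution1))` avoids that.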
http://git-wip-us.apache.org/repos/asf/struts/blob/149181a7/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index e616fb8..21c7da9 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -18,6 +18,7 @@ package com.opensymphony.xwork2.interceptor;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.ExcludedPatterns;
import com.opensymphony.xwork2.ModelDrivenAction;
import com.opensymphony.xwork2.SimpleAction;
import com.opensymphony.xwork2.TestBean;
@@ -44,10 +45,12 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.regex.Pattern;
/**
@@ -184,6 +187,62 @@ public class ParametersInterceptorTest extends XWorkTestCase {
assertNull(session.get("user5"));
}
+ public void testArrayClassPollutionBlockedByPattern() throws Exception {
+ // given
+ final String pollution1 = "model.class.classLoader.jarPath";
+ final String pollution2 = "model['class']['classLoader']['jarPath']";
+ final String pollution3 = "model[\"class\"]['classLoader']['jarPath']";
+ final String pollution4 = "class.classLoader.jarPath";
+ final String pollution5 = "class['classLoader']['jarPath']";
+ final String pollution6 = "class[\"classLoader\"]['jarPath']";
+
+ loadConfigurationProviders(new XWorkConfigurationProvider(), new XmlConfigurationProvider("xwork-param-test.xml"));
+ final Map<String, Object> params = new HashMap<String, Object>() {
+ {
+ put(pollution1, "bad");
+ put(pollution2, "bad");
+ put(pollution3, "bad");
+ put(pollution4, "bad");
+ put(pollution5, "bad");
+ put(pollution6, "bad");
+ }
+ };
+
+ final Map<String, Boolean> excluded = new HashMap<String, Boolean>();
+ ParametersInterceptor pi = new ParametersInterceptor() {
+
+ @Override
+ protected void initializeHardCodedExcludePatterns() {
+ this.excludeParams = new HashSet<Pattern>();
+ }
+
+ @Override
+ protected boolean isExcluded(String paramName) {
+ boolean result = super.isExcluded(paramName);
+ excluded.put(paramName, result);
+ return result;
+ }
+
+ };
+
+ pi.setExcludeParams("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*");
+ container.inject(pi);
+ ValueStack vs = ActionContext.getContext().getValueStack();
+
+ // when
+ ValidateAction action = new ValidateAction();
+ pi.setParameters(action, vs, params);
+
+ // then
+ assertEquals(0, action.getActionMessages().size());
+ assertTrue(excluded.get(pollution1));
+ assertTrue(excluded.get(pollution2));
+ assertTrue(excluded.get(pollution3));
+ assertTrue(excluded.get(pollution4));
+ assertTrue(excluded.get(pollution5));
+ assertTrue(excluded.get(pollution6));
+ }
+
public void testAccessToOgnlInternals() throws Exception {
// given
Map<String, Object> params = new HashMap<String, Object>();
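Review bot: Every name put into `params` in testArrayClassPollutionBlockedByPattern is a hostile one, so the test has no negative control and a pattern that excluded all parameter names would still pass. The literal given to `setExcludeParams` is broad: the bare `.*` alternative in the first group subsumes the other prefixes, so the pattern matches any name containing `class.`, `class[`, `class']` or `class"]`, for example `subclass.name`. Adding one benign entry such as `put("name", "ok");` with `assertEquals(Boolean.FALSE, excluded.get("name"));` would pin the intended scope, assuming `isExcluded` is reached for that name. Because `initializeHardCodedExcludePatterns` is overridden to an empty set, the test exercises this copied literal rather than the shipped `ExcludedPatterns.EXCLUDED_PATTERNS`, so the two can drift apart; a comment such as `// deliberately tests the pattern in isolation from the hard-coded defaults` would make that explicit.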
@@ -571,6 +630,11 @@ public class ParametersInterceptorTest extends XWorkTestCase {
assertEquals(expected, actual);
}
+ public void testExcludedPatternsGetInitialized() throws Exception {
+ ParametersInterceptor parametersInterceptor = new ParametersInterceptor();
+ assertEquals(ExcludedPatterns.EXCLUDED_PATTERNS.length, parametersInterceptor.excludeParams.size());
+ }
+
private ValueStack injectValueStack(Map<String, Object> actual) {
ValueStack stack = createStubValueStack(actual);
container.inject(stack);