1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
/*
* Copyright (C) 2013, 2014 XStream Committers.
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
* style license a copy of which has been included with this distribution in
* the LICENSE.txt file.
*
* Created on 23. December 2013 by Joerg Schaible
*/
package com.thoughtworks.acceptance;
import java.beans.EventHandler;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.ProxyTypePermission;
/**
* @author Jörg Schaible
*/
public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
private final static StringBuffer BUFFER = new StringBuffer();
protected void setUp() throws Exception {
super.setUp();
BUFFER.setLength(0);
xstream.alias("runnable", Runnable.class);
xstream.allowTypes(new Class[]{EventHandler.class});
xstream.allowTypeHierarchy(Runnable.class);
xstream.addPermission(ProxyTypePermission.PROXIES);
}
public void testCannotInjectEventHandler() {
final String xml = ""
+ "<string class='runnable-array'>\n"
+ " <dynamic-proxy>\n"
+ " <interface>java.lang.Runnable</interface>\n"
+ " <handler class='java.beans.EventHandler'>\n"
+ " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
+ " <action>exec</action>\n"
+ " </handler>\n"
+ " </dynamic-proxy>\n"
+ "</string>";
try {
xstream.fromXML(xml);
fail("Thrown " + XStreamException.class.getName() + " expected");
} catch (final XStreamException e) {
assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) > 0);
}
assertEquals(0, BUFFER.length());
}
public void testExplicitlyConvertEventHandler() {
final String xml = ""
+ "<string class='runnable-array'>\n"
+ " <dynamic-proxy>\n"
+ " <interface>java.lang.Runnable</interface>\n"
+ " <handler class='java.beans.EventHandler'>\n"
+ " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
+ " <action>exec</action>\n"
+ " </handler>\n"
+ " </dynamic-proxy>\n"
+ "</string>";
xstream.registerConverter(new ReflectionConverter(xstream.getMapper(), xstream
.getReflectionProvider(), EventHandler.class));
final Runnable[] array = (Runnable[])xstream.fromXML(xml);
assertEquals(0, BUFFER.length());
array[0].run();
assertEquals("Executed!", BUFFER.toString());
}
public static class Exec {
public void exec() {
BUFFER.append("Executed!");
}
}
public void testDeniedInstanceOfVoid() {
try {
xstream.fromXML("<void/>");
fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
} catch (final ForbiddenClassException e) {
// OK
}
}
public void testAllowedInstanceOfVoid() {
xstream.allowTypes(void.class, Void.class);
try {
xstream.fromXML("<void/>");
fail("Thrown " + ConversionException.class.getName() + " expected");
} catch (final ConversionException e) {
assertEquals("void", e.get("construction-type"));
}
}
}
|
