Adds test cases to test ClassLoader pollution
Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/149181a7 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/149181a7 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/149181a7 Branch: refs/heads/feature/exclude-object-class Commit: 149181a776afc94a39676a570bda72e14826476e Parents: 6315241 Author: Lukasz Lenart <lukaszlen...@apache.org> Authored: Thu Apr 24 19:52:03 2014 +0200 Committer: Lukasz Lenart <lukaszlen...@apache.org> Committed: Thu Apr 24 19:52:03 2014 +0200 ---------------------------------------------------------------------- .../interceptor/CookieInterceptorTest.java | 66 ++++++++++++++++++++ .../interceptor/ParametersInterceptorTest.java | 64 +++++++++++++++++++ 2 files changed, 130 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/149181a7/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java ---------------------------------------------------------------------- diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java index 2d22fac..d1014a8 100644 --- a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java +++ b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java @@ -22,10 +22,12 @@ package org.apache.struts2.interceptor; import java.util.Collections; +import java.util.HashMap; import java.util.Map; import javax.servlet.http.Cookie; +import com.opensymphony.xwork2.mock.MockActionInvocation; import org.easymock.MockControl; import org.springframework.mock.web.MockHttpServletRequest; 
@@ -316,6 +318,70 @@ public class CookieInterceptorTest extends StrutsInternalTestCase { assertEquals(ActionContext.getContext().getValueStack().findValue("cookie3"), null); } + public void testCookiesWithClassPollution() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest(); + String pollution1 = "model['class']['classLoader']['jarPath']"; + String pollution2 = "model.class.classLoader.jarPath"; + String pollution3 = "class.classLoader.jarPath"; + String pollution4 = "class['classLoader']['jarPath']"; + String pollution5 = "model[\"class\"]['classLoader']['jarPath']"; + String pollution6 = "class[\"classLoader\"]['jarPath']"; + + request.setCookies( + new Cookie(pollution1, "pollution1"), + new Cookie("pollution1", pollution1), + new Cookie(pollution2, "pollution2"), + new Cookie("pollution2", pollution2), + new Cookie(pollution3, "pollution3"), + new Cookie("pollution3", pollution3), + new Cookie(pollution4, "pollution4"), + new Cookie("pollution4", pollution4), + new Cookie(pollution5, "pollution5"), + new Cookie("pollution5", pollution5), + new Cookie(pollution6, "pollution6"), + new Cookie("pollution6", pollution6) + ); + ServletActionContext.setRequest(request); + + final Map<String, Boolean> excludedName = new HashMap<String, Boolean>(); + final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>(); + + CookieInterceptor interceptor = new CookieInterceptor() { + @Override + protected boolean isAcceptableName(String name) { + boolean accepted = super.isAcceptableName(name); + excludedName.put(name, accepted); + return accepted; + } + + @Override + protected boolean isAcceptableValue(String value) { + boolean accepted = super.isAcceptableValue(value); + excludedValue.put(value, accepted); + return accepted; + } + }; + interceptor.setCookiesName("*"); + + MockActionInvocation invocation = new MockActionInvocation(); + invocation.setAction(new MockActionWithCookieAware()); + + interceptor.intercept(invocation); + + 
assertFalse(excludedName.get(pollution1)); + assertFalse(excludedName.get(pollution2)); + assertFalse(excludedName.get(pollution3)); + assertFalse(excludedName.get(pollution4)); + assertFalse(excludedName.get(pollution5)); + assertFalse(excludedName.get(pollution6)); + + assertFalse(excludedValue.get(pollution1)); + assertFalse(excludedValue.get(pollution2)); + assertFalse(excludedValue.get(pollution3)); + assertFalse(excludedValue.get(pollution4)); + assertFalse(excludedValue.get(pollution5)); + assertFalse(excludedValue.get(pollution6)); + } public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware { http://git-wip-us.apache.org/repos/asf/struts/blob/149181a7/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java index e616fb8..21c7da9 100644 --- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java +++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java @@ -18,6 +18,7 @@ package com.opensymphony.xwork2.interceptor; import com.opensymphony.xwork2.Action; import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionProxy; +import com.opensymphony.xwork2.ExcludedPatterns; import com.opensymphony.xwork2.ModelDrivenAction; import com.opensymphony.xwork2.SimpleAction; import com.opensymphony.xwork2.TestBean; @@ -44,10 +45,12 @@ import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.LinkedHashMap; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.regex.Pattern; /** 
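Review bot: In `testCookiesWithClassPollution` the assertions `assertFalse(excludedName.get(pollution1))` unbox a `Boolean` taken from the map, so if the interceptor never calls `isAcceptableName`/`isAcceptableValue` for one of the cookies the test ends in a NullPointerException instead of a readable failure; `assertEquals(Boolean.FALSE, excludedName.get(pollution1));` keeps the missing-key case an ordinary assertion failure. The same applies to the `assertTrue(excluded.get(...))` lines in `testArrayClassPollutionBlockedByPattern` in ParametersInterceptorTest. The maps are named `excludedName`/`excludedValue` but store the `accepted` flag, which makes the `assertFalse` calls read backwards; `acceptedNames`/`acceptedValues` would match what is stored. The test also checks only the filter's decision: an assertion on the resulting state, in the style of the `findValue("cookie3")` check in the preceding test (for example `assertNull(ActionContext.getContext().getValueStack().findValue("pollution1"));`, assuming the stack is populated the same way here), would show that a rejected cookie is in fact not applied.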
@@ -184,6 +187,62 @@ public class ParametersInterceptorTest extends XWorkTestCase { assertNull(session.get("user5")); } + public void testArrayClassPollutionBlockedByPattern() throws Exception { + // given + final String pollution1 = "model.class.classLoader.jarPath"; + final String pollution2 = "model['class']['classLoader']['jarPath']"; + final String pollution3 = "model[\"class\"]['classLoader']['jarPath']"; + final String pollution4 = "class.classLoader.jarPath"; + final String pollution5 = "class['classLoader']['jarPath']"; + final String pollution6 = "class[\"classLoader\"]['jarPath']"; + + loadConfigurationProviders(new XWorkConfigurationProvider(), new XmlConfigurationProvider("xwork-param-test.xml")); + final Map<String, Object> params = new HashMap<String, Object>() { + { + put(pollution1, "bad"); + put(pollution2, "bad"); + put(pollution3, "bad"); + put(pollution4, "bad"); + put(pollution5, "bad"); + put(pollution6, "bad"); + } + }; + + final Map<String, Boolean> excluded = new HashMap<String, Boolean>(); + ParametersInterceptor pi = new ParametersInterceptor() { + + @Override + protected void initializeHardCodedExcludePatterns() { + this.excludeParams = new HashSet<Pattern>(); + } + + @Override + protected boolean isExcluded(String paramName) { + boolean result = super.isExcluded(paramName); + excluded.put(paramName, result); + return result; + } + + }; + + pi.setExcludeParams("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*"); + container.inject(pi); + ValueStack vs = ActionContext.getContext().getValueStack(); + + // when + ValidateAction action = new ValidateAction(); + pi.setParameters(action, vs, params); + + // then + assertEquals(0, action.getActionMessages().size()); + assertTrue(excluded.get(pollution1)); + assertTrue(excluded.get(pollution2)); + assertTrue(excluded.get(pollution3)); + assertTrue(excluded.get(pollution4)); + assertTrue(excluded.get(pollution5)); + assertTrue(excluded.get(pollution6)); + } + public void 
testAccessToOgnlInternals() throws Exception { // given Map<String, Object> params = new HashMap<String, Object>(); @@ -571,6 +630,11 @@ public class ParametersInterceptorTest extends XWorkTestCase { assertEquals(expected, actual); } + public void testExcludedPatternsGetInitialized() throws Exception { + ParametersInterceptor parametersInterceptor = new ParametersInterceptor(); + assertEquals(ExcludedPatterns.EXCLUDED_PATTERNS.length, parametersInterceptor.excludeParams.size()); + } + private ValueStack injectValueStack(Map<String, Object> actual) { ValueStack stack = createStubValueStack(actual); container.inject(stack);
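Review bot: `testArrayClassPollutionBlockedByPattern` empties the built-in set by overriding `initializeHardCodedExcludePatterns()` and then installs its own regex through `setExcludeParams`, so it shows that this test-local expression blocks the six names, not that the patterns the interceptor ships with do; a change to the production defaults would not fail it. Within that regex the bare `.*` alternative in the first group makes `.*\\.`, `^` and `\\[('|\")` redundant, so the expression effectively excludes any name containing `class.`, `class[`, `class']` or `class"]`, including an ordinary property such as `subclass.id` (a constructed example). If that breadth is intended, a comment like `// deliberately broad: excludes every name with "class" followed by . [ '] or "]` would record it; otherwise the prefix group needs tightening, and a negative case (a harmless name that must still be accepted) would pin the boundary.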
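Review bot: `testExcludedPatternsGetInitialized` compares only `ExcludedPatterns.EXCLUDED_PATTERNS.length` with `excludeParams.size()`, which passes whenever the counts agree, whatever the patterns match. As this is the only test in the commit that exercises the default patterns, a behavioural check on the default-constructed interceptor would be a stronger guard, for instance `assertTrue(parametersInterceptor.isExcluded("class.classLoader.jarPath"));`, assuming the shipped patterns are meant to cover that name, which this diff does not show. Reading the `excludeParams` field directly also ties the test to the interceptor's internal representation.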