
/*
 * Copyright (C) 2013, 2014 XStream Committers.
 * All rights reserved.
 *
 * The software in this package is published under the terms of the BSD
 * style license a copy of which has been included with this distribution in
 * the LICENSE.txt file.
 * 
 * Created on 23. December 2013 by Joerg Schaible
 */
package com.thoughtworks.acceptance;

import java.beans.EventHandler;

import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
import com.thoughtworks.xstream.security.ProxyTypePermission;

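/**
 * Acceptance tests for the security framework's handling of {@link EventHandler}.
 * <p>
 * A {@code java.beans.EventHandler} installed as the invocation handler of a dynamic proxy
 * turns an ordinary call on the proxy (here {@code Runnable.run()}) into a reflective call of a
 * method named in the XML on a target object also supplied by the XML. If XStream unmarshalled
 * such a handler from untrusted input, the sender would pick both target and method. The first
 * test asserts that, even with {@code EventHandler} allowed by a type permission and proxies
 * permitted, unmarshalling the payload fails with an {@link XStreamException} that names
 * {@code EventHandler}, and that nothing is executed. The second test shows that this protection
 * is bypassed as soon as a plain {@link ReflectionConverter} is registered for
 * {@code EventHandler} &mdash; something an application must never do for input it does not
 * trust.
 *
 * @author J&ouml;rg Schaible
 */
public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {

    /** Records whether the gadget target was invoked; reset before every test. */
    private final static StringBuffer BUFFER = new StringBuffer();

    protected void setUp() throws Exception {
        super.setUp();
        BUFFER.setLength(0);
        xstream.alias("runnable", Runnable.class);
        // Deliberately permissive: the handler type itself, the proxied interface hierarchy and
        // dynamic proxies are all allowed. testCannotInjectEventHandler shows the payload is still
        // rejected, so the rejection does not rely on the type permissions.
        xstream.allowTypes(new Class[]{EventHandler.class});
        xstream.allowTypeHierarchy(Runnable.class);
        xstream.addPermission(ProxyTypePermission.PROXIES);
    }

    /**
     * Builds the attack payload shared by both tests: a {@code Runnable[]} holding one dynamic
     * proxy whose invocation handler is an {@code EventHandler} wired to call {@code exec} on a
     * fresh {@link Exec} instance. The target class name is derived from {@link Exec} so a rename
     * cannot silently turn the payload into an unrelated "class not found" failure.
     *
     * @return the XML document as a string
     */
    private static String eventHandlerProxyXml() {
        return ""
            + "<string class='runnable-array'>\n"
            + "  <dynamic-proxy>\n"
            + "    <interface>java.lang.Runnable</interface>\n"
            + "    <handler class='java.beans.EventHandler'>\n"
            + "      <target class='" + Exec.class.getName() + "'/>\n"
            + "      <action>exec</action>\n"
            + "    </handler>\n"
            + "  </dynamic-proxy>\n"
            + "</string>";
    }

    /**
     * The default converter set-up must refuse to unmarshal an {@code EventHandler} as a proxy
     * handler even though {@link #setUp()} allowed the type, and the target must not run.
     */
    public void testCannotInjectEventHandler() {
        final String xml = eventHandlerProxyXml();

        try {
            xstream.fromXML(xml);
            fail("Thrown " + XStreamException.class.getName() + " expected");
        } catch (final XStreamException e) {
            // The rejection must be attributed to EventHandler, not to some unrelated failure
            // (e.g. an unknown alias), otherwise the test would pass for the wrong reason.
            final String message = e.getMessage();
            assertNotNull("Exception without message: " + e, message);
            assertTrue("Unexpected message: " + message,
                message.indexOf(EventHandler.class.getName()) >= 0);
        }
        // Rejecting the document must not have executed the target as a side effect.
        assertEquals(0, BUFFER.length());
    }

    /**
     * Registering a plain {@link ReflectionConverter} for {@code EventHandler} bypasses the
     * rejection: the payload unmarshals, and the first call on the proxy executes
     * {@link Exec#exec()}. Nothing runs during unmarshalling itself; the target runs on
     * {@code run()}.
     */
    public void testExplicitlyConvertEventHandler() {
        final String xml = eventHandlerProxyXml();

        // Opt back in to reflective unmarshalling of EventHandler. This is exactly the
        // configuration that must never be used for untrusted input.
        xstream.registerConverter(new ReflectionConverter(xstream.getMapper(), xstream
            .getReflectionProvider(), EventHandler.class));

        final Runnable[] array = (Runnable[])xstream.fromXML(xml);
        assertEquals(1, array.length);
        // Unmarshalling alone does not fire the gadget ...
        assertEquals(0, BUFFER.length());
        array[0].run();
        // ... but invoking the proxy does.
        assertEquals("Executed!", BUFFER.toString());
    }

    /** Gadget target: the object the XML-supplied handler is pointed at. */
    public static class Exec {

        /** Leaves a trace in {@link #BUFFER} so the tests can tell whether the gadget fired. */
        public void exec() {
            BUFFER.append("Executed!");
        }
    }
}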