
Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
Forgot to change ListOfSafeObjectsForInputStream to allowList in UtilObjectTests
JacquesLeRoux committed Apr 7, 2021
1 parent 3f97578 commit 7fd9d05
Showing 2 changed files with 6 additions and 9 deletions.
Expand Up @@ -42,7 +42,7 @@ public final class SafeObjectInputStream extends ObjectInputStream {
"\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
"java..*", "sun.util.calendar..*", "org.apache.ofbiz..*",
"org.codehaus.groovy.runtime.GStringImpl", "groovy.lang.GString"};
private static final String[] DEFAULT_DENYLIST = { "rmi", "<" };
private static final String[] DEFAULT_DENYLIST = {"rmi", "<"};

/** The regular expression used to match serialized types. */
private final Pattern allowlistPattern;
Expand Up @@ -21,12 +21,12 @@
import static org.apache.ofbiz.base.util.UtilMisc.toSet;
import static org.apache.ofbiz.base.util.UtilObject.getObjectException;
import static org.apache.ofbiz.base.util.UtilObject.getObjectFromFactory;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.contains;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNotSame;
import static org.junit.Assert.assertNull;
import static org.hamcrest.MatcherAssert.assertThat;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
Expand All @@ -51,7 +51,7 @@ public class UtilObjectTests {
@After
public void cleanUp() {
// Ensure that the default value of allowed deserialization classes is used.
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "");
}

public static final class ErrorInjector extends FilterInputStream {
Expand Down Expand Up @@ -333,22 +333,19 @@ public void testGetObjectExceptionSafe() throws IOException, ClassNotFoundExcept
// Test reading a valid customized list of string object.
@Test
public void testGetObjectExceptionCustomized() throws IOException, ClassNotFoundException {
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
"java.util.Arrays.ArrayList,java.lang.String");
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "java.util.Arrays.ArrayList,java.lang.String");
testGetObjectExceptionSafe();

// With extra whitespace
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
"java.util.Arrays.ArrayList, java.lang.String");
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "java.util.Arrays.ArrayList, java.lang.String");
testGetObjectExceptionSafe();
}

// Test reading a basic list of string object after forbidding such kind of objects.
@Test(expected = ClassCastException.class)
public void testGetObjectExceptionUnsafe() throws IOException, ClassNotFoundException {
// Only allow object of type where the package prefix is 'org.apache.ofbiz'
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
"org.apache.ofbiz..*");
UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "org.apache.ofbiz..*");
try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos)) {
List<String> forbiddenObject = Arrays.asList("foo", "bar", "baz");
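Review bot: After this rename the tests still never exercise `DEFAULT_DENYLIST` (`{"rmi", "<"}` in the SafeObjectInputStream hunk above), although the commit series is about improving that deny list: `testGetObjectExceptionCustomized` only shows allowlisted classes passing, and `testGetObjectExceptionUnsafe` only shows an allowlist miss being rejected. A third case that allowlists a broad pattern such as `java..*` and then reads an object whose class name matches the deny list — `java.rmi.server.UID` is a small Serializable JDK class that would do — would pin the intended precedence of deny over allow. Whether the stream checks the deny list before or after the allow match, and therefore which exception it throws, is not visible from this hunk, so the expected type below should be confirmed against `SafeObjectInputStream.resolveClass`. The body of `testGetObjectExceptionUnsafe` continues past the end of the hunk.
```java
// Test that the built-in deny list still rejects a class whose name matches it
// even when the allow list would otherwise admit it.
@Test(expected = ClassCastException.class)
public void testGetObjectExceptionDenied() throws IOException, ClassNotFoundException {
    UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "java..*");
    try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(bos)) {
        oos.writeObject(new java.rmi.server.UID());
        // … read the bytes back through getObjectException, as testGetObjectExceptionUnsafe does …
    }
}
```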
