/**
 * A stream with no accept rule at all must refuse to deserialize the test object:
 * the default is deny, so an empty allowlist lets nothing through.
 */
@Test(expected = InvalidClassException.class)
public void noAccept() throws Exception {
    final ValidatingObjectInputStream unconfigured = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(unconfigured);
}
/**
 * An accept rule given as a regular expression matching the test class name
 * is enough to let the test object be deserialized.
 */
@Test
public void acceptPattern() throws Exception {
    final Pattern ourClass = Pattern.compile(".*MockSerializedClass.*");
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(ois.accept(ourClass));
}
/**
 * When a class is refused, the {@link InvalidClassException} message must name
 * the offending class so that the rejection can be diagnosed (and logged) usefully.
 */
@Test
public void exceptionIncludesClassName() throws Exception {
    final String expectedName = MockSerializedClass.class.getName();
    try {
        assertSerialization(willClose(new ValidatingObjectInputStream(testStream)));
    } catch (final InvalidClassException ice) {
        // The rejection reached us as expected; now check its message is informative.
        assertTrue("Expecting message to contain " + expectedName, ice.getMessage().contains(expectedName));
        return;
    }
    // Reaching this point means nothing was rejected, which is the failure case.
    fail("Expected an InvalidClassException");
}
/**
 * A reject rule given as a regular expression overrides an explicit accept of
 * the same class: the test class lives under {@code org.*} and must be refused.
 */
@Test(expected = InvalidClassException.class)
public void rejectPattern() throws Exception {
    final Pattern orgPackages = Pattern.compile("org.*");
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .accept(MockSerializedClass.class)
            .reject(orgPackages);
    assertSerialization(configured);
}
/**
 * Accepting exactly the test class, and nothing else, is sufficient for the
 * test object to deserialize.
 */
@Test
public void ourTestClassOnlyAccepted() throws Exception {
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .accept(MockSerializedClass.class);
    assertSerialization(configured);
}
/**
 * Wildcard accept patterns are matched as a set: the test class pattern is
 * honoured even when it is not the first one listed.
 */
@Test
public void ourTestClassAcceptedSecondWildcard() throws Exception {
    final String[] patterns = { "*Integer", "*MockSerializedClass" };
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .accept(patterns);
    assertSerialization(configured);
}
/**
 * A package-level wildcard accept pattern covering the test class's package
 * lets the test object deserialize.
 */
@Test
public void acceptWildcard() throws Exception {
    final String commonsIoPackage = "org.apache.commons.io.*";
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .accept(commonsIoPackage);
    assertSerialization(configured);
}
/**
 * Accepting several classes at once works when the test class is listed first.
 */
@Test
public void ourTestClassAcceptedFirst() throws Exception {
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(testStream));
    final ValidatingObjectInputStream configured = ois.accept(MockSerializedClass.class, Integer.class);
    assertSerialization(configured);
}
/**
 * A reject rule on its own does not imply that anything else is accepted:
 * with no accept rule the test class is still refused.
 */
@Test(expected = InvalidClassException.class)
public void rejectOnly() throws Exception {
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .reject(Integer.class);
    assertSerialization(configured);
}
/**
 * A caller-supplied matcher can act as the accept rule; one that matches
 * everything lets the test object deserialize.
 */
@Test
public void acceptCustomMatcher() throws Exception {
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(ois.accept(ALWAYS_TRUE));
}
/**
 * An allowlist that names some other class but not the test class must refuse
 * the test object.
 */
@Test(expected = InvalidClassException.class)
public void ourTestClassNotAccepted() throws Exception {
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(ois.accept(Integer.class));
}
/**
 * Accepting several classes at once works when the test class is listed second.
 */
@Test
public void ourTestClassAcceptedSecond() throws Exception {
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(testStream));
    final ValidatingObjectInputStream configured = ois.accept(Integer.class, MockSerializedClass.class);
    assertSerialization(configured);
}
/**
 * Wildcard accept patterns are matched as a set: the test class pattern is
 * honoured when it is listed first.
 */
@Test
public void ourTestClassAcceptedFirstWildcard() throws Exception {
    final String[] patterns = { "*MockSerializedClass", "*Integer" };
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .accept(patterns);
    assertSerialization(configured);
}
/**
 * Reject takes precedence over accept: a class that is both accepted and
 * rejected is refused.
 */
@Test(expected = InvalidClassException.class)
public void rejectPrecedence() throws Exception {
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(testStream));
    final ValidatingObjectInputStream configured = ois
            .accept(MockSerializedClass.class)
            .reject(MockSerializedClass.class, Integer.class);
    assertSerialization(configured);
}
/**
 * An explicitly rejected class is refused even though an unrelated class
 * ({@code Long}) has been accepted.
 */
@Test(expected = InvalidClassException.class)
public void reject() throws Exception {
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(testStream));
    final ValidatingObjectInputStream configured = ois
            .accept(Long.class)
            .reject(MockSerializedClass.class, Integer.class);
    assertSerialization(configured);
}
/**
 * A caller-supplied matcher can act as the reject rule; one that matches
 * everything refuses the test object despite the explicit accept.
 */
@Test(expected = InvalidClassException.class)
public void rejectCustomMatcher() throws Exception {
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .accept(MockSerializedClass.class)
            .reject(ALWAYS_TRUE);
    assertSerialization(configured);
}
/**
 * A wildcard reject pattern covering the test class's package refuses the
 * test object despite the explicit accept of that class.
 */
@Test(expected = InvalidClassException.class)
public void rejectWildcard() throws Exception {
    final String orgPackages = "org.*";
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(testStream))
            .accept(MockSerializedClass.class)
            .reject(orgPackages);
    assertSerialization(configured);
}
/**
 * Trusting only {@code java.lang.*} (plus its array form) keeps the allowlist
 * tight, but it means every other class in the object graph has to be
 * named explicitly. Quite safe, though it can get verbose.
 */
@Test
public void trustJavaLang() throws IOException, ClassNotFoundException {
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(inputStream));
    // Non-java.lang classes the object graph needs, listed one by one.
    final ValidatingObjectInputStream configured = ois
            .accept(MoreComplexObject.class, ArrayList.class, Random.class)
            .accept("java.lang.*", "[Ljava.lang.*");
    assertSerialization(configured);
}
/**
 * Trusting all of {@code java.*} (plus its array form) is probably a
 * reasonable trade-off: the accept list no longer has to enumerate every
 * JDK class the object graph uses.
 */
@Test
public void trustJavaIncludingArrays() throws IOException, ClassNotFoundException {
    final String[] jdkPatterns = { "java.*", "[Ljava.*" };
    final ValidatingObjectInputStream configured = willClose(new ValidatingObjectInputStream(inputStream))
            .accept(MoreComplexObject.class)
            .accept(jdkPatterns);
    assertSerialization(configured);
}
/**
 * Pure denylist mode: accept everything, then reject a handful of known
 * problem classes.
 *
 * This is weaker than an allowlist, since a denylist is hard to keep
 * exhaustive, but it may be acceptable in a controlled environment.
 */
@Test
public void useBlacklist() throws IOException, ClassNotFoundException {
    final String[] blacklist = {
        "org.apache.commons.collections.functors.InvokerTransformer",
        "org.codehaus.groovy.runtime.ConvertedClosure",
        "org.codehaus.groovy.runtime.MethodClosure",
        "org.springframework.beans.factory.ObjectFactory"
    };
    final ValidatingObjectInputStream ois = willClose(new ValidatingObjectInputStream(inputStream));
    // "*" accepts every class; the reject rules below then carve out the denylist.
    final ValidatingObjectInputStream configured = ois.accept("*").reject(blacklist);
    assertSerialization(configured);
}
}