/**
 * Accepts {@code java.lang.*} plus its array form ({@code [Ljava.lang.*}) and nothing else from
 * the JDK. Every other class the payload contains (the test object, {@code ArrayList},
 * {@code Random}) has to be named explicitly, which keeps the allow-list narrow at the cost of
 * some verbosity.
 */
@Test
public void trustJavaLang() throws IOException, ClassNotFoundException {
    final ValidatingObjectInputStream narrowlyTrusted = new ValidatingObjectInputStream(inputStream)
            .accept(MoreComplexObject.class, ArrayList.class, Random.class)
            .accept("java.lang.*", "[Ljava.lang.*");
    assertSerialization(willClose(narrowlyTrusted));
}
/**
 * Accepts everything under {@code java.*} (and its array form), so only the application class has
 * to be listed. Convenient, but considerably broader than {@code java.lang.*}: the JDK itself
 * contains classes that have appeared as links in public deserialization gadget chains, so for
 * genuinely untrusted input an explicit allow-list of the few classes the payload needs is the
 * safer choice.
 */
@Test
public void trustJavaIncludingArrays() throws IOException, ClassNotFoundException {
    final ValidatingObjectInputStream broadlyTrusted = new ValidatingObjectInputStream(inputStream)
            .accept(MoreComplexObject.class)
            .accept("java.*", "[Ljava.*");
    assertSerialization(willClose(broadlyTrusted));
}
/**
 * Accept via a regular expression: the pattern must match the full class name, hence the
 * leading and trailing {@code .*}.
 */
@Test
public void acceptPattern() throws Exception {
    final Pattern onlyTheMockClass = Pattern.compile(".*MockSerializedClass.*");
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(vois.accept(onlyTheMockClass));
}
/**
 * A reject rule wins over an accept rule for the same class: the test class is explicitly
 * accepted, but the {@code org.*} pattern (which presumably covers its package) rejects it, so
 * deserialization must fail with {@link InvalidClassException}.
 */
@Test(expected = InvalidClassException.class)
public void rejectPattern() throws Exception {
    final Pattern anythingUnderOrg = Pattern.compile("org.*");
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(vois.accept(MockSerializedClass.class).reject(anythingUnderOrg));
}
/** The minimal allow-list: only the exact class under test is accepted, and that is enough. */
@Test
public void ourTestClassOnlyAccepted() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    vois.accept(MockSerializedClass.class);
    assertSerialization(vois);
}
/**
 * Wildcard accept where the matching pattern is listed second; order of accept rules must not
 * matter.
 */
@Test
public void ourTestClassAcceptedSecondWildcard() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(vois.accept("*Integer", "*MockSerializedClass"));
}
/**
 * Package-level wildcard accept. Note that a package prefix trusts every class in that package
 * (and sub-packages), so it is only as safe as the least safe class living there.
 */
@Test
public void acceptWildcard() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    vois.accept("org.apache.commons.io.*");
    assertSerialization(vois);
}
/** Explicit class accept with the matching class listed first. */
@Test
public void ourTestClassAcceptedFirst() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(vois.accept(MockSerializedClass.class, Integer.class));
}
/**
 * A custom matcher can be plugged in. {@code ALWAYS_TRUE} accepts every class name, i.e. it
 * switches validation off entirely — fine for exercising the hook, never appropriate for
 * untrusted input.
 */
@Test
public void acceptCustomMatcher() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    vois.accept(ALWAYS_TRUE);
    assertSerialization(vois);
}
/**
 * Default-deny: with only {@code Integer} accepted, the test class is not on the allow-list and
 * deserialization must fail with {@link InvalidClassException}.
 */
@Test(expected = InvalidClassException.class)
public void ourTestClassNotAccepted() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    vois.accept(Integer.class);
    assertSerialization(vois);
}
/** Explicit class accept with the matching class listed second; rule order must not matter. */
@Test
public void ourTestClassAcceptedSecond() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(vois.accept(Integer.class, MockSerializedClass.class));
}
/** Wildcard accept where the matching pattern is listed first. */
@Test
public void ourTestClassAcceptedFirstWildcard() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    vois.accept("*MockSerializedClass", "*Integer");
    assertSerialization(vois);
}
/**
 * Reject takes precedence over accept: the very same class is both accepted and rejected, and
 * the reject rule must win.
 */
@Test(expected = InvalidClassException.class)
public void rejectPrecedence() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    vois.accept(MockSerializedClass.class);
    vois.reject(MockSerializedClass.class, Integer.class);
    assertSerialization(vois);
}
/**
 * Explicit reject of the test class. It would be refused anyway (only {@code Long} is accepted),
 * so this mainly checks that a reject rule produces {@link InvalidClassException}.
 */
@Test(expected = InvalidClassException.class)
public void reject() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(vois.accept(Long.class).reject(MockSerializedClass.class, Integer.class));
}
/**
 * A custom matcher used as a reject rule: {@code ALWAYS_TRUE} rejects everything, overriding
 * the explicit accept of the test class.
 */
@Test(expected = InvalidClassException.class)
public void rejectCustomMatcher() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    vois.accept(MockSerializedClass.class);
    vois.reject(ALWAYS_TRUE);
    assertSerialization(vois);
}
/**
 * Wildcard reject: {@code org.*} (which presumably covers the test class's package) overrides the
 * explicit accept of the test class.
 */
@Test(expected = InvalidClassException.class)
public void rejectWildcard() throws Exception {
    final ValidatingObjectInputStream vois = willClose(new ValidatingObjectInputStream(testStream));
    assertSerialization(vois.accept(MockSerializedClass.class).reject("org.*"));
}
/**
 * Pure deny-list mode: everything is accepted and only a handful of known gadget classes are
 * rejected.
 * <p>
 * This is the weakest configuration ValidatingObjectInputStream supports. A deny-list only ever
 * covers the gadget classes its author knew about when it was written; any class not named here
 * (new libraries, renamed or relocated packages, other entry points into the same gadget chain)
 * passes. Matching is also purely by class name, so a subclass or a differently named wrapper of
 * a listed class is not caught. Acceptable in a controlled environment where the stream producer
 * is trusted; prefer an allow-list (see the other tests) for anything else.
 */
@Test
public void useBlacklist() throws IOException, ClassNotFoundException {
    // Illustrative sample of classes from well-known gadget chains, not an exhaustive list.
    final String[] knownGadgets = {
            "org.apache.commons.collections.functors.InvokerTransformer",
            "org.codehaus.groovy.runtime.ConvertedClosure",
            "org.codehaus.groovy.runtime.MethodClosure",
            "org.springframework.beans.factory.ObjectFactory"
    };
    final ValidatingObjectInputStream denyListOnly = new ValidatingObjectInputStream(inputStream)
            .accept("*")
            .reject(knownGadgets);
    assertSerialization(willClose(denyListOnly));
}
} // end of enclosing test class
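/**
 * De-serialize the pending uploads map from {@link org.apache.jackrabbit.core.data.AsyncUploadCache}.
 * <p>
 * The file lives in the repository home directory and is produced by this component, so it is
 * semi-trusted; deserialization is nevertheless restricted to the classes a serialized
 * {@code HashMap<String, Long>} can contain, so a tampered or corrupt file cannot instantiate
 * arbitrary classes. The allow-list constrains class names only: it does not bound the size or
 * nesting depth of the stream, so a huge or deeply nested file could still exhaust memory or
 * stack (NOTE(review): consider a size cap if the home directory can be written by less trusted
 * parties).
 * <p>
 * Any failure (missing header, rejected class, I/O error) is logged and an empty map is returned,
 * so a bad file never prevents startup.
 *
 * @param homeDir the directory where the serialized file is maintained
 * @return the de-serialized map; empty (never {@code null}) when the file is absent or unreadable
 */
@SuppressWarnings("unchecked")
private static Map<String, Long> deSerializeUploadMap(File homeDir) {
    Map<String, Long> asyncUploadMap = Maps.newHashMap();
    File asyncUploadMapFile = new File(homeDir, UPLOAD_MAP);
    if (asyncUploadMapFile.exists()) {
        String path = asyncUploadMapFile.getAbsolutePath();
        // try-with-resources closes the ObjectInputStream wrapper as well as the underlying
        // file stream on every path; the original only closed the FileInputStream.
        try (InputStream fis = new FileInputStream(path);
             ValidatingObjectInputStream input = new ValidatingObjectInputStream(fis)) {
            // Exact-name allow-list: HashMap (the container), Long (values), String (keys).
            // Map and Number are interface/abstract types that never appear as a serialized
            // class descriptor, so they match nothing; they are kept so the list is unchanged.
            input.accept(HashMap.class, Map.class, Number.class, Long.class, String.class);
            asyncUploadMap = (Map<String, Long>) input.readObject();
        } catch (Exception e) {
            // Best-effort: a corrupt or rejected file must not prevent startup; keep the empty map.
            LOG.error("Error in reading pending uploads map [{}] from location [{}]", UPLOAD_MAP, homeDir, e);
        }
        LOG.debug("AsyncUploadMap read [{}]", asyncUploadMap);
    }
    return asyncUploadMap;
}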
/**
 * Deserialize a list of {@code clazz} instances written as a size prefix followed by that many
 * objects.
 * <p>
 * Only the exact class {@code clazz} is accepted, so {@code clazz} must be the concrete class
 * present in the stream (an interface or supertype would match nothing), and any non-transient
 * field types of that class would have to be accepted as well — NOTE(review): confirm against the
 * writer. The size prefix comes from the stream and is not used to pre-allocate, so an absurd
 * value only costs one failed read per missing element rather than a large allocation. The
 * validating wrapper is deliberately not closed, as that would close {@code in}.
 *
 * @param in    input stream positioned at the size prefix
 * @param clazz element class; every deserialized element is cast to it
 * @param <T>   element type
 * @return the list, or {@code null} if the stored size is negative
 * @throws IOException            on I/O error
 * @throws ClassNotFoundException if a class in the stream cannot be loaded
 */
public static <T> List<T> readList(ObjectInputStream in, Class<T> clazz)
        throws IOException, ClassNotFoundException {
    final int count = in.readInt();
    final ValidatingObjectInputStream validating = new ValidatingObjectInputStream(in);
    validating.accept(clazz);
    if (count < 0) {
        return null;
    }
    final List<T> result = new ArrayList<>();
    for (int index = 0; index < count; index++) {
        final T element = clazz.cast(validating.readObject());
        result.add(element);
    }
    return result;
}
/**
 * Deserialize a {@code String -> clazz} map written as a size prefix followed by that many
 * key/value pairs (key first, then value).
 * <p>
 * Only the exact class {@code clazz} is accepted for the values, so it must be the concrete class
 * present in the stream and its non-transient field types must be deserializable under the same
 * rule — NOTE(review): confirm against the writer. Keys are read with an unchecked cast to
 * {@code String}; a stream holding anything else at a key position fails with a
 * {@code ClassCastException}. The size prefix is not used to pre-allocate, and the validating
 * wrapper is deliberately not closed, as that would close {@code in}.
 *
 * @param in    input stream positioned at the size prefix
 * @param clazz value class; every deserialized value is cast to it
 * @param <T>   value type
 * @return the map, or {@code null} if the stored size is negative
 * @throws IOException            on I/O error
 * @throws ClassNotFoundException if a class in the stream cannot be loaded
 */
public static <T> Map<String, T> readMap(ObjectInputStream in, Class<T> clazz)
        throws IOException, ClassNotFoundException {
    final int count = in.readInt();
    final ValidatingObjectInputStream validating = new ValidatingObjectInputStream(in);
    validating.accept(clazz);
    if (count < 0) {
        return null;
    }
    final Map<String, T> result = new HashMap<>();
    for (int index = 0; index < count; index++) {
        // Key is always read before its value, matching the writer's order.
        final String key = (String) validating.readObject();
        final T value = clazz.cast(validating.readObject());
        result.put(key, value);
    }
    return result;
}
} // end of enclosing utility class