[ofbiz-framework] branch trunk updated: Improved: Improve ObjectInputStream denyList (OFBIZ-12221)


[ofbiz-framework] branch trunk updated: Improved: Improve ObjectInputStream denyList (OFBIZ-12221)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 7fd9d05  Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
7fd9d05 is described below

commit 7fd9d05f7e9efb2f3eaff8c95678f1217215c408
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Wed Apr 7 10:12:33 2021 +0200

    Improved: Improve ObjectInputStream denyList (OFBIZ-12221)
   
    Forgot to change ListOfSafeObjectsForInputStream to allowList in UtilObjectTests
---
 .../org/apache/ofbiz/base/util/SafeObjectInputStream.java   |  2 +-
 .../java/org/apache/ofbiz/base/util/UtilObjectTests.java    | 13 +++++--------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 185d828..1bc1ba9 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -42,7 +42,7 @@ public final class SafeObjectInputStream extends ObjectInputStream {
             "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
             "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*",
             "org.codehaus.groovy.runtime.GStringImpl", "groovy.lang.GString"};
-    private static final String[] DEFAULT_DENYLIST = { "rmi", "<" };
+    private static final String[] DEFAULT_DENYLIST = {"rmi", "<"};
 
     /** The regular expression used to match serialized types. */
     private final Pattern allowlistPattern;
diff --git a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java
index cddff9d..b6d7b2e 100644
--- a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java
+++ b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java
@@ -21,12 +21,12 @@ package org.apache.ofbiz.base.util;
 import static org.apache.ofbiz.base.util.UtilMisc.toSet;
 import static org.apache.ofbiz.base.util.UtilObject.getObjectException;
 import static org.apache.ofbiz.base.util.UtilObject.getObjectFromFactory;
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.contains;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNotSame;
 import static org.junit.Assert.assertNull;
-import static org.hamcrest.MatcherAssert.assertThat;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -51,7 +51,7 @@ public class UtilObjectTests {
     @After
     public void cleanUp() {
         // Ensure that the default value of allowed deserialization classes is used.
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "");
     }
 
     public static final class ErrorInjector extends FilterInputStream {
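Review bot: The renamed property key `"allowList"` is spelled as a bare string literal here and again at each call in testGetObjectExceptionCustomized and testGetObjectExceptionUnsafe, so a later rename of the key SafeObjectInputStream reads would have to be chased through four places; a single constant such as `private static final String ALLOW_LIST_PROPERTY = "allowList";` used as `UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", ALLOW_LIST_PROPERTY, "");` keeps the tests and the production key from drifting apart. The comment above the call says the default set of allowed classes is restored, but the line only writes an empty string; the comment should say that SafeObjectInputStream is expected to fall back to its built-in defaults for an empty value, if that is indeed how it behaves. If the deny list this commit series works on is read from the same properties file, cleanUp should reset that key as well, otherwise a test that customizes it would leak into the tests that run after it.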
@@ -333,13 +333,11 @@ public class UtilObjectTests {
     // Test reading a valid customized list of string object.
     @Test
     public void testGetObjectExceptionCustomized() throws IOException, ClassNotFoundException {
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
-                "java.util.Arrays.ArrayList,java.lang.String");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "java.util.Arrays.ArrayList,java.lang.String");
         testGetObjectExceptionSafe();
 
         // With extra whitespace
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
-                "java.util.Arrays.ArrayList, java.lang.String");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "java.util.Arrays.ArrayList, java.lang.String");
         testGetObjectExceptionSafe();
     }
 
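Review bot: The allow-list values on the two new lines, `java.util.Arrays.ArrayList,java.lang.String`, appear to be used as regular-expression fragments rather than literal class names (SafeObjectInputStream holds a `Pattern allowlistPattern` and its defaults use forms such as `java..*` and `\\[Z`), so the unescaped dots match any character and `java.util.Arrays.ArrayList` matches the real nested-class name `java.util.Arrays$ArrayList` only because of that. A comment on the first of these lines would spare the next reader the same puzzlement, e.g. `// Entries are regex fragments: the '.' before ArrayList also matches the '$' of Arrays$ArrayList`. The commit also joins the previously wrapped calls onto single lines noticeably longer than the removed ones; keeping the wrap before the third argument would read consistently with the rest of the file.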
@@ -347,8 +345,7 @@ public class UtilObjectTests {
     @Test(expected = ClassCastException.class)
     public void testGetObjectExceptionUnsafe() throws IOException, ClassNotFoundException {
         // Only allow object of type where the package prefix is 'org.apache.ofbiz'
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
-                "org.apache.ofbiz..*");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "org.apache.ofbiz..*");
         try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
                 ObjectOutputStream oos = new ObjectOutputStream(bos)) {
             List<String> forbiddenObject = Arrays.asList("foo", "bar", "baz");