Adds test cases to test ClassLoader pollution

10088 · Apr 24, 2014 · 149181a · 149181a
1 parent 6315241
commit 149181a
Show file tree

Hide file tree

Showing 2 changed files with 130 additions and 0 deletions.
diff --git a/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java b/core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java
@@ -22,10 +22,12 @@
 package org.apache.struts2.interceptor;
 
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 
 import javax.servlet.http.Cookie;
 
+import com.opensymphony.xwork2.mock.MockActionInvocation;
 import org.easymock.MockControl;
 import org.springframework.mock.web.MockHttpServletRequest;
 
@@ -316,6 +318,70 @@ public void testInterceptSelectedCookiesNameAndValue() throws Exception {
         assertEquals(ActionContext.getContext().getValueStack().findValue("cookie3"), null);
     }
 
+    public void testCookiesWithClassPollution() throws Exception {
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        String pollution1 = "model['class']['classLoader']['jarPath']";
+        String pollution2 = "model.class.classLoader.jarPath";
+        String pollution3 = "class.classLoader.jarPath";
+        String pollution4 = "class['classLoader']['jarPath']";
+        String pollution5 = "model[\"class\"]['classLoader']['jarPath']";
+        String pollution6 = "class[\"classLoader\"]['jarPath']";
+
+        request.setCookies(
+                new Cookie(pollution1, "pollution1"),
+                new Cookie("pollution1", pollution1),
+                new Cookie(pollution2, "pollution2"),
+                new Cookie("pollution2", pollution2),
+                new Cookie(pollution3, "pollution3"),
+                new Cookie("pollution3", pollution3),
+                new Cookie(pollution4, "pollution4"),
+                new Cookie("pollution4", pollution4),
+                new Cookie(pollution5, "pollution5"),
+                new Cookie("pollution5", pollution5),
+                new Cookie(pollution6, "pollution6"),
+                new Cookie("pollution6", pollution6)
+            );
+        ServletActionContext.setRequest(request);
+
+        final Map<String, Boolean> excludedName = new HashMap<String, Boolean>();
+        final Map<String, Boolean> excludedValue = new HashMap<String, Boolean>();
+
+        CookieInterceptor interceptor = new CookieInterceptor() {
+            @Override
+            protected boolean isAcceptableName(String name) {
+                boolean accepted = super.isAcceptableName(name);
+                excludedName.put(name, accepted);
+                return accepted;
+            }
+
+            @Override
+            protected boolean isAcceptableValue(String value) {
+                boolean accepted = super.isAcceptableValue(value);
+                excludedValue.put(value, accepted);
+                return accepted;
+            }
+        };
+        interceptor.setCookiesName("*");
+
+        MockActionInvocation invocation = new MockActionInvocation();
+        invocation.setAction(new MockActionWithCookieAware());
+
+        interceptor.intercept(invocation);
+
+        assertFalse(excludedName.get(pollution1));
+        assertFalse(excludedName.get(pollution2));
+        assertFalse(excludedName.get(pollution3));
+        assertFalse(excludedName.get(pollution4));
+        assertFalse(excludedName.get(pollution5));
+        assertFalse(excludedName.get(pollution6));
+
+        assertFalse(excludedValue.get(pollution1));
+        assertFalse(excludedValue.get(pollution2));
+        assertFalse(excludedValue.get(pollution3));
+        assertFalse(excludedValue.get(pollution4));
+        assertFalse(excludedValue.get(pollution5));
+        assertFalse(excludedValue.get(pollution6));
+    }
 
     public static class MockActionWithCookieAware extends ActionSupport implements CookiesAware {
 

diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -18,6 +18,7 @@
 import com.opensymphony.xwork2.Action;
 import com.opensymphony.xwork2.ActionContext;
 import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.ExcludedPatterns;
 import com.opensymphony.xwork2.ModelDrivenAction;
 import com.opensymphony.xwork2.SimpleAction;
 import com.opensymphony.xwork2.TestBean;
@@ -44,10 +45,12 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Pattern;
 
 
 /**
@@ -184,6 +187,62 @@ public void testParametersDoesNotAffectSession() throws Exception {
         assertNull(session.get("user5"));
     }
 
+    public void testArrayClassPollutionBlockedByPattern() throws Exception {
+        // given
+        final String pollution1 = "model.class.classLoader.jarPath";
+        final String pollution2 = "model['class']['classLoader']['jarPath']";
+        final String pollution3 = "model[\"class\"]['classLoader']['jarPath']";
+        final String pollution4 = "class.classLoader.jarPath";
+        final String pollution5 = "class['classLoader']['jarPath']";
+        final String pollution6 = "class[\"classLoader\"]['jarPath']";
+
+        loadConfigurationProviders(new XWorkConfigurationProvider(), new XmlConfigurationProvider("xwork-param-test.xml"));
+        final Map<String, Object> params = new HashMap<String, Object>() {
+            {
+                put(pollution1, "bad");
+                put(pollution2, "bad");
+                put(pollution3, "bad");
+                put(pollution4, "bad");
+                put(pollution5, "bad");
+                put(pollution6, "bad");
+            }
+        };
+
+        final Map<String, Boolean> excluded = new HashMap<String, Boolean>();
+        ParametersInterceptor pi = new ParametersInterceptor() {
+
+            @Override
+            protected void initializeHardCodedExcludePatterns() {
+                this.excludeParams = new HashSet<Pattern>();
+            }
+
+            @Override
+            protected boolean isExcluded(String paramName) {
+                boolean result = super.isExcluded(paramName);
+                excluded.put(paramName, result);
+                return result;
+            }
+
+        };
+
+        pi.setExcludeParams("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*");
+        container.inject(pi);
+        ValueStack vs = ActionContext.getContext().getValueStack();
+
+        // when
+        ValidateAction action = new ValidateAction();
+        pi.setParameters(action, vs, params);
+
+        // then
+        assertEquals(0, action.getActionMessages().size());
+        assertTrue(excluded.get(pollution1));
+        assertTrue(excluded.get(pollution2));
+        assertTrue(excluded.get(pollution3));
+        assertTrue(excluded.get(pollution4));
+        assertTrue(excluded.get(pollution5));
+        assertTrue(excluded.get(pollution6));
+    }
+
     public void testAccessToOgnlInternals() throws Exception {
         // given
         Map<String, Object> params = new HashMap<String, Object>();
@@ -571,6 +630,11 @@ public void testInternalParametersAreIgnored() throws Exception {
         assertEquals(expected, actual);
     }
 
+    public void testExcludedPatternsGetInitialized() throws Exception {
+        ParametersInterceptor parametersInterceptor = new ParametersInterceptor();
+        assertEquals(ExcludedPatterns.EXCLUDED_PATTERNS.length, parametersInterceptor.excludeParams.size());
+    }
+
     private ValueStack injectValueStack(Map<String, Object> actual) {
         ValueStack stack = createStubValueStack(actual);
         container.inject(stack);