AllowlistSecureIntrospectorTest.java

/src/test/java/com/atlassian/velocity/htmlsafe/introspection/AllowlistSecureIntrospectorTest.java

https://bitbucket.org/atlassian/velocity-htmlsafe
Java | 92 lines | 81 code | 11 blank | 0 comment | 0 complexity | 7326c87c7808386ae72e288d83772ca0 MD5 | raw file

package com.atlassian.velocity.htmlsafe.introspection;

import org.apache.commons.collections.ExtendedProperties;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.log.Log;
import org.apache.velocity.util.introspection.IntrospectorCacheImpl;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;

import javax.swing.text.html.Option;
import java.io.File;
import java.io.Serializable;
import java.nio.file.Path;
import java.util.Optional;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

@RunWith(MockitoJUnitRunner.class)
public class AllowlistSecureIntrospectorTest {
    private Log log;
    @Mock
    private RuntimeServices runtimeServices;
    private static final String[] RESTRICTED_CLASSES = {"java.io.File", "com.atlassian.velocity.htmlsafe.introspection.test.restrictedclass.MyClass"};
    private static final String[] RESTRICTED_PACKAGES = {"java.nio", "com.atlassian.velocity.htmlsafe.introspection.test.restrictedpackage"};
    private static final String[] ALLOW_LIST_CLASSES = {"java.io.Serializable"};
    private static final String[] ALLOWED_CLASSES = {"java.io.File", "java.nio.file.Path"};
    private static final String[] ALLOWED_PACKAGES = {"java.nio.charset"};

    @Before
    public void setUp() {
        log = new Log();
        ExtendedProperties configuration = mock(ExtendedProperties.class);
        when(runtimeServices.getConfiguration()).thenReturn(configuration);
        when(configuration.getString(eq(RuntimeConstants.INTROSPECTOR_CACHE_CLASS), any())).thenReturn(IntrospectorCacheImpl.class.getName());
    }

    @Test
    public void testCheckObjectExecutePermissionWithBadClassesAndEmptyGoodClassesFilterOutCorrectly() {
        AllowlistSecureIntrospector introspector = new AllowlistSecureIntrospector(
                Optional.of(RESTRICTED_CLASSES),
                Optional.of(RESTRICTED_PACKAGES),
                Optional.of(ALLOW_LIST_CLASSES),
                Optional.empty(),
                Optional.empty(),
                log,
                runtimeServices
        );

        assertTrue(introspector.checkObjectExecutePermission(Integer.class, ""));
        assertTrue((introspector.checkObjectExecutePermission(Serializable.class, "")));
        assertFalse(introspector.checkObjectExecutePermission(File.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(Path.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(java.nio.charset.Charset.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(java.nio.charset.spi.CharsetProvider.class, ""));

        assertTrue(introspector.checkObjectExecutePermission(com.atlassian.velocity.htmlsafe.introspection.test.normalpackage.MyClass.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(com.atlassian.velocity.htmlsafe.introspection.test.restrictedpackage.MyClass.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(com.atlassian.velocity.htmlsafe.introspection.test.restrictedclass.MyClass.class, ""));
    }

    @Test
    public void testCheckObjectExecutePermissionWithBadClassesAndGoodClassesFilterOutCorrectly() {
        AllowlistSecureIntrospector introspector = new AllowlistSecureIntrospector(
                Optional.of(RESTRICTED_CLASSES),
                Optional.of(RESTRICTED_PACKAGES),
                Optional.of(ALLOW_LIST_CLASSES),
                Optional.of(ALLOWED_CLASSES),
                Optional.of(ALLOWED_PACKAGES),
                log,
                runtimeServices
        );

        assertTrue(introspector.checkObjectExecutePermission(Integer.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(File.class, ""));
        assertTrue(introspector.checkObjectExecutePermission(Path.class, ""));
        assertTrue(introspector.checkObjectExecutePermission(java.nio.charset.Charset.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(java.nio.charset.spi.CharsetProvider.class, ""));

        assertTrue(introspector.checkObjectExecutePermission(com.atlassian.velocity.htmlsafe.introspection.test.normalpackage.MyClass.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(com.atlassian.velocity.htmlsafe.introspection.test.restrictedpackage.MyClass.class, ""));
        assertFalse(introspector.checkObjectExecutePermission(com.atlassian.velocity.htmlsafe.introspection.test.restrictedclass.MyClass.class, ""));
    }
}