/src/test/java/com/atlassian/velocity/htmlsafe/introspection/AllowlistSecureIntrospectorTest.java
- package com.atlassian.velocity.htmlsafe.introspection;
- import org.apache.commons.collections.ExtendedProperties;
- import org.apache.velocity.runtime.RuntimeConstants;
- import org.apache.velocity.runtime.RuntimeServices;
- import org.apache.velocity.runtime.log.Log;
- import org.apache.velocity.util.introspection.IntrospectorCacheImpl;
- import org.junit.Before;
- import org.junit.Test;
- import org.junit.runner.RunWith;
- import org.mockito.Mock;
- import org.mockito.junit.MockitoJUnitRunner;
- import javax.swing.text.html.Option;
- import java.io.File;
- import java.io.Serializable;
- import java.nio.file.Path;
- import java.util.Optional;
- import static org.junit.Assert.assertFalse;
- import static org.junit.Assert.assertTrue;
- import static org.mockito.ArgumentMatchers.any;
- import static org.mockito.ArgumentMatchers.eq;
- import static org.mockito.Mockito.mock;
- import static org.mockito.Mockito.when;
/**
 * Pins the class-level access decisions of {@link AllowlistSecureIntrospector}
 * for two list configurations: restrictions only, and restrictions combined
 * with explicit allowances.
 *
 * <p>Precedence rules these tests expect, as encoded by the assertions below:
 * <ul>
 *   <li>a class on no list is permitted;</li>
 *   <li>a restricted package also covers its nested packages ({@code java.nio}
 *       denies {@code java.nio.file}, {@code java.nio.charset} and
 *       {@code java.nio.charset.spi});</li>
 *   <li>an allowed class overrides a restricted <em>package</em>
 *       ({@code java.nio.file.Path});</li>
 *   <li>an allowed class does not override a restricted <em>class</em>
 *       ({@code java.io.File} stays denied);</li>
 *   <li>an allowed package matches only that exact package
 *       ({@code java.nio.charset} is opened up, {@code java.nio.charset.spi}
 *       is not).</li>
 * </ul>
 *
 * <p>NOTE(review): the roles of the five list arguments are inferred from the
 * constant names used here, not from the constructor signature, which is not
 * visible in this file. Confirm them against {@code AllowlistSecureIntrospector}.
 */
@RunWith(MockitoJUnitRunner.class)
public class AllowlistSecureIntrospectorTest {

    private Log log;

    @Mock
    private RuntimeServices runtimeServices;

    // Fully qualified class names passed as the first constructor argument.
    private static final String[] RESTRICTED_CLASSES = {"java.io.File", "com.atlassian.velocity.htmlsafe.introspection.test.restrictedclass.MyClass"};
    // Package names passed as the second constructor argument.
    private static final String[] RESTRICTED_PACKAGES = {"java.nio", "com.atlassian.velocity.htmlsafe.introspection.test.restrictedpackage"};
    // Passed as the third constructor argument in both tests.
    private static final String[] ALLOW_LIST_CLASSES = {"java.io.Serializable"};
    // java.io.File is deliberately listed both here and in RESTRICTED_CLASSES.
    private static final String[] ALLOWED_CLASSES = {"java.io.File", "java.nio.file.Path"};
    // A nested package of the restricted java.nio package.
    private static final String[] ALLOWED_PACKAGES = {"java.nio.charset"};

    /**
     * Creates a fresh {@link Log} and stubs the mocked runtime so that its
     * configuration reports {@link IntrospectorCacheImpl} as the introspector
     * cache class.
     */
    @Before
    public void setUp() {
        final String cacheClassName = IntrospectorCacheImpl.class.getName();
        final ExtendedProperties props = mock(ExtendedProperties.class);

        log = new Log();
        when(runtimeServices.getConfiguration()).thenReturn(props);
        when(props.getString(eq(RuntimeConstants.INTROSPECTOR_CACHE_CLASS), any())).thenReturn(cacheClassName);
    }

    /**
     * Restrictions only: the allowed-class and allowed-package arguments are
     * empty, so every class that is restricted by name or by package must be
     * denied and everything else permitted.
     *
     * <p>NOTE(review): {@code Serializable} comes from the third list and is
     * expected to be permitted, but so is {@code Integer}, which is on no list.
     * This assertion alone therefore does not show what the third list does.
     */
    @Test
    public void testCheckObjectExecutePermissionWithBadClassesAndEmptyGoodClassesFilterOutCorrectly() {
        final AllowlistSecureIntrospector restrictionsOnly = new AllowlistSecureIntrospector(
                Optional.of(RESTRICTED_CLASSES),
                Optional.of(RESTRICTED_PACKAGES),
                Optional.of(ALLOW_LIST_CLASSES),
                Optional.empty(),
                Optional.empty(),
                log,
                runtimeServices
        );

        assertPermitted(restrictionsOnly, Integer.class);
        assertPermitted(restrictionsOnly, Serializable.class);
        // Restricted by class name.
        assertDenied(restrictionsOnly, File.class);
        // Restricted through java.nio, including its nested packages.
        assertDenied(restrictionsOnly, Path.class);
        assertDenied(restrictionsOnly, java.nio.charset.Charset.class);
        assertDenied(restrictionsOnly, java.nio.charset.spi.CharsetProvider.class);
        // Three same-named fixtures, distinguished only by package or listing.
        assertPermitted(restrictionsOnly, com.atlassian.velocity.htmlsafe.introspection.test.normalpackage.MyClass.class);
        assertDenied(restrictionsOnly, com.atlassian.velocity.htmlsafe.introspection.test.restrictedpackage.MyClass.class);
        assertDenied(restrictionsOnly, com.atlassian.velocity.htmlsafe.introspection.test.restrictedclass.MyClass.class);
    }

    /**
     * Restrictions plus allowances: checks how an explicit allowance interacts
     * with a restriction covering the same class.
     *
     * <p>NOTE(review): unlike the restrictions-only test, nothing here asserts
     * the outcome for {@code java.io.Serializable}. Add an assertion if the
     * expected result for this configuration is defined.
     */
    @Test
    public void testCheckObjectExecutePermissionWithBadClassesAndGoodClassesFilterOutCorrectly() {
        final AllowlistSecureIntrospector withAllowances = new AllowlistSecureIntrospector(
                Optional.of(RESTRICTED_CLASSES),
                Optional.of(RESTRICTED_PACKAGES),
                Optional.of(ALLOW_LIST_CLASSES),
                Optional.of(ALLOWED_CLASSES),
                Optional.of(ALLOWED_PACKAGES),
                log,
                runtimeServices
        );

        assertPermitted(withAllowances, Integer.class);
        // Listed as both restricted and allowed: the class-level restriction wins.
        assertDenied(withAllowances, File.class);
        // Restricted only through its package, so the class-level allowance wins.
        assertPermitted(withAllowances, Path.class);
        // java.nio.charset is allowed as a package; java.nio.charset.spi is not.
        assertPermitted(withAllowances, java.nio.charset.Charset.class);
        assertDenied(withAllowances, java.nio.charset.spi.CharsetProvider.class);
        assertPermitted(withAllowances, com.atlassian.velocity.htmlsafe.introspection.test.normalpackage.MyClass.class);
        assertDenied(withAllowances, com.atlassian.velocity.htmlsafe.introspection.test.restrictedpackage.MyClass.class);
        assertDenied(withAllowances, com.atlassian.velocity.htmlsafe.introspection.test.restrictedclass.MyClass.class);
    }

    /**
     * Asserts that {@code subject} grants execute permission on {@code type}.
     * The second argument is always the empty string, so only the class-level
     * decision is exercised (presumably it is the method name; confirm).
     */
    private static void assertPermitted(AllowlistSecureIntrospector subject, Class<?> type) {
        assertTrue(subject.checkObjectExecutePermission(type, ""));
    }

    /**
     * Asserts that {@code subject} refuses execute permission on {@code type},
     * again with the empty string as second argument.
     */
    private static void assertDenied(AllowlistSecureIntrospector subject, Class<?> type) {
        assertFalse(subject.checkObjectExecutePermission(type, ""));
    }
}