1/*
2 * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24import java.io.ByteArrayInputStream;
25import java.io.InvalidClassException;
26import java.io.ObjectInputFilter;
27import java.io.ObjectInputStream;
28import java.io.Serializable;
29import java.security.Security;
30
31import org.testng.annotations.BeforeClass;
32import org.testng.annotations.DataProvider;
33import org.testng.annotations.Test;
34
35import static org.testng.Assert.assertTrue;
36import static org.testng.Assert.assertFalse;
37
38/* @test
39 * @build CheckInputOrderTest SerialFilterTest
40 * @run testng/othervm CheckInputOrderTest
41 *
42 * @summary Test that when both global filter and specific filter are set,
43 *          global filter will not affect specific filter.
44 */
45
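/**
 * Checks how the order of elements in a serial filter pattern string affects
 * the decision of the {@link ObjectInputFilter} built by
 * {@link ObjectInputFilter.Config#createFilter(String)} when that filter is
 * installed on a single {@link ObjectInputStream}.
 *
 * <p>The expectations in {@link #patterns()} encode two rules that matter when
 * writing a deserialization allow/deny list:
 * <ul>
 *   <li>class patterns are tried left to right and the first one that matches
 *       decides, so a {@code !reject} entry placed after a broader allow entry
 *       never takes effect;</li>
 *   <li>a limit ({@code maxarray}, {@code maxdepth}, {@code maxbytes},
 *       {@code maxrefs}) rejects the stream even when it is written after an
 *       allowing class pattern.</li>
 * </ul>
 */
public class CheckInputOrderTest implements Serializable {
    private static final long serialVersionUID = 12345678901L;

    /**
     * Supplies the test matrix.
     *
     * @return rows of {@code { object to serialize, filter pattern, allowed }},
     *         where {@code allowed} is {@code true} when deserialization is
     *         expected to succeed and {@code false} when the filter is expected
     *         to reject it
     */
    @DataProvider(name="Patterns")
    Object[][] patterns() {
        return new Object[][] {
                // Limits: each row appends a zero limit after patterns that would
                // otherwise allow the object; the limit is expected to win.
                // NOTE(review): genTestObject is defined in SerialFilterTest;
                // presumably it builds an object that exercises the named limit.
                new Object[] { SerialFilterTest.genTestObject("maxarray=1", true), "java.**;java.lang.*;java.lang.Long;maxarray=0", false },
                new Object[] { SerialFilterTest.genTestObject("maxarray=1", true), "java.**;java.lang.*;java.lang.Long", true },
                new Object[] { Long.MAX_VALUE, "java.**;java.lang.*;java.lang.Long;maxdepth=0", false },
                new Object[] { Long.MAX_VALUE, "java.**;java.lang.*;java.lang.Long;maxbytes=0", false },
                new Object[] { Long.MAX_VALUE, "java.**;java.lang.*;java.lang.Long;maxrefs=0", false },

                // Baseline: every pattern allows java.lang.Long.
                new Object[] { Long.MAX_VALUE, "java.**;java.lang.*;java.lang.Long", true },

                // Class patterns: the leftmost matching entry decides. A leading
                // reject blocks the object; a reject that follows a matching
                // allow entry is never reached.
                new Object[] { Long.MAX_VALUE, "!java.**;java.lang.*;java.lang.Long", false },
                new Object[] { Long.MAX_VALUE, "java.**;!java.lang.*;java.lang.Long", true },

                new Object[] { Long.MAX_VALUE, "!java.lang.*;java.**;java.lang.Long", false },
                new Object[] { Long.MAX_VALUE, "java.lang.*;!java.**;java.lang.Long", true },

                new Object[] { Long.MAX_VALUE, "!java.lang.Long;java.**;java.lang.*", false },
                new Object[] { Long.MAX_VALUE, "java.lang.Long;java.**;!java.lang.*", true },

                // Allowing only the exact class is not enough here: the first row
                // is expected to be rejected while the second, which also allows
                // java.lang.Number, passes. Presumably the superclass of Long is
                // filtered as well and falls through to "!java.**".
                new Object[] { Long.MAX_VALUE, "java.lang.Long;!java.**;java.lang.*", false },
                new Object[] { Long.MAX_VALUE, "java.lang.Long;java.lang.Number;!java.**;java.lang.*", true },
        };
    }

    /**
     * Serializes {@code toDeserialized}, reads it back through an
     * {@link ObjectInputStream} whose stream-specific filter is built from
     * {@code pattern}, and checks that the outcome matches {@code allowed}.
     *
     * <p>No process-wide filter is configured by this method; only the filter
     * set on the stream is exercised.
     *
     * @param toDeserialized object written to the byte stream and read back
     * @param pattern        filter pattern passed to
     *                       {@link ObjectInputFilter.Config#createFilter(String)}
     * @param allowed        {@code true} if {@code readObject} is expected to
     *                       succeed, {@code false} if it is expected to fail
     *                       with {@link InvalidClassException}
     * @throws Exception if serialization or stream handling fails for a reason
     *                   other than the filter rejecting the object
     */
    @Test(dataProvider="Patterns")
    public void testRejectedInGlobal(Object toDeserialized, String pattern, boolean allowed) throws Exception {
        byte[] bytes = SerialFilterTest.writeObjects(toDeserialized);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);

        try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
                ObjectInputStream ois = new ObjectInputStream(bais)) {
            // The filter must be installed before the first read from the stream.
            ois.setObjectInputFilter(filter);
            ois.readObject();
            // Reaching this point means the filter let the object through.
            assertTrue(allowed, "filter should have thrown an exception");
        } catch (InvalidClassException ice) {
            // A rejection surfaced; it is a failure only if the row expected success.
            assertFalse(allowed, "filter should not have thrown an exception: " + ice);
        }
    }
}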