summaryrefslogtreecommitdiffstats
path: root/src/test
diff options
context:
space:
mode:
authorDeterme, Sebastien (sd378r) <sd378r@intl.att.com>2018-03-27 10:25:41 +0200
committerDeterme, Sebastien (sd378r) <sd378r@intl.att.com>2018-03-27 10:25:41 +0200
commit08b9492f3330e93d477a5a5a275ed44755e9f52a (patch)
tree9f335baacbc365fdfce7048b756c1db3f5e6fac4 /src/test
parent020f29ee84fe5d780108149aa9de04e86d308d03 (diff)
Security Fix
Introduce a centralized ObjectMapper for Resteasy and Clamp code so that the automatic Ser/deserialization of all classes is disabled. Issue-ID: CLAMP-135 Change-Id: I1fb11c8fc8e7a53ef832774fa8c06af1c70d3dad Signed-off-by: Determe, Sebastien (sd378r) <sd378r@intl.att.com>
Diffstat (limited to 'src/test')
-rw-r--r--src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java95
-rw-r--r--src/test/java/org/onap/clamp/clds/util/TestObject.java45
-rw-r--r--src/test/java/org/onap/clamp/clds/util/TestObject2.java44
3 files changed, 184 insertions, 0 deletions
diff --git a/src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java b/src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java
new file mode 100644
index 00000000..d8774af7
--- /dev/null
+++ b/src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java
@@ -0,0 +1,95 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.util;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.databind.JsonMappingException;
+
+import java.io.IOException;
+
+import org.junit.Test;
+
+public class JacksonUtilsTest {
+
+ public static class TestClass extends TestObject {
+
+ String test2;
+ TestObject2 object2;
+
+ public TestClass(String value1, String value2) {
+ super(value1);
+ test2 = value2;
+ }
+
+ public TestClass() {
+ }
+
+ public String getTest2() {
+ return test2;
+ }
+
+ public void setTest2(String test2) {
+ this.test2 = test2;
+ }
+
+ public TestObject2 getObject2() {
+ return object2;
+ }
+
+ public void setObject2(TestObject2 object2) {
+ this.object2 = object2;
+ }
+ }
+
+ @Test
+ public void testGetObjectMapperInstance() {
+ assertNotNull(JacksonUtils.getObjectMapperInstance());
+ }
+
+ /**
+ * This method test that the security hole in Jackson is not enabled in the
+ * default ObjectMapper.
+ *
+ * @throws JsonParseException
+ * In case of issues
+ * @throws JsonMappingException
+ * In case of issues
+ * @throws IOException
+ * In case of issues
+ */
+ @Test
+ public void testCreateBeanDeserializer() throws JsonParseException, JsonMappingException, IOException {
+ TestClass test = new TestClass("value1", "value2");
+ test.setObject2(new TestObject2("test3"));
+ Object testObject = JacksonUtils.getObjectMapperInstance().readValue(
+ "[\"org.onap.clamp.clds.util.JacksonUtilsTest$TestClass\",{\"test\":\"value1\",\"test2\":\"value2\",\"object2\":[\"org.onap.clamp.clds.util.TestObject2\",{\"test3\":\"test3\"}]}]",
+ Object.class);
+ assertNotNull(testObject);
+ assertFalse(testObject instanceof TestObject);
+ assertFalse(testObject instanceof TestClass);
+ }
+}
diff --git a/src/test/java/org/onap/clamp/clds/util/TestObject.java b/src/test/java/org/onap/clamp/clds/util/TestObject.java
new file mode 100644
index 00000000..cf8d3029
--- /dev/null
+++ b/src/test/java/org/onap/clamp/clds/util/TestObject.java
@@ -0,0 +1,45 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.util;
+
+public class TestObject {
+
+ private String test;
+
+ public String getTest() {
+ return test;
+ }
+
+ public void setTest(String test) {
+ this.test = test;
+ }
+
+ // @JsonProperty("test"), @JsonCreator
+ public TestObject(String theString) {
+ this.setTest(theString);
+ }
+
+ public TestObject() {
+ }
+}
diff --git a/src/test/java/org/onap/clamp/clds/util/TestObject2.java b/src/test/java/org/onap/clamp/clds/util/TestObject2.java
new file mode 100644
index 00000000..d8d2d016
--- /dev/null
+++ b/src/test/java/org/onap/clamp/clds/util/TestObject2.java
@@ -0,0 +1,44 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.util;
+
+public class TestObject2 {
+
+ private String test3;
+
+ public String getTest3() {
+ return test3;
+ }
+
+ public void setTest3(String test) {
+ this.test3 = test;
+ }
+
+ public TestObject2(String theString) {
+ this.setTest3(theString);
+ }
+
+ public TestObject2() {
+ }
+}