From 08b9492f3330e93d477a5a5a275ed44755e9f52a Mon Sep 17 00:00:00 2001 From: "Determe, Sebastien (sd378r)" Date: Tue, 27 Mar 2018 10:25:41 +0200 Subject: Security Fix Introduce a centralized ObjectMapper for Resteasy and Clamp code so that the automatic Ser/deserialization of all classes is disabled. Issue-ID: CLAMP-135 Change-Id: I1fb11c8fc8e7a53ef832774fa8c06af1c70d3dad Signed-off-by: Determe, Sebastien (sd378r) --- .../org/onap/clamp/clds/util/JacksonUtilsTest.java | 95 ++++++++++++++++++++++ .../java/org/onap/clamp/clds/util/TestObject.java | 45 ++++++++++ .../java/org/onap/clamp/clds/util/TestObject2.java | 44 ++++++++++ 3 files changed, 184 insertions(+) create mode 100644 src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java create mode 100644 src/test/java/org/onap/clamp/clds/util/TestObject.java create mode 100644 src/test/java/org/onap/clamp/clds/util/TestObject2.java (limited to 'src/test/java/org/onap')
diff --git a/src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java b/src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java
new file mode 100644
index 000000000..d8774af70
--- /dev/null
+++ b/src/test/java/org/onap/clamp/clds/util/JacksonUtilsTest.java
@@ -0,0 +1,95 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.util;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+
+import com.fasterxml.jackson.core.JsonParseException;
+import com.fasterxml.jackson.databind.JsonMappingException;
+
+import java.io.IOException;
+
+import org.junit.Test;
+
+public class JacksonUtilsTest {
+
+ public static class TestClass extends TestObject {
+
+ String test2;
+ TestObject2 object2;
+
+ public TestClass(String value1, String value2) {
+ super(value1);
+ test2 = value2;
+ }
+
+ public TestClass() {
+ }
+
+ public String getTest2() {
+ return test2;
+ }
+
+ public void setTest2(String test2) {
+ this.test2 = test2;
+ }
+
+ public TestObject2 getObject2() {
+ return object2;
+ }
+
+ public void setObject2(TestObject2 object2) {
+ this.object2 = object2;
+ }
+ }
+
+ @Test
+ public void testGetObjectMapperInstance() {
+ assertNotNull(JacksonUtils.getObjectMapperInstance());
+ }
+
+ /**
+ * This method test that the security hole in Jackson is not enabled in the
+ * default ObjectMapper.
+ *
+ * @throws JsonParseException
+ * In case of issues
+ * @throws JsonMappingException
+ * In case of issues
+ * @throws IOException
+ * In case of issues
+ */
+ @Test
+ public void testCreateBeanDeserializer() throws JsonParseException, JsonMappingException, IOException {
+ TestClass test = new TestClass("value1", "value2");
+ test.setObject2(new TestObject2("test3"));
+ Object testObject = JacksonUtils.getObjectMapperInstance().readValue(
+ "[\"org.onap.clamp.clds.util.JacksonUtilsTest$TestClass\",{\"test\":\"value1\",\"test2\":\"value2\",\"object2\":[\"org.onap.clamp.clds.util.TestObject2\",{\"test3\":\"test3\"}]}]",
+ Object.class);
+ assertNotNull(testObject);
+ assertFalse(testObject instanceof TestObject);
+ assertFalse(testObject instanceof TestClass);
+ }
+}
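Review bot: The `test` fixture built at the top of testCreateBeanDeserializer is never used, and the two assertions only state what `testObject` is not, so the test also passes for any unrelated non-null result. Asserting the positive outcome and using the fixture on the writer side pins the shared mapper's intended behaviour: `assertTrue(testObject instanceof List);` (Jackson's untyped binding of a JSON array should yield a List when default typing is off) and `assertFalse(JacksonUtils.getObjectMapperInstance().writeValueAsString(test).contains("JacksonUtilsTest$TestClass"));`, which needs `assertTrue` and `java.util.List` imports. The second `assertFalse(testObject instanceof TestClass)` is implied by the first, since TestClass extends TestObject, and can be dropped. The Javadoc should also name the hole it guards rather than "the security hole in Jackson", e.g. `Verifies that default typing is disabled on the shared ObjectMapper, so a ["fqcn", {...}] payload is bound as plain JSON and never resolved to that class.`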
diff --git a/src/test/java/org/onap/clamp/clds/util/TestObject.java b/src/test/java/org/onap/clamp/clds/util/TestObject.java
new file mode 100644
index 000000000..cf8d3029b
--- /dev/null
+++ b/src/test/java/org/onap/clamp/clds/util/TestObject.java
@@ -0,0 +1,45 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.util;
+
+public class TestObject {
+
+ private String test;
+
+ public String getTest() {
+ return test;
+ }
+
+ public void setTest(String test) {
+ this.test = test;
+ }
+
+ // @JsonProperty("test"), @JsonCreator
+ public TestObject(String theString) {
+ this.setTest(theString);
+ }
+
+ public TestObject() {
+ }
+}
diff --git a/src/test/java/org/onap/clamp/clds/util/TestObject2.java b/src/test/java/org/onap/clamp/clds/util/TestObject2.java
new file mode 100644
index 000000000..d8d2d0167
--- /dev/null
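Review bot: The commented-out `// @JsonProperty("test"), @JsonCreator` above the TestObject(String) constructor in TestObject.java reads as leftover code rather than an explanation and should not land in a fixture that exists to document a security property. Either drop it or replace it with the reason the bean is kept annotation-free, e.g. `// Deliberately unannotated: presumably only default typing could bind this class from a ["fqcn", {...}] payload.` The rest of the fixture is a plain bean and is fine as-is.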
+++ b/src/test/java/org/onap/clamp/clds/util/TestObject2.java
@@ -0,0 +1,44 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * ONAP CLAMP
+ * ================================================================================
+ * Copyright (C) 2018 AT&T Intellectual Property. All rights
+ * reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END============================================
+ * ===================================================================
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+
+package org.onap.clamp.clds.util;
+
+public class TestObject2 {
+
+ private String test3;
+
+ public String getTest3() {
+ return test3;
+ }
+
+ public void setTest3(String test) {
+ this.test3 = test;
+ }
+
+ public TestObject2(String theString) {
+ this.setTest3(theString);
+ }
+
+ public TestObject2() {
+ }
+}
-- cgit 1.2.3-korg