This is an automated email from the ASF dual-hosted git repository.

joerghoh pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-engine.git


The following commit(s) were added to refs/heads/master by this push:
     new 7198a27  SLING-13102 Add tests for TRACE-disabled handling and 
selector validation (#70)
7198a27 is described below

commit 7198a27076100848e8e184a8bec32f79f0caf655
Author: aswindhanan <[email protected]>
AuthorDate: Wed Feb 11 02:47:16 2026 -0600

    SLING-13102 Add tests for TRACE-disabled handling and selector validation 
(#70)
    
    * Add tests for TRACE-disabled handling in SlingMainServlet
    * Add selector validation tests
    * Replace reflection with OSGi DS config in SlingMainServletTest
---
 .../sling/engine/impl/SlingMainServletTest.java    | 86 ++++++++++++++++++++++
 .../request/RequestDataSelectorValidationTest.java | 62 ++++++++++++++++
 2 files changed, 148 insertions(+)

diff --git 
a/src/test/java/org/apache/sling/engine/impl/SlingMainServletTest.java 
b/src/test/java/org/apache/sling/engine/impl/SlingMainServletTest.java
new file mode 100644
index 0000000..564fe56
--- /dev/null
+++ b/src/test/java/org/apache/sling/engine/impl/SlingMainServletTest.java
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.engine.impl;
+
+import java.util.Dictionary;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.Map;
+
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.apache.sling.testing.mock.osgi.junit.OsgiContext;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public class SlingMainServletTest {
+    @Rule
+    public final OsgiContext osgiContext = new OsgiContext();
+
+    @Mock
+    private HttpServletRequest request;
+
+    @Mock
+    private HttpServletResponse response;
+
+    private SlingMainServlet servlet;
+
+    @Before
+    public void setUp() {
+        MockitoAnnotations.openMocks(this);
+
+        // Provide mandatory ProductInfoProvider reference (mock is sufficient 
for activation)
+        osgiContext.registerService(ProductInfoProvider.class, 
Mockito.mock(ProductInfoProvider.class));
+
+        // Provide a ServletContext service with the expected name property to 
satisfy the target filter
+        Dictionary<String, Object> props = new Hashtable<>();
+        props.put("name", SlingHttpContext.SERVLET_CONTEXT_NAME);
+        osgiContext.bundleContext().registerService(ServletContext.class, 
Mockito.mock(ServletContext.class), props);
+
+        // Satisfy mandatory reference to SlingRequestProcessorImpl
+        osgiContext.registerService(SlingRequestProcessorImpl.class, 
Mockito.mock(SlingRequestProcessorImpl.class));
+
+        // Activate SlingMainServlet with OSGi config
+        Map<String, Object> cfg = new HashMap<>();
+        cfg.put("sling_trace_allow", false);
+        cfg.put("servlet_name", "test-servlet");
+        servlet = 
osgiContext.registerInjectActivateService(SlingMainServlet.class, cfg);
+    }
+
+    @Test
+    public void testTraceDisabledReturns405AndAllowHeader() throws 
ServletException {
+        when(request.getMethod()).thenReturn("TRACE");
+        // Act
+        servlet.service(request, response);
+
+        // Assert
+        verify(response, 
times(1)).setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+        verify(response, times(1)).setHeader("Allow", "GET, HEAD, POST, PUT, 
DELETE, OPTIONS");
+    }
+}
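Review bot: The configuration map in `setUp` uses the keys `sling_trace_allow` and `servlet_name`, which look like the method names of a DS component property type rather than property names. Under the DS name mapping an underscore in a method name becomes a dot in the property key, so these entries may never reach the servlet's configuration. The Config type is not visible in this hunk, but if that mapping applies, the test exercises the default value rather than the configured one and would not notice a regression in how the setting is read; the keys would then be `cfg.put("sling.trace.allow", false);` and `cfg.put("servlet.name", "test-servlet");`. The test also never checks that the request stopped at the servlet. Keeping the `SlingRequestProcessorImpl` mock in a field and adding `verifyNoInteractions(processor);` after the status and header checks would pin that a rejected TRACE is not handed on for processing.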
diff --git 
a/src/test/java/org/apache/sling/engine/impl/request/RequestDataSelectorValidationTest.java
 
b/src/test/java/org/apache/sling/engine/impl/request/RequestDataSelectorValidationTest.java
new file mode 100644
index 0000000..0f485b0
--- /dev/null
+++ 
b/src/test/java/org/apache/sling/engine/impl/request/RequestDataSelectorValidationTest.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.engine.impl.request;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Selector-focused validation for RequestData.isValidRequest.
+ * Kept separate from RequestDataTest, which covers path traversal patterns.
+ */
+public class RequestDataSelectorValidationTest {
+
+    @Test
+    public void testEmptySelectorInvalid() {
+        assertValidRequest(false, "/content", "");
+    }
+
+    @Test
+    public void testWhitespaceOnlySelectorInvalid() {
+        assertValidRequest(false, "/content", "  \t\n");
+    }
+
+    @Test
+    public void testValidSelectorsAccepted() {
+        assertValidRequest(true, "/content", "print", "a4", "json");
+    }
+
+    @Test
+    public void testMixedValidAndEmptySelectorInvalid() {
+        assertValidRequest(false, "/content", "print", "", "json");
+    }
+
+    private static void assertValidRequest(boolean expected, String path, 
String... selectors) {
+        boolean result = RequestData.isValidRequest(path, selectors);
+        String message = String.format(
+                "Expected %s for path=%s, selectors=%s", expected, path, 
java.util.Arrays.toString(selectors));
+        if (expected) {
+            assertTrue(message, result);
+        } else {
+            assertFalse(message, result);
+        }
+    }
+}
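Review bot: This class pins the empty, whitespace-only and mixed selector cases but has no case for a request with no selectors at all, which is the shape most requests have. Unless `RequestDataTest` already covers it, a test such as `assertValidRequest(true, "/content");` would show that rejecting empty selectors does not also reject an empty selector array; the expected value `true` is an assumption to confirm against `RequestData.isValidRequest`. As a style point, the if/else in the helper can be the single line `assertEquals(message, expected, result);`, and `java.util.Arrays` reads better as an import than as an inline qualified name.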
