Author: bdelacretaz
Date: Wed Nov 11 10:20:33 2015
New Revision: 1713799

URL: http://svn.apache.org/viewvc?rev=1713799&view=rev
Log:
SLING-5288 - RegexpClassAcceptor added, with both white and black lists

Added:
    
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/RegexpClassAcceptor.java
    
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/RegexpClassAcceptorTest.java
Modified:
    
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java

Added: 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/RegexpClassAcceptor.java
URL: 
http://svn.apache.org/viewvc/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/RegexpClassAcceptor.java?rev=1713799&view=auto
==============================================================================
--- 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/RegexpClassAcceptor.java
 (added)
+++ 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/main/java/org/apache/sling/deserialization/RegexpClassAcceptor.java
 Wed Nov 11 10:20:33 2015
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.deserialization;
+
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
+/** ClassAcceptor that uses regular expressions with both a
+ *  blacklist and a whitelist. 
+ */
+public class RegexpClassAcceptor implements ClassAcceptor {
+    private Pattern [] blacklist;
+    private Pattern [] whitelist;
+
+    /** Set our blacklist of class name patterns, which takes precedence over 
our whitelist */
+    public RegexpClassAcceptor setBlacklist(String ... pattern) throws 
PatternSyntaxException {
+        blacklist = compile(pattern);
+        return this;
+    }
+
+    /** Set our whitelist of class name patterns */
+    public RegexpClassAcceptor setWhitelist(String ... pattern) throws 
PatternSyntaxException {
+        whitelist = compile(pattern);
+        return this;
+    }
+    
+    private Pattern [] compile(String ... pattern) {
+        final Pattern [] result = new Pattern[pattern.length];
+        for(int i=0; i < pattern.length; i++) {
+            result[i] = Pattern.compile(pattern[i]);
+        }
+        return result;
+    }
+
+    /** Throw ClassRejectedException if the supplied className matches
+     *  any of our blacklist patterns, or if it does not match those and
+     *  also doesn't match any whitelist pattern. 
+     */
+    public void accept(String className) throws 
ClassAcceptor.ClassRejectedException {
+        // Blacklist overrides whitelist
+        if(blacklist != null) {
+            for(Pattern p : blacklist) {
+                if(p.matcher(className).matches()) {
+                    throw new ClassRejectedException();
+                }
+            }   
+        }
+        
+        boolean match = false;
+        if(whitelist != null) {
+            for(Pattern p : whitelist) {
+                if(p.matcher(className).matches()) {
+                    match = true;
+                    break;
+                }
+            }
+        }
+        if(!match) {
+            throw new ClassRejectedException();
+        }
+    }
+}
\ No newline at end of file
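Review bot: accept() passes className straight to `p.matcher(className)`, so once any blacklist or whitelist pattern is configured a null name raises NullPointerException instead of ClassRejectedException. testNullName only exercises the no-pattern case, where both loops are skipped. A guard as the first statement of accept(), `if(className == null) { throw new ClassRejectedException(); }`, keeps every refusal on the one exception type that callers of a deserialization filter are expected to handle. The class Javadoc should also say that an acceptor with no whitelist rejects every class and that patterns are applied with `matches()`, i.e. against the whole class name, since those two properties are what make the filter default-deny.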

Added: 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/RegexpClassAcceptorTest.java
URL: 
http://svn.apache.org/viewvc/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/RegexpClassAcceptorTest.java?rev=1713799&view=auto
==============================================================================
--- 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/RegexpClassAcceptorTest.java
 (added)
+++ 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/RegexpClassAcceptorTest.java
 Wed Nov 11 10:20:33 2015
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sling.deserialization;
+
+import java.util.regex.PatternSyntaxException;
+
+import org.junit.Test;
+
+public class RegexpClassAcceptorTest {
+    
+    @Test(expected=ClassAcceptor.ClassRejectedException.class)
+    public void testNoPatterns() throws ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor().accept("foo");
+    }
+    
+    @Test(expected=PatternSyntaxException.class)
+    public void testInvalidWhitelistPattern() throws 
ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor().setWhitelist("(");
+    }
+    
+    @Test(expected=PatternSyntaxException.class)
+    public void testInvalidBlacklistPattern() throws 
ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor().setBlacklist("(");
+    }
+    
+    @Test(expected=ClassAcceptor.ClassRejectedException.class)
+    public void testNullName() throws ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor().accept(null);
+    }
+    
+    @Test
+    public void testWhitelist() throws ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor()
+        .setWhitelist("foo.*")
+        .accept("foo.should.pass");
+    }
+    
+    @Test
+    public void testMultipleWhitelist() throws 
ClassAcceptor.ClassRejectedException {
+        final ClassAcceptor ca = new 
RegexpClassAcceptor().setWhitelist("bar","foo.*");
+        ca.accept("foo.should.pass");
+        ca.accept("bar");
+    }
+    
+    @Test(expected=ClassAcceptor.ClassRejectedException.class)
+    public void testBlacklistOnly() throws 
ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor()
+        .setBlacklist(".*won't.*")
+        .accept("foo.won't.pass");
+    }
+    
+    @Test(expected=ClassAcceptor.ClassRejectedException.class)
+    public void testBlacklistOverrideA() throws 
ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor()
+        .setBlacklist(".*won't.*")
+        .setWhitelist("bar","foo.*")
+        .accept("foo.won't.pass");
+    }
+    
+    @Test(expected=ClassAcceptor.ClassRejectedException.class)
+    public void testBlacklistOverrideB() throws 
ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor()
+        .setBlacklist("bar","foo")
+        .setWhitelist(".*")
+        .accept("bar");
+    }
+    
+    @Test(expected=ClassAcceptor.ClassRejectedException.class)
+    public void testMultipleBlacklistOverride() throws 
ClassAcceptor.ClassRejectedException {
+        new RegexpClassAcceptor()
+        .setBlacklist("foo",".*won't.*")
+        .setWhitelist("bar","foo.*")
+        .accept("foo.won't.pass");
+    }
+}
\ No newline at end of file
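Review bot: testBlacklistOnly cannot detect a broken blacklist, because with no whitelist set accept() rejects every name and the test passes even if the blacklist patterns are never consulted. The suite also has no case where a whitelist is configured and a non-matching, non-blacklisted name must be rejected, and nothing pins whole-name matching. Add a test annotated `@Test(expected=ClassAcceptor.ClassRejectedException.class)` whose body is `new RegexpClassAcceptor().setWhitelist("foo").accept("foo.other");`, so that a later switch from `matches()` to `find()` fails the build. A second null-name test with a whitelist set would cover the path where the matcher is actually invoked.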

Modified: 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java
URL: 
http://svn.apache.org/viewvc/sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java?rev=1713799&r1=1713798&r2=1713799&view=diff
==============================================================================
--- 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java
 (original)
+++ 
sling/whiteboard/bdelacretaz/safe-object-input-stream/src/test/java/org/apache/sling/deserialization/SafeObjectInputStreamTest.java
 Wed Nov 11 10:20:33 2015
@@ -93,4 +93,10 @@ public class SafeObjectInputStreamTest {
         acceptor = new WhitelistClassAcceptor(Integer.class, 
TestSerializable.class);
         testSerialize();
     }
+    
+    @Test
+    public void testBasicRegexpAcceptor() throws Exception {
+        acceptor = new RegexpClassAcceptor().setWhitelist("org.*TestSer.*");
+        testSerialize();
+    }
 }
\ No newline at end of file
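Review bot: testBasicRegexpAcceptor only shows that the regexp acceptor lets the expected class through the stream; nothing here checks that SafeObjectInputStream refuses a class the pattern does not cover. A companion test with a whitelist that cannot match the serialized type, expecting the rejection, would exercise the security-relevant path. The pattern `"org.*TestSer.*"` also leaves its dots unescaped and admits any name that starts with `org` and contains `TestSer`. Because tests tend to be copied as usage examples, a tighter form with escaped package separators (`\\.`) and the full package prefix would be a better model. The enclosing class and testSerialize() are outside this hunk, so what is actually deserialized could not be confirmed from here.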

