garydgregory commented on code in PR #435:
URL: https://github.com/apache/commons-compress/pull/435#discussion_r1389868899
##########
src/test/java/org/apache/commons/compress/compressors/z/ZCompressorInputStreamTest.java:
##########
@@ -68,4 +73,32 @@ public void
testSingleByteReadConsistentlyReturnsMinusOneAtEof() throws IOExcept
}
}
+ @Test
+ public void testInvalidMaxCodeSize() throws IOException {
+ Set<Integer> invalidValues = new TreeSet<>();
+ invalidValues.addAll(IntStream.range(Byte.MIN_VALUE,
-120).boxed().collect(Collectors.toSet()));
+ invalidValues.addAll(IntStream.range(-97,
-88).boxed().collect(Collectors.toSet()));
+ invalidValues.addAll(IntStream.range(-65,
-56).boxed().collect(Collectors.toSet()));
+ invalidValues.addAll(IntStream.range(-33,
-24).boxed().collect(Collectors.toSet()));
+ invalidValues.addAll(IntStream.range(-1,
8).boxed().collect(Collectors.toSet()));
+ invalidValues.addAll(IntStream.range(31,
40).boxed().collect(Collectors.toSet()));
+ invalidValues.addAll(IntStream.range(63,
72).boxed().collect(Collectors.toSet()));
+ invalidValues.addAll(IntStream.range(95,
104).boxed().collect(Collectors.toSet()));
+ invalidValues.add(127);
+
+ final File input = getFile("bla.tar.Z");
+ try (final InputStream contentStream =
Files.newInputStream(input.toPath())) {
+ final byte[] content = IOUtils.toByteArray(contentStream);
+
+ for (int value : invalidValues) {
+ content[2] = (byte) value;
+
+ // Test that invalid values always throw an IOException
+ assertThrows(IOException.class, () ->
+ new ZCompressorInputStream(new
ByteArrayInputStream(content), 1024 * 1024)
+ );
+ }
+ }
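Review bot: The eight IntStream.range(...) literals and invalidValues.add(127) at the top of testInvalidMaxCodeSize are unexplained magic numbers. Worked out by hand, they are exactly the 72 byte values whose low five bits are 0 to 7 or 31, across every combination of the top three bits. Nothing in the test says so, and a typo in any bound would silently drop cases. Suggest building the set with a loop from Byte.MIN_VALUE to Byte.MAX_VALUE that applies that predicate, plus a one-line comment naming the header field that content[2] carries. Also, assertThrows is called without a message, so a failure inside the loop will not say which value was accepted; use the assertThrows overload that takes a message and include the value. Minor: "for (int value : invalidValues)" could be "final int value" to match the other locals.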
Review Comment:
Many methods throw unchecked exceptions in this library and in most
libraries and in the JDK, so any truly bullet-proof app will know where it
needs to watch out for this based on testing, fuzzing, and general empirical
usage. All of this to say that the method ALREADY threw IAE, so now it does so
under another use case. IOW, it's fine the way it is IMO. I'm happy to hear
other opinions.