Improved: Improve ObjectInputStream denyList (OFBIZ-12221)

JacquesLeRoux · JacquesLeRoux · commit 7fd9d05f7e9e · 2021-04-07T10:12:33.000+02:00
Forgot to change ListOfSafeObjectsForInputStream to allowList in UtilObjectTests
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -42,7 +42,7 @@ public final class SafeObjectInputStream extends ObjectInputStream {
             "\\[Z", "\\[B", "\\[S", "\\[I", "\\[J", "\\[F", "\\[D", "\\[C",
             "java..*", "sun.util.calendar..*", "org.apache.ofbiz..*",
             "org.codehaus.groovy.runtime.GStringImpl", "groovy.lang.GString"};
-    private static final String[] DEFAULT_DENYLIST = { "rmi", "<" };
+    private static final String[] DEFAULT_DENYLIST = {"rmi", "<"};
 
     /** The regular expression used to match serialized types. */
     private final Pattern allowlistPattern;
diff --git a/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java b/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilObjectTests.java
@@ -21,12 +21,12 @@
 import static org.apache.ofbiz.base.util.UtilMisc.toSet;
 import static org.apache.ofbiz.base.util.UtilObject.getObjectException;
 import static org.apache.ofbiz.base.util.UtilObject.getObjectFromFactory;
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.contains;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNotSame;
 import static org.junit.Assert.assertNull;
-import static org.hamcrest.MatcherAssert.assertThat;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -51,7 +51,7 @@ public class UtilObjectTests {
     @After
     public void cleanUp() {
         // Ensure that the default value of allowed deserialization classes is used.
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream", "");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "");
     }
 
     public static final class ErrorInjector extends FilterInputStream {
@@ -333,22 +333,19 @@ public void testGetObjectExceptionSafe() throws IOException, ClassNotFoundExcept
     // Test reading a valid customized list of string object.
     @Test
     public void testGetObjectExceptionCustomized() throws IOException, ClassNotFoundException {
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
-                "java.util.Arrays.ArrayList,java.lang.String");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "java.util.Arrays.ArrayList,java.lang.String");
         testGetObjectExceptionSafe();
 
         // With extra whitespace
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
-                "java.util.Arrays.ArrayList, java.lang.String");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "java.util.Arrays.ArrayList, java.lang.String");
         testGetObjectExceptionSafe();
     }
 
     // Test reading a basic list of string object after forbidding such kind of objects.
     @Test(expected = ClassCastException.class)
     public void testGetObjectExceptionUnsafe() throws IOException, ClassNotFoundException {
         // Only allow object of type where the package prefix is 'org.apache.ofbiz'
-        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "ListOfSafeObjectsForInputStream",
-                "org.apache.ofbiz..*");
+        UtilProperties.setPropertyValueInMemory("SafeObjectInputStream", "allowList", "org.apache.ofbiz..*");
         try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
                 ObjectOutputStream oos = new ObjectOutputStream(bos)) {
             List<String> forbiddenObject = Arrays.asList("foo", "bar", "baz");
