1 /*
2  * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.
8  *
9  * This code is distributed in the hope that it will be useful, but WITHOUT
10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12  * version 2 for more details (a copy is included in the LICENSE file that
13  * accompanied this code).
14  *
15  * You should have received a copy of the GNU General Public License version
16  * 2 along with this work; if not, write to the Free Software Foundation,
17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  *
19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20  * or visit www.oracle.com if you need additional information or have any
21  * questions.
22  */
23 
24 import java.io.ByteArrayInputStream;
25 import java.io.IOException;
26 import java.io.InputStream;
27 import java.io.ObjectInputFilter;
28 import java.io.ObjectInputStream;
29 import java.io.InvalidClassException;
30 
31 import jdk.internal.access.SharedSecrets;
32 
33 import org.testng.annotations.DataProvider;
34 import org.testng.annotations.Test;
35 import org.testng.Assert;
36 
37 /* @test
38  * @build CheckArrayTest SerialFilterTest
39  * @bug 8203368
40  * @modules java.base/jdk.internal.access
41  * @run testng CheckArrayTest
42  *
43  * @summary Test the SharedSecret access to ObjectInputStream.checkArray works
44  *      with overridden subclasses.
45  */
46 
47 /**
48  * Verify that the SharedSecret access to the OIS checkAccess method
49  * does not fail with NPE in the case where ObjectInputStream is subclassed.
50  * The checkAccess method is called from various aggregate types in java.util
51  * to check array sizes during deserialization via the ObjectInputFilter attached the stream.
52  * The filterCheck must be resilent to an InputStream not being available (only the subclass knows).
53  */
54 public class CheckArrayTest {
55 
56     @DataProvider(name = "Patterns")
patterns()57     Object[][] patterns() {
58         return new Object[][]{
59                 new Object[]{"maxarray=10", 10, new String[10]},    // successful
60                 new Object[]{"maxarray=10", 11, new String[11]},    // exception expected
61         };
62     }
63 
64     /**
65      * Test SharedSecrets checkArray with unmodified ObjectInputStream.
66      */
67     @Test(dataProvider = "Patterns")
normalOIS(String pattern, int arraySize, Object[] array)68     public void normalOIS(String pattern, int arraySize, Object[] array) throws IOException {
69         ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
70         byte[] bytes = SerialFilterTest.writeObjects(array);
71         try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
72              ObjectInputStream ois = new ObjectInputStream(bais)) {
73             // Check the arraysize against the filter
74             try {
75                 ois.setObjectInputFilter(filter);
76                 SharedSecrets.getJavaObjectInputStreamAccess()
77                         .checkArray(ois, array.getClass(), arraySize);
78                 Assert.assertTrue(array.length >= arraySize,
79                         "Should have thrown InvalidClassException due to array size");
80             } catch (InvalidClassException ice) {
81                 Assert.assertFalse(array.length > arraySize,
82                         "Should NOT have thrown InvalidClassException due to array size");
83             }
84         }
85     }
86 
87     /**
88      * Test SharedSecrets checkArray with an ObjectInputStream subclassed to
89      * handle all input stream functions.
90      */
91     @Test(dataProvider = "Patterns")
subclassedOIS(String pattern, int arraySize, Object[] array)92     public void subclassedOIS(String pattern, int arraySize, Object[] array) throws IOException {
93         byte[] bytes = SerialFilterTest.writeObjects(array);
94         try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
95              ObjectInputStream ois = new MyInputStream(bais)) {
96             // Check the arraysize against the filter
97             ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
98             ois.setObjectInputFilter(filter);
99             SharedSecrets.getJavaObjectInputStreamAccess()
100                     .checkArray(ois, array.getClass(), arraySize);
101             Assert.assertTrue(array.length >= arraySize,
102                     "Should have thrown InvalidClassException due to array size");
103         } catch (InvalidClassException ice) {
104             Assert.assertFalse(array.length > arraySize,
105                     "Should NOT have thrown InvalidClassException due to array size");
106         }
107     }
108 
109     /**
110      * Subclass OIS to disable all input stream functions of the OIS.
111      */
112     static class MyInputStream extends ObjectInputStream {
MyInputStream(InputStream is)113         MyInputStream(InputStream is) throws IOException {
114             super();
115         }
116 
close()117         public void close() {
118         }
119     }
120 }
121