1 files changed, 179 insertions, 0 deletions

diff --git a/velocity-engine-core/src/test/java/org/apache/velocity/test/SecureIntrospectionTestCase.java b/velocity-engine-core/src/test/java/org/apache/velocity/test/SecureIntrospectionTestCase.java
new file mode 100644
index 00000000..f504029f
--- /dev/null
+++ b/velocity-engine-core/src/test/java/org/apache/velocity/test/SecureIntrospectionTestCase.java
@@ -0,0 +1,179 @@
+package org.apache.velocity.test;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import junit.framework.Test;
+import junit.framework.TestSuite;
+import org.apache.velocity.VelocityContext;
+import org.apache.velocity.app.VelocityEngine;
+import org.apache.velocity.context.Context;
+import org.apache.velocity.exception.MethodInvocationException;
+import org.apache.velocity.exception.ParseErrorException;
+import org.apache.velocity.exception.ResourceNotFoundException;
+import org.apache.velocity.runtime.RuntimeConstants;
+import org.apache.velocity.util.introspection.SecureUberspector;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.io.Writer;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.util.Collection;
+import java.util.HashSet;
+
+/**
+ * Checks that the secure introspector is working properly.
+ *
+ * @author <a href="Will Glass-Husain">wglass@forio.com</a>
+ * @version $Id$
+ */
+public class SecureIntrospectionTestCase extends BaseTestCase
+{
+
+    /**
+     * Default constructor.
+     * @param name
+     */
+    public SecureIntrospectionTestCase(String name)
+    {
+        super(name);
+    }
+
+    public static Test suite()
+    {
+       return new TestSuite(SecureIntrospectionTestCase.class);
+    }
+
+
+    private String [] badTemplateStrings =
+    {
+        "$test.Class.Methods",
+        "$test.Class.ClassLoader",
+        "$test.Class.ClassLoader.loadClass('java.util.HashMap').newInstance().size()"
+    };
+
+    private String [] goodTemplateStrings =
+    {
+        "#foreach($item in $test.collection)$item#end",
+        "$test.Class.Name",
+        "#set($test.Property = 'abc')$test.Property",
+        "$test.aTestMethod()"
+    };
+
+    /**
+     *  Test to see that "dangerous" methods are forbidden
+     *  @exception Exception
+     */
+    public void testBadMethodCalls()
+        throws Exception
+    {
+        VelocityEngine ve = new VelocityEngine();
+        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SecureUberspector.class.getName());
+        ve.init();
+
+        /*
+         * all of the following method calls should not work
+         */
+        doTestMethods(ve, badTemplateStrings, false);
+    }
+
+    /**
+     *  Test to see that "dangerous" methods are forbidden
+     *  @exception Exception
+     */
+    public void testGoodMethodCalls()
+        throws Exception
+    {
+        VelocityEngine ve = new VelocityEngine();
+        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SecureUberspector.class.getName());
+        ve.init();
+
+        /*
+         * all of the following method calls should not work
+         */
+        doTestMethods(ve, goodTemplateStrings, true);
+    }
+
+    private void doTestMethods(VelocityEngine ve, String[] templateStrings, boolean shouldeval)
+    {
+        Context c = new VelocityContext();
+        c.put("test", this);
+
+        try
+        {
+            for (String templateString : templateStrings)
+            {
+                if (shouldeval && !doesStringEvaluate(ve, c, templateString))
+                {
+                    fail("Should have evaluated: " + templateString);
+                }
+
+                if (!shouldeval && doesStringEvaluate(ve, c, templateString))
+                {
+                    fail("Should not have evaluated: " + templateString);
+                }
+            }
+
+        }
+        catch (Exception e)
+        {
+            fail(e.toString());
+        }
+    }
+
+    private boolean doesStringEvaluate(VelocityEngine ve, Context c, String inputString) throws ParseErrorException, MethodInvocationException, ResourceNotFoundException, IOException
+    {
+        // assume that an evaluation is bad if the input and result are the same (e.g. a bad reference)
+        // or the result is an empty string (e.g. bad #foreach)
+        Writer w = new StringWriter();
+        ve.evaluate(c, w, "foo", inputString);
+        String result = w.toString();
+        return (result.length() > 0 ) &&  !result.equals(inputString);
+    }
+
+    private String testProperty;
+    public String getProperty()
+    {
+        return testProperty;
+    }
+
+    public int aTestMethod()
+    {
+        return 1;
+    }
+
+    public void setProperty(String val)
+    {
+        testProperty = val;
+    }
+
+
+    public Collection getCollection()
+    {
+        Collection c = new HashSet();
+        c.add("aaa");
+        c.add("bbb");
+        c.add("ccc");
+        return c;
+    }
+}
+
+