src/test/java/org/apache/commons/lang3/RangeReadObjectTest.java - commons-lang - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements. See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  *
  *      https://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.commons.lang3;

 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertInstanceOf;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;

 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InvalidObjectException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
 import java.util.Collections;
 import java.util.Comparator;
 import java.util.Objects;

 import org.apache.commons.lang3.reflect.FieldUtils;
 import org.junit.jupiter.api.Test;

 /**
  * Tests that a serialized {@link Range} can't store a bad cached hashCode.
  */
 class RangeReadObjectTest {

     /**
      * Standin class used only to drive {@link ObjectOutputStream#writeObject(Object)} into emitting a stream that matches the wire format of {@link Range} but
      * with caller-controlled field values. The class name and serialVersionUID are spoofed in the stream below via a custom {@link ObjectOutputStream} subclass
      * so the stream reads back as a {@code Range}.
      */
     private static final class RangeForge implements Serializable {

         private static final long serialVersionUID = 2L; // matches Range.serialVersionUID
         private final Object comparator;
         private final int hashCode;
         private final Object maximum;
         private final Object minimum;

         RangeForge(final Object comparator, final Object minimum, final Object maximum, final int hashCode) {
             this.comparator = comparator;
             this.minimum = minimum;
             this.maximum = maximum;
             this.hashCode = hashCode;
         }
     }

     private static Object deserialize(final byte[] bytes) throws IOException, ClassNotFoundException {
         try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
             return ois.readObject();
         }
     }

     /**
      * Serializes a {@link RangeForge} but rewrites the class descriptor name to "org.apache.commons.lang3.Range" so the resulting bytes deserialize as a
      * {@link Range}. Because the field set, types, order, and serialVersionUID all match, default deserialization assigns each forged value to the
      * corresponding Range field via reflection (bypassing the constructor).
      */
     private static byte[] forgeRangeStream(final Object comparator, final Object minimum, final Object maximum, final int hashCode) throws IOException {
         // Build the legitimate-shape bytes via RangeForge, then rewrite the embedded class name.
         final ByteArrayOutputStream baos = new ByteArrayOutputStream();
         try (ObjectOutputStream oos = new ObjectOutputStream(baos) {

             @Override
             protected void writeClassDescriptor(final java.io.ObjectStreamClass desc) throws IOException {
                 if (desc.getName().equals(RangeForge.class.getName())) {
                     // Emit a descriptor whose name is Range but whose field layout still matches RangeForge.
                     final java.io.ObjectStreamClass spoofed = java.io.ObjectStreamClass.lookup(Range.class);
                     super.writeClassDescriptor(spoofed);
                 } else {
                     super.writeClassDescriptor(desc);
                 }
             }
         }) {
             oos.writeObject(new RangeForge(comparator, minimum, maximum, hashCode));
         }
         return baos.toByteArray();
     }

     @Test
     void testBadHashCodeRejected() throws Exception {
         final Range<Integer> range = Range.of(1, 100);
         final byte[] bytes = SerializationUtils.serialize(range);
         // Locate the legitimate hashCode int in the serialized stream and overwrite it.
         final int hashCode = (Integer) FieldUtils.readDeclaredField(range, "hashCode", true);
         final byte[] edited = SerializationUtilsTest.replaceLastInt(bytes, hashCode, 0xDEADBEEF);
         final SerializationException ex = assertThrows(SerializationException.class, () -> SerializationUtils.deserialize(edited),
                 "Bad hashCode in stream must be rejected with InvalidObjectException");
         assertInstanceOf(InvalidObjectException.class, ex.getCause());
         assertEquals("java.io.InvalidObjectException: Range hashCode does not match minimum/maximum.", ex.getMessage());
     }

     /**
      * Forged stream with {@code comparator == null}; F-004 hashCode check passes because we set hashCode canonically; {@code contains()} then NPEs on
      * {@code comparator.compare(...)}.
      */
     @Test
     void testComparatorNullViaForgedStream() throws Exception {
         final Integer min = Integer.valueOf(1);
         final Integer max = Integer.valueOf(10);
         final int canonicalHash = Objects.hash(min, max);
         final byte[] forged = forgeRangeStream(null, min, max, canonicalHash);
         assertThrows(InvalidObjectException.class, () -> deserialize(forged));
     }

     /**
      * Forged stream: minimum=1, maximum=10, hashCode=hash(1,10) (all legitimate), but comparator replaced with a reversed ordering. The hashCode gate passes
      * (comparator excluded from the hash) and the null gates pass (comparator is non-null); the ordering invariant is the only one violated. The deserialized
      * Range still reports endpoints [1,10] but {@code contains(5)} returns false because it trusts the reversed comparator.
      */
     @Test
     void testForgedReversedComparatorBreaksContains() throws Exception {
         final Range<Integer> reference = Range.of(Integer.valueOf(1), Integer.valueOf(10));
         final Range<Integer> forged = Range.of(Integer.valueOf(1), Integer.valueOf(10));
         final Comparator<Integer> reversed = Collections.reverseOrder();
         FieldUtils.writeDeclaredField(forged, "comparator", reversed, true);
         assertThrows(InvalidObjectException.class, () -> deserialize(SerializationUtils.serialize(forged)));
         assertThrows(SerializationException.class, () -> SerializationUtils.deserialize(SerializationUtils.serialize(forged)));
         assertThrows(SerializationException.class, () -> SerializationUtils.roundtrip(forged));
         assertTrue(reference.contains(Integer.valueOf(5)));
     }

     /**
      * Forged stream with {@code maximum == null}; symmetric to F-061b.
      */
     @Test
     void testMaximumNullViaForgedStream() throws Exception {
         final Integer min = Integer.valueOf(1);
         final int canonicalHash = Objects.hash(min, (Object) null);
         final Object comparator = Range.of(Integer.valueOf(1), Integer.valueOf(2)).getComparator();
         final byte[] forged = forgeRangeStream(comparator, min, null, canonicalHash);
         assertThrows(InvalidObjectException.class, () -> deserialize(forged));
     }

     /**
      * Forged stream with {@code minimum == null}; {@code Objects.hash(null, max)} is a valid int, so the F-004 check passes. {@code contains()} NPEs
      * because {@code comparator.compare(element, null)} unboxes null (or, for ComparableComparator, calls {@code element.compareTo(null)} which is an
      * NPE-by-contract).
      */
     @Test
     void testMinimumNullViaForgedStream() throws Exception {
         final Integer max = Integer.valueOf(10);
         final int canonicalHash = Objects.hash((Object) null, max);
         // comparator must be non-null here so we isolate the minimum-null gap.
         // We use ComparableComparator.INSTANCE via deserialization round-trip of a real Range.
         final Object comparator = Range.of(Integer.valueOf(1), Integer.valueOf(2)).getComparator();
         final byte[] forged = forgeRangeStream(comparator, null, max, canonicalHash);
         assertThrows(InvalidObjectException.class, () -> deserialize(forged));
     }

     @Test
     void testRoundTripPreservesCorrectHashCode() throws Exception {
         final Range<String> range = Range.of("apple", "mango");
         final Range<String> roundtrip = SerializationUtils.roundtrip(range);
         assertEquals(range.hashCode(), roundtrip.hashCode(), "Round-trip serialization must preserve the correct hashCode");
         assertEquals(range, roundtrip);
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* https://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.commons.lang3;

	import static org.junit.jupiter.api.Assertions.assertEquals;
	import static org.junit.jupiter.api.Assertions.assertInstanceOf;
	import static org.junit.jupiter.api.Assertions.assertThrows;
	import static org.junit.jupiter.api.Assertions.assertTrue;

	import java.io.ByteArrayInputStream;
	import java.io.ByteArrayOutputStream;
	import java.io.IOException;
	import java.io.InvalidObjectException;
	import java.io.ObjectInputStream;
	import java.io.ObjectOutputStream;
	import java.io.Serializable;
	import java.util.Collections;
	import java.util.Comparator;
	import java.util.Objects;

	import org.apache.commons.lang3.reflect.FieldUtils;
	import org.junit.jupiter.api.Test;

	/**
	* Tests that a serialized {@link Range} can't store a bad cached hashCode.
	*/
	class RangeReadObjectTest {

	/**
	* Standin class used only to drive {@link ObjectOutputStream#writeObject(Object)} into emitting a stream that matches the wire format of {@link Range} but
	* with caller-controlled field values. The class name and serialVersionUID are spoofed in the stream below via a custom {@link ObjectOutputStream} subclass
	* so the stream reads back as a {@code Range}.
	*/
	private static final class RangeForge implements Serializable {

	private static final long serialVersionUID = 2L; // matches Range.serialVersionUID
	private final Object comparator;
	private final int hashCode;
	private final Object maximum;
	private final Object minimum;

	RangeForge(final Object comparator, final Object minimum, final Object maximum, final int hashCode) {
	this.comparator = comparator;
	this.minimum = minimum;
	this.maximum = maximum;
	this.hashCode = hashCode;
	}
	}

	private static Object deserialize(final byte[] bytes) throws IOException, ClassNotFoundException {
	try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
	return ois.readObject();
	}
	}

	/**
	* Serializes a {@link RangeForge} but rewrites the class descriptor name to "org.apache.commons.lang3.Range" so the resulting bytes deserialize as a
	* {@link Range}. Because the field set, types, order, and serialVersionUID all match, default deserialization assigns each forged value to the
	* corresponding Range field via reflection (bypassing the constructor).
	*/
	private static byte[] forgeRangeStream(final Object comparator, final Object minimum, final Object maximum, final int hashCode) throws IOException {
	// Build the legitimate-shape bytes via RangeForge, then rewrite the embedded class name.
	final ByteArrayOutputStream baos = new ByteArrayOutputStream();
	try (ObjectOutputStream oos = new ObjectOutputStream(baos) {

	@Override
	protected void writeClassDescriptor(final java.io.ObjectStreamClass desc) throws IOException {
	if (desc.getName().equals(RangeForge.class.getName())) {
	// Emit a descriptor whose name is Range but whose field layout still matches RangeForge.
	final java.io.ObjectStreamClass spoofed = java.io.ObjectStreamClass.lookup(Range.class);
	super.writeClassDescriptor(spoofed);
	} else {
	super.writeClassDescriptor(desc);
	}
	}
	}) {
	oos.writeObject(new RangeForge(comparator, minimum, maximum, hashCode));
	}
	return baos.toByteArray();
	}

	@Test
	void testBadHashCodeRejected() throws Exception {
	final Range<Integer> range = Range.of(1, 100);
	final byte[] bytes = SerializationUtils.serialize(range);
	// Locate the legitimate hashCode int in the serialized stream and overwrite it.
	final int hashCode = (Integer) FieldUtils.readDeclaredField(range, "hashCode", true);
	final byte[] edited = SerializationUtilsTest.replaceLastInt(bytes, hashCode, 0xDEADBEEF);
	final SerializationException ex = assertThrows(SerializationException.class, () -> SerializationUtils.deserialize(edited),
	"Bad hashCode in stream must be rejected with InvalidObjectException");
	assertInstanceOf(InvalidObjectException.class, ex.getCause());
	assertEquals("java.io.InvalidObjectException: Range hashCode does not match minimum/maximum.", ex.getMessage());
	}

	/**
	* Forged stream with {@code comparator == null}; F-004 hashCode check passes because we set hashCode canonically; {@code contains()} then NPEs on
	* {@code comparator.compare(...)}.
	*/
	@Test
	void testComparatorNullViaForgedStream() throws Exception {
	final Integer min = Integer.valueOf(1);
	final Integer max = Integer.valueOf(10);
	final int canonicalHash = Objects.hash(min, max);
	final byte[] forged = forgeRangeStream(null, min, max, canonicalHash);
	assertThrows(InvalidObjectException.class, () -> deserialize(forged));
	}

	/**
	* Forged stream: minimum=1, maximum=10, hashCode=hash(1,10) (all legitimate), but comparator replaced with a reversed ordering. The hashCode gate passes
	* (comparator excluded from the hash) and the null gates pass (comparator is non-null); the ordering invariant is the only one violated. The deserialized
	* Range still reports endpoints [1,10] but {@code contains(5)} returns false because it trusts the reversed comparator.
	*/
	@Test
	void testForgedReversedComparatorBreaksContains() throws Exception {
	final Range<Integer> reference = Range.of(Integer.valueOf(1), Integer.valueOf(10));
	final Range<Integer> forged = Range.of(Integer.valueOf(1), Integer.valueOf(10));
	final Comparator<Integer> reversed = Collections.reverseOrder();
	FieldUtils.writeDeclaredField(forged, "comparator", reversed, true);
	assertThrows(InvalidObjectException.class, () -> deserialize(SerializationUtils.serialize(forged)));
	assertThrows(SerializationException.class, () -> SerializationUtils.deserialize(SerializationUtils.serialize(forged)));
	assertThrows(SerializationException.class, () -> SerializationUtils.roundtrip(forged));
	assertTrue(reference.contains(Integer.valueOf(5)));
	}

	/**
	* Forged stream with {@code maximum == null}; symmetric to F-061b.
	*/
	@Test
	void testMaximumNullViaForgedStream() throws Exception {
	final Integer min = Integer.valueOf(1);
	final int canonicalHash = Objects.hash(min, (Object) null);
	final Object comparator = Range.of(Integer.valueOf(1), Integer.valueOf(2)).getComparator();
	final byte[] forged = forgeRangeStream(comparator, min, null, canonicalHash);
	assertThrows(InvalidObjectException.class, () -> deserialize(forged));
	}

	/**
	* Forged stream with {@code minimum == null}; {@code Objects.hash(null, max)} is a valid int, so the F-004 check passes. {@code contains()} NPEs
	* because {@code comparator.compare(element, null)} unboxes null (or, for ComparableComparator, calls {@code element.compareTo(null)} which is an
	* NPE-by-contract).
	*/
	@Test
	void testMinimumNullViaForgedStream() throws Exception {
	final Integer max = Integer.valueOf(10);
	final int canonicalHash = Objects.hash((Object) null, max);
	// comparator must be non-null here so we isolate the minimum-null gap.
	// We use ComparableComparator.INSTANCE via deserialization round-trip of a real Range.
	final Object comparator = Range.of(Integer.valueOf(1), Integer.valueOf(2)).getComparator();
	final byte[] forged = forgeRangeStream(comparator, null, max, canonicalHash);
	assertThrows(InvalidObjectException.class, () -> deserialize(forged));
	}

	@Test
	void testRoundTripPreservesCorrectHashCode() throws Exception {
	final Range<String> range = Range.of("apple", "mango");
	final Range<String> roundtrip = SerializationUtils.roundtrip(range);
	assertEquals(range.hashCode(), roundtrip.hashCode(), "Round-trip serialization must preserve the correct hashCode");
	assertEquals(range, roundtrip);
	}

	}