Re-enable all but unsafe test

rick.parker 2023-04-05 08:56:06 +01:00
parent 6bf1587cf6
commit 2ed10bb0e9
5 changed files with 46 additions and 47 deletions


@ -2,21 +2,25 @@
package net.gredler.aegis4j; package net.gredler.aegis4j;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertNull;
import org.junit.jupiter.api.Test;
/** /**
* Tests {@link AegisAgent} monitoring via system properties. * Tests {@link AegisAgent} monitoring via system properties.
*/ */
public class AegisAgentMonitoringTest { public class AegisAgentMonitoringTest {
/* @AfterAll
public static void uninstallAgent() throws Exception {
TestUtils.installAgent("unblock=unsafe,serialization");
}
@Test @Test
public void testSystemProperty() throws Exception { public void testSystemProperty() throws Exception {
assertNull(System.getProperty("aegis4j.blocked.features")); assertNull(System.getProperty("aegis4j.blocked.features"));
TestUtils.installAgent("unblock=jndi,rmi,unsafe,scripting"); TestUtils.installAgent("unblock=jndi,rmi,unsafe,scripting");
assertEquals("serialization,jshell,process,httpserver", System.getProperty("aegis4j.blocked.features")); assertEquals("serialization,process,httpserver", System.getProperty("aegis4j.blocked.features"));
} }
*/
} }
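Review bot: The re-enabled testSystemProperty() still opens with `assertNull(System.getProperty("aegis4j.blocked.features"))`, while the new @AfterAll hook in this class, the identical hook in CVE_2015_7501 and the call added at the end of TestUtils.testLdap all invoke `TestUtils.installAgent("unblock=unsafe,serialization")`, so the class that JUnit happens to run first decides whether that assertion holds. If installAgent sets the property on every invocation, as the assertEquals two lines later implies, this test becomes order-dependent and fails whenever it runs after any class that uses testLdap; either clear the property in a @BeforeAll or drop the assertNull and assert only the post-install value. The expected string also lost `jshell` without any explanation, so a one-line comment above the assertEquals stating why jshell is no longer in the blocked list would stop the next reader from putting it back. The new @AfterAll method carries no Javadoc; a single sentence saying it re-installs the agent with a permissive configuration for the benefit of later test classes would document the side effect.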


@ -2,11 +2,14 @@
package net.gredler.aegis4j; package net.gredler.aegis4j;
import static net.gredler.aegis4j.TestUtils.OWNED; import org.apache.commons.collections4.FunctorException;
import static net.gredler.aegis4j.TestUtils.installAgent; import org.apache.commons.collections4.Transformer;
import static net.gredler.aegis4j.TestUtils.toBytes; import org.apache.commons.collections4.comparators.TransformingComparator;
import static org.junit.jupiter.api.Assertions.assertEquals; import org.apache.commons.collections4.functors.ChainedTransformer;
import static org.junit.jupiter.api.Assertions.fail; import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Test;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream; import java.io.ObjectInputStream;
@ -15,14 +18,11 @@ import java.nio.file.Path;
import java.util.Comparator; import java.util.Comparator;
import java.util.PriorityQueue; import java.util.PriorityQueue;
import jdk.nashorn.internal.ir.annotations.Ignore; import static net.gredler.aegis4j.TestUtils.OWNED;
import org.apache.commons.collections4.FunctorException; import static net.gredler.aegis4j.TestUtils.installAgent;
import org.apache.commons.collections4.Transformer; import static net.gredler.aegis4j.TestUtils.toBytes;
import org.apache.commons.collections4.comparators.TransformingComparator; import static org.junit.jupiter.api.Assertions.assertEquals;
import org.apache.commons.collections4.functors.ChainedTransformer; import static org.junit.jupiter.api.Assertions.fail;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.junit.jupiter.api.Test;
/** /**
* Tests mitigation of CVE-2015-7501, both at the process execution level and at the serialization level. * Tests mitigation of CVE-2015-7501, both at the process execution level and at the serialization level.
@ -35,10 +35,13 @@ import org.junit.jupiter.api.Test;
* @see <a href="https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections6.java">Exploit POC</a> * @see <a href="https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections6.java">Exploit POC</a>
*/ */
public class CVE_2015_7501 { public class CVE_2015_7501 {
@AfterAll
public static void uninstallAgent() throws Exception {
TestUtils.installAgent("unblock=unsafe,serialization");
}
/*
@Test @Test
@SuppressWarnings({ "rawtypes", "unchecked" }) @SuppressWarnings({"rawtypes", "unchecked"})
public void test() throws Exception { public void test() throws Exception {
Path temp = Files.createTempFile("aegis4j-", ".tmp"); Path temp = Files.createTempFile("aegis4j-", ".tmp");
@ -79,7 +82,7 @@ public class CVE_2015_7501 {
assertEquals("", TestUtils.fileReadString(temp), path); assertEquals("", TestUtils.fileReadString(temp), path);
// install aegis4j agent // install aegis4j agent
installAgent(null); installAgent("unblock=unsafe");
// trigger again directly, verify not owned // trigger again directly, verify not owned
try { try {
@ -103,5 +106,4 @@ public class CVE_2015_7501 {
assertEquals("Java deserialization blocked by aegis4j", e.getMessage()); assertEquals("Java deserialization blocked by aegis4j", e.getMessage());
} }
} }
*/
} }
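Review bot: The new `uninstallAgent()` at the top of CVE_2015_7501 does not uninstall anything: it calls `TestUtils.installAgent("unblock=unsafe,serialization")`, which re-installs the agent with a wider unblock set, so the name misstates the side effect a reader expects from an @AfterAll hook. Renaming it along the lines of `restorePermissiveAgent()` and adding a one-line Javadoc saying that it re-installs the agent with unsafe and serialization unblocked so that later test classes are not affected by this test's `installAgent("unblock=unsafe")` would make the intent explicit; the same method appears verbatim in AegisAgentMonitoringTest and the note applies there too. The option string is now repeated in three files (this class, AegisAgentMonitoringTest and the line added after ldapServer.shutDown in TestUtils.testLdap), so a single constant or helper in TestUtils would keep them from drifting apart. Whether installAgent can be invoked repeatedly in one JVM with different options is not visible here, and the re-enabled test() body, which starts in this hunk and continues outside it, now depends on that behaviour.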


@ -2,13 +2,12 @@
package net.gredler.aegis4j; package net.gredler.aegis4j;
import static net.gredler.aegis4j.TestUtils.testLdap; import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.log4j.receivers.db.JNDIConnectionSource; import org.apache.log4j.receivers.db.JNDIConnectionSource;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.function.Executable; import org.junit.jupiter.api.function.Executable;
import com.fasterxml.jackson.databind.ObjectMapper; import static net.gredler.aegis4j.TestUtils.testLdap;
/** /**
* Tests mitigation of CVE-2019-17531. No setup is required besides starting the LDAP server that * Tests mitigation of CVE-2019-17531. No setup is required besides starting the LDAP server that
@ -23,7 +22,6 @@ import com.fasterxml.jackson.databind.ObjectMapper;
* @see <a href="https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038">Understanding Jackson deserialization</a> * @see <a href="https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038">Understanding Jackson deserialization</a>
*/ */
public class CVE_2019_17531 { public class CVE_2019_17531 {
/*
@Test @Test
public void test() throws Throwable { public void test() throws Throwable {
@ -40,5 +38,4 @@ public class CVE_2019_17531 {
testLdap(setup, trigger, SerializableDataSource.class, true); testLdap(setup, trigger, SerializableDataSource.class, true);
} }
*/
} }


@ -2,9 +2,6 @@
package net.gredler.aegis4j; package net.gredler.aegis4j;
import static net.gredler.aegis4j.TestUtils.testLdap;
import jdk.nashorn.internal.ir.annotations.Ignore;
import org.apache.logging.log4j.Level; import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
@ -18,6 +15,8 @@ import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.function.Executable; import org.junit.jupiter.api.function.Executable;
import static net.gredler.aegis4j.TestUtils.testLdap;
/** /**
* Tests mitigation of CVE-2021-44228 (a.k.a. Log4Shell). During setup we simply configure log4j to * Tests mitigation of CVE-2021-44228 (a.k.a. Log4Shell). During setup we simply configure log4j to
* perform basic logging, and set up our LDAP server to serve serialized {@link SerializablePojo} * perform basic logging, and set up our LDAP server to serve serialized {@link SerializablePojo}
@ -28,8 +27,6 @@ import org.junit.jupiter.api.function.Executable;
* @see <a href="https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/">log4j-jndi-be-gone</a> * @see <a href="https://research.nccgroup.com/2021/12/12/log4j-jndi-be-gone-a-simple-mitigation-for-cve-2021-44228/">log4j-jndi-be-gone</a>
*/ */
public class CVE_2021_44228 { public class CVE_2021_44228 {
/*
@Test @Test
public void test() throws Throwable { public void test() throws Throwable {
@ -64,5 +61,4 @@ public class CVE_2021_44228 {
Configurator.initialize(builder.build()); Configurator.initialize(builder.build());
} }
*/
} }


@ -2,9 +2,15 @@
package net.gredler.aegis4j; package net.gredler.aegis4j;
import static org.junit.jupiter.api.Assertions.assertFalse; import com.google.common.base.Charsets;
import static org.junit.jupiter.api.Assertions.assertNull; import com.google.common.io.ByteStreams;
import static org.junit.jupiter.api.Assertions.assertTrue; import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import org.junit.jupiter.api.function.Executable;
import java.io.ByteArrayOutputStream; import java.io.ByteArrayOutputStream;
import java.io.IOException; import java.io.IOException;
@ -20,16 +26,9 @@ import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream; import java.util.jar.JarOutputStream;
import java.util.jar.Manifest; import java.util.jar.Manifest;
import com.google.common.base.Charsets; import static org.junit.jupiter.api.Assertions.assertFalse;
import com.google.common.io.ByteStreams; import static org.junit.jupiter.api.Assertions.assertNull;
import org.junit.jupiter.api.function.Executable; import static org.junit.jupiter.api.Assertions.assertTrue;
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
/** /**
* Base test class which makes it easy to set up an embedded LDAP server, trigger an LDAP-related * Base test class which makes it easy to set up an embedded LDAP server, trigger an LDAP-related
@ -53,7 +52,7 @@ public final class TestUtils {
System.clearProperty(OWNED); System.clearProperty(OWNED);
assertNull(System.getProperty(OWNED)); assertNull(System.getProperty(OWNED));
installAgent(null); installAgent("unblock=unsafe");
try { try {
trigger.execute(); trigger.execute();
@ -66,6 +65,7 @@ public final class TestUtils {
} }
ldapServer.shutDown(true); ldapServer.shutDown(true);
TestUtils.installAgent("unblock=unsafe,serialization");
} }
// https://docs.oracle.com/javase/jndi/tutorial/objects/representation/ldap.html // https://docs.oracle.com/javase/jndi/tutorial/objects/representation/ldap.html