Add test: vulnerable settings should fail importing

Stypox 2024-03-27 15:12:57 +01:00
parent d8668ed226
commit 6afdbd6fd3
No known key found for this signature in database
GPG key ID: 4BDF1B40A49FDD23
2 changed files with 19 additions and 0 deletions


@ -3,6 +3,7 @@ package org.schabi.newpipe.settings
import android.content.SharedPreferences
import org.junit.Assert.assertEquals
import org.junit.Assert.assertFalse
import org.junit.Assert.assertThrows
import org.junit.Assert.assertTrue
import org.junit.Assume
import org.junit.Before
@ -192,4 +193,22 @@ class ImportExportManagerTest {
verify(editor, atLeastOnce()).putString(anyString(), anyString())
verify(editor, atLeastOnce()).putInt(anyString(), anyInt())
}
@Test
fun `Importing preferences with a serialization injected class should fail`() {
val settings = File.createTempFile("newpipe_", "")
`when`(fileLocator.settings).thenReturn(settings)
val emptyZip = File(classloader.getResource("settings/vulnerable_serialization.zip")?.file!!)
`when`(storedFileHelper.stream).thenReturn(FileStream(emptyZip))
Assume.assumeTrue(ImportExportManager(fileLocator).extractSettings(storedFileHelper))
val preferences = Mockito.mock(SharedPreferences::class.java, withSettings().stubOnly())
val editor = Mockito.mock(SharedPreferences.Editor::class.java)
`when`(preferences.edit()).thenReturn(editor)
assertThrows(ClassNotFoundException::class.java) {
ImportExportManager(fileLocator).loadSharedPreferences(preferences)
}
}
}
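Review bot: The `assertThrows(ClassNotFoundException::class.java)` check at the end of the new test may not tell a hardened loader from an unhardened one. A plain `ObjectInputStream` also throws `ClassNotFoundException` when the serialized class is simply missing from the test classpath, and the content of `settings/vulnerable_serialization.zip` is not visible here. If that applies, the fixture should reference a class the test JVM can resolve, and the test could also check that nothing was written, for example `verify(editor, never()).putString(anyString(), anyString())`. Separately, `Assume.assumeTrue(...)` reports the test as skipped when extraction fails, so a broken fixture would silently disable this regression check; `assertTrue(ImportExportManager(fileLocator).extractSettings(storedFileHelper))` would fail loudly instead. The local `emptyZip` looks like a leftover name and `vulnerableZip` would be accurate; the enclosing class starts outside the hunk.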