[jboss-svn-commits] JBL Code SVN: r26917 - labs/jbossrules/trunk/drools-pipeline/drools-transformer-xstream/src/test/java/org/drools/runtime/pipeline/impl.
Wed Jun 10 22:31:47 EDT 2009
Author: michael.neale at jboss.com
Date: 2009-06-10 22:31:46 -0400 (Wed, 10 Jun 2009)
New Revision: 26917
Modified:
labs/jbossrules/trunk/drools-pipeline/drools-transformer-xstream/src/test/java/org/drools/runtime/pipeline/impl/XStreamBatchExecutionTest.java
Log:
option to only allow literals as value for security reasons
Modified: labs/jbossrules/trunk/drools-pipeline/drools-transformer-xstream/src/test/java/org/drools/runtime/pipeline/impl/XStreamBatchExecutionTest.java
===================================================================
--- labs/jbossrules/trunk/drools-pipeline/drools-transformer-xstream/src/test/java/org/drools/runtime/pipeline/impl/XStreamBatchExecutionTest.java 2009-06-11 02:30:57 UTC (rev 26916)
+++ labs/jbossrules/trunk/drools-pipeline/drools-transformer-xstream/src/test/java/org/drools/runtime/pipeline/impl/XStreamBatchExecutionTest.java 2009-06-11 02:31:46 UTC (rev 26917)
@@ -34,6 +34,7 @@
import org.drools.io.ResourceFactory;
import org.drools.process.core.context.variable.VariableScope;
import org.drools.process.instance.context.variable.VariableScopeInstance;
+import org.drools.process.command.ModifyCommand;
import org.drools.runtime.ExecutionResults;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.StatelessKnowledgeSession;
@@ -459,7 +460,7 @@
inXml = "";
inXml += "<batch-execution>";
- inXml += " <modify factHandle='" + factHandle.toExternalForm() + "'> <set accessor='type' value='\"cheddar\"' /><set accessor='price' value='50' /></modify>";
+ inXml += " <modify factHandle='" + factHandle.toExternalForm() + "'> <set accessor='oldPrice' value='\"42\"' /><set accessor='price' value='50' /></modify>";
inXml += " <fire-all-rules />";
inXml += "</batch-execution>";
getPipelineStateful( ksession ).insert( inXml,
@@ -474,11 +475,24 @@
outXml = (String) resultHandler.getObject();
result = (ExecutionResults) BatchExecutionHelper.newXStreamMarshaller().fromXML( outXml );
Cheese cheddar = (Cheese) result.getValue( "outCheddar" );
- assertEquals( "cheddar",
- cheddar.getType() );
- assertEquals( 55,
- cheddar.getPrice() );
+ assertEquals( 42, cheddar.getOldPrice() );
+ assertEquals( 55, cheddar.getPrice() );
+
+ //now test for code injection:
+ ModifyCommand.ALLOW_MODIFY_EXPRESSIONS = false;
+ inXml = "";
+ inXml += "<batch-execution>";
+ inXml += " <modify factHandle='" + factHandle.toExternalForm() + "'> <set accessor='type' value='44\"; System.exit(1);' /><set accessor='price' value='50' /></modify>";
+ inXml += " <fire-all-rules />";
+ inXml += "</batch-execution>";
+ getPipelineStateful( ksession ).insert( inXml,
+ resultHandler );
+ outXml = (String) resultHandler.getObject();
+ result = (ExecutionResults) BatchExecutionHelper.newXStreamMarshaller().fromXML( outXml );
+ ModifyCommand.ALLOW_MODIFY_EXPRESSIONS = true;
+
+
}
public void testInsertElements() throws Exception {
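Review bot: The "code injection" case added at the end of this hunk never asserts that the payload was rejected: after `ModifyCommand.ALLOW_MODIFY_EXPRESSIONS = false` the batch is sent and `outXml` is unmarshalled, but nothing checks the outcome, so the test only fails if `System.exit(1)` actually kills the JVM, and a regression that mis-parses or silently applies the value would pass. Depending on how `ModifyCommand` rejects a non-literal (throwing, or leaving the fact unchanged — not visible here), either wrap the insert in a `try { … fail(...) } catch` or re-read the `Cheese` from the results and assert `type` is still its previous value. The reset `ModifyCommand.ALLOW_MODIFY_EXPRESSIONS = true;` is also not in a `finally`, so if the pipeline throws (plausibly the intended rejection path) the static flag stays `false` for every later test in the same JVM; a public mutable static as a security switch is process-global, so that leak would be silent. The payload `44"; System.exit(1);` has an unbalanced quote and may not even parse when expressions are allowed — a well-formed expression such as `System.exit(1)` would make the negative test meaningful, ideally alongside a positive case proving the literal-only check is what stops it. The enclosing test method starts before this hunk.
```java
        //now test for code injection: a non-literal value must not be evaluated
        ModifyCommand.ALLOW_MODIFY_EXPRESSIONS = false;
        try {
            inXml = "";
            inXml += "<batch-execution>";
            inXml += " <modify factHandle='" + factHandle.toExternalForm() + "'> <set accessor='type' value='System.exit(1)' /><set accessor='price' value='50' /></modify>";
            inXml += " <fire-all-rules />";
            inXml += "</batch-execution>";
            getPipelineStateful( ksession ).insert( inXml, resultHandler );
            // … depends on ModifyCommand's rejection mode: either fail() here because no exception
            //     was thrown, or unmarshal outXml and assert cheddar.getType() is unchanged …
        } finally {
            // never leak the disabled flag into later tests in this JVM
            ModifyCommand.ALLOW_MODIFY_EXPRESSIONS = true;
        }
```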