Add test: vulnerable settings should fail importing

2024-03-27 15:12:57 +01:00 · 2024-03-27 15:12:57 +01:00 · 6afdbd6fd3
parent d8668ed226
commit 6afdbd6fd3
2 changed files with 19 additions and 0 deletions
--- a/app/src/test/java/org/schabi/newpipe/settings/ImportExportManagerTest.kt
+++ b/app/src/test/java/org/schabi/newpipe/settings/ImportExportManagerTest.kt
@ -3,6 +3,7 @@ package org.schabi.newpipe.settings
 import android.content.SharedPreferences
 import org.junit.Assert.assertEquals
 import org.junit.Assert.assertFalse
+import org.junit.Assert.assertThrows
 import org.junit.Assert.assertTrue
 import org.junit.Assume
 import org.junit.Before
@ -192,4 +193,22 @@ class ImportExportManagerTest {
        verify(editor, atLeastOnce()).putString(anyString(), anyString())
        verify(editor, atLeastOnce()).putInt(anyString(), anyInt())
    }
+
+    @Test
+    fun `Importing preferences with a serialization injected class should fail`() {
+        val settings = File.createTempFile("newpipe_", "")
+        `when`(fileLocator.settings).thenReturn(settings)
+
+        val emptyZip = File(classloader.getResource("settings/vulnerable_serialization.zip")?.file!!)
+        `when`(storedFileHelper.stream).thenReturn(FileStream(emptyZip))
+        Assume.assumeTrue(ImportExportManager(fileLocator).extractSettings(storedFileHelper))
+
+        val preferences = Mockito.mock(SharedPreferences::class.java, withSettings().stubOnly())
+        val editor = Mockito.mock(SharedPreferences.Editor::class.java)
+        `when`(preferences.edit()).thenReturn(editor)
+
+        assertThrows(ClassNotFoundException::class.java) {
+            ImportExportManager(fileLocator).loadSharedPreferences(preferences)
+        }
+    }
 }
--- a/app/src/test/resources/settings/vulnerable_serialization.zip
+++ b/app/src/test/resources/settings/vulnerable_serialization.zip