From 5f81dd218aab36bf1c6a7410c88c29594bb1a0e7 Mon Sep 17 00:00:00 2001
From: Ralph Goers
Date: Tue, 30 Nov 2021 22:38:22 -0700
Subject: [PATCH] Rename test. Various minor fixes
---
 .../logging/log4j/core/net/JndiManager.java | 31 +++++++++++++------
 ...est.java => JndiRestrictedLookupTest.java} | 4 +--
 ...-import.ldif => JndiRestrictedLookup.ldif} | 0
 3 files changed, 24 insertions(+), 11 deletions(-)
 rename log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/{JndiLdapLookupTest.java => JndiRestrictedLookupTest.java} (98%)
 rename log4j-core/src/test/resources/{java-import.ldif => JndiRestrictedLookup.ldif} (100%)
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
index 613a0551da..b392b938b4 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/JndiManager.java
@@ -21,12 +21,15 @@
 import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Properties;
 import java.util.concurrent.TimeUnit;
 import javax.naming.Context;
+import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
@@ -58,13 +61,12 @@ private static final List permanentAllowedHosts = NetUtils.getLocalIps(); private static final List permanentAllowedClasses = Arrays.asList(Boolean.class.getName(), Byte.class.getName(), Character.class.getName(), Double.class.getName(), Float.class.getName(), - Integer.class.getName(), Long.class.getName(), Number.class.getName(), Short.class.getName(), - String.class.getName()); + Integer.class.getName(), Long.class.getName(), Short.class.getName(), String.class.getName()); private static final List permanentAllowedProtocols = Arrays.asList(JAVA, LDAP, LDAPS); - private static final String SERIALIZED_DATA = "javaserializeddata"; - private static final String CLASS_NAME = "javaclassname"; - private static final String REFERENCE_ADDRESS = "javareferenceaddress"; - private static final String OBJECT_FACTORY = "javafactory"; + private static final String SERIALIZED_DATA = "javaSerializedData"; + private static final String CLASS_NAME = "javaClassName"; + private static final String REFERENCE_ADDRESS = "javaReferenceAddress"; + private static final String OBJECT_FACTORY = "javaFactory"; private final List allowedHosts; private final List allowedClasses; private final List allowedProtocols; 
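Review bot: The four schema constants changed here to camelCase (`"javaSerializedData"`, `"javaClassName"`, `"javaReferenceAddress"`, `"javaFactory"`) are compared exactly, because the next hunk (`@@ -218,8 +220,18 @@`) keys a plain `HashMap` by `attribute.getID()`; the class allow-list and the reference/factory rejection therefore apply only when the directory returns IDs in precisely this casing. LDAP attribute names are case-insensitive and their casing comes from the server that answered the lookup, which the commit's own comment concedes may differ from the test LDAP, so an entry with differently cased IDs would match none of the keys and skip both checks (what runs after them is outside the hunk). Make the match case-insensitive, for example `attributeMap.put(attribute.getID().toLowerCase(Locale.ROOT), attribute);` with these constants kept lowercase (`Locale` is already imported in this file), and cover it with an LDIF entry whose attribute IDs use mixed case.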
@@ -218,8 +220,18 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
 }
 Attributes attributes = this.context.getAttributes(name);
 if (attributes != null) {
- Attribute classNameAttr = attributes.get(CLASS_NAME);
- if (attributes.get(SERIALIZED_DATA) != null) {
+ // In testing the "key" for attributes seems to be lowercase while the attribute id is
+ // camelcase, but that may just be true for the test LDAP used here. This copies the Attributes
+ // to a Map ignoring the "key" and using the Attribute's id as the key in the Map so it matches
+ // the Java schema.
+ Map attributeMap = new HashMap<>();
+ NamingEnumeration enumeration = attributes.getAll();
+ while (enumeration.hasMore()) {
+ Attribute attribute = enumeration.next();
+ attributeMap.put(attribute.getID(), attribute);
+ }
+ Attribute classNameAttr = attributeMap.get(CLASS_NAME);
+ if (attributeMap.get(SERIALIZED_DATA) != null) {
 if (classNameAttr != null) {
 String className = classNameAttr.get().toString();
 if (!allowedClasses.contains(className)) {
@@ -230,7 +242,8 @@ protected boolean releaseSub(final long timeout, final TimeUnit timeUnit) {
 LOGGER.warn("No class name provided for {}", name);
 return null;
 }
- } else if (attributes.get(REFERENCE_ADDRESS) != null || attributes.get(OBJECT_FACTORY) != null){
+ } else if (attributeMap.get(REFERENCE_ADDRESS) != null
+ || attributeMap.get(OBJECT_FACTORY) != null) {
 LOGGER.warn("Referenceable class is not allowed for {}", name);
 return null;
 }
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
similarity index 98%
rename from log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
rename to log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
index a26d927da4..032c9c4d85 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiLdapLookupTest.java
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/lookup/JndiRestrictedLookupTest.java
@@ -36,7 +36,7 @@
 /**
 * JndiLookupTest
 */
-public class JndiLdapLookupTest {
+public class JndiRestrictedLookupTest {
 private static final String LDAP_URL = "ldap://127.0.0.1:";
 private static final String RESOURCE = "JndiExploit";
@@ -48,7 +48,7 @@
 @Rule
 public EmbeddedLdapRule embeddedLdapRule = EmbeddedLdapRuleBuilder.newInstance().usingDomainDsn(DOMAIN_DSN)
- .importingLdifs("java-import.ldif").build();
+ .importingLdifs("JndiRestrictedLookup.ldif").build();
 @BeforeClass
 public static void beforeClass() {
diff --git a/log4j-core/src/test/resources/java-import.ldif b/log4j-core/src/test/resources/JndiRestrictedLookup.ldif
similarity index 100%
rename from log4j-core/src/test/resources/java-import.ldif
rename to log4j-core/src/test/resources/JndiRestrictedLookup.ldif