ppkarwasz commented on code in PR #636:
URL: 
https://github.com/apache/commons-configuration/pull/636#discussion_r3225921737


##########
src/test/java/org/apache/commons/configuration2/io/TestAbstractFileLocationStrategy.java:
##########
@@ -17,17 +17,100 @@
 
 package org.apache.commons.configuration2.io;
 
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
+import java.net.URL;
+import java.util.LinkedHashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.stream.Stream;
+
+import org.apache.commons.configuration2.ex.ConfigurationDeniedException;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 
 /**
  * Tests {@link AbstractFileLocationStrategy}.
  */
 public class TestAbstractFileLocationStrategy {
 
+    private static URL url(final String spec) throws Exception {
+        return new URL(spec);
+    }
+
+    // Bypasses the validation of the single-arg constructor
+    private static URL jarUrl(final String spec) throws Exception {
+        return new URL("jar", null,  spec);
+    }
+
+    private static Set<String> schemes(final String... values) {
+        return new LinkedHashSet<>(java.util.Arrays.asList(values));
+    }
+
+    private static Set<Pattern> hosts(final String... regexes) {
+        final LinkedHashSet<Pattern> set = new LinkedHashSet<>();
+        for (final String r : regexes) {
+            set.add(Pattern.compile(r, Pattern.CASE_INSENSITIVE));
+        }
+        return set;
+    }
+
+    static Stream<Arguments> testCheckUrlAccepts() throws Exception {
+        return Stream.of(
+                // Empty scheme allows all.
+                Arguments.of(url("file:/tmp/x.properties"), schemes(), 
hosts()),
+                Arguments.of(url("https://example.com/x.properties";), 
schemes(), hosts()),
+                // Bare schemes that match the allow-set.
+                Arguments.of(url("file:/tmp/x.properties"), schemes("file"), 
hosts()),
+                Arguments.of(url("https://example.com/x.properties";), 
schemes("https"), hosts()),
+                // jar: unwraps to the inner scheme, which is in the allow-set.
+                Arguments.of(url("jar:file:/tmp/x.jar!/y.properties"), 
schemes("file", "jar"), hosts()),
+                
Arguments.of(url("jar:https://example.com/x.jar!/y.properties";), 
schemes("https", "jar"), hosts()),
+                // Empty host allow-set means "any host".
+                Arguments.of(url("file:///tmp/x.properties"), schemes("file"), 
hosts()),
+                Arguments.of(url("http://anything.example/x.properties";), 
schemes("http"), hosts()),
+                
Arguments.of(url("jar:https://anything.example/x.jar!/y.properties";), 
schemes("https", "jar"), hosts()),
+                // Host satisfies allow-set
+                Arguments.of(url("file:///tmp/x.properties"), schemes("file"), 
hosts("trusted\\.example")),
+                Arguments.of(url("https://trusted.example/x.properties";), 
schemes("https", "jar"), hosts("trusted\\.example")),
+                
Arguments.of(url("jar:https://trusted.example/x.jar!/y.properties";), 
schemes("https", "jar"), hosts("trusted\\.example"))
+        );
+    }
+
+    static Stream<Arguments> testCheckUrlRejects() throws Exception {
+        return Stream.of(
+                // Plain scheme not in the allow-set.
+                Arguments.of(url("http://example.com/x.properties";), 
schemes("file", "jar"), hosts()),
+                // jar: is allowed but the inner scheme is not.
+                Arguments.of(url("jar:file:/tmp/x.jar!/y.properties"), 
schemes("jar"), hosts()),
+                
Arguments.of(url("jar:https://example.com/x.jar!/y.properties";), 
schemes("jar"), hosts()),
+                // Invalid jar URL
+                Arguments.of(jarUrl("file:/tmp/x.properties"), schemes("file", 
"jar"), hosts()),
+                Arguments.of(jarUrl("invalid url!/y.properties"), 
schemes("file", "jar"), hosts()),
+                // Host is not allowed
+                Arguments.of(url("https://evilhost/x.properties";), schemes(), 
hosts("trusted\\.example")),
+                Arguments.of(url("jar:https://evilhost/x.jar!/y.properties";), 
schemes(), hosts("trusted\\.example"))
+        );
+    }
+
     @Test
     void testBuilder() {
         assertThrows(NullPointerException.class, () -> new 
AbstractFileLocationStrategy.StrategyBuilder<>(null));
     }
+
+    @ParameterizedTest(name = "[{index}] {0}")
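Review bot: The reject rows in `testCheckUrlRejects` only use a host (`evilhost`) that shares no text with the allowed pattern, so nothing in these providers pins whether `hosts("trusted\\.example")` is applied as a full match or as a partial one. If the host check used `find()` rather than `matches()`, a host that merely contains the trusted name would be accepted and every case listed here would still pass. I would add a reject row with a constructed host, e.g. `Arguments.of(url("https://trusted.example.invalid/x.properties"), schemes(), hosts("trusted\\.example")),`, and the same host wrapped in `jar:`. The parameterized test methods that consume these providers begin at the last quoted line and are not visible here, so the matching mode cannot be confirmed from this hunk; this is a coverage gap rather than a confirmed defect.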

Review Comment:
   I never used the option to run selected test cases in IDEA, but I removed it 
to improve testing under Eclipse.


