Jonathan Cook
2019-10-23 15:01:44 +02:00
parent db85c8f275
commit 684ec0d2e3
20486 changed files with 1642483 additions and 0 deletions
@@ -0,0 +1,45 @@
package com.baeldung.annotation.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import java.util.Date;
@XStreamAlias("customer")
public class Customer {
@XStreamAlias("fn")
private String firstName;
private String lastName;
private Date dob;
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public Date getDob() {
return dob;
}
public void setDob(Date dob) {
this.dob = dob;
}
@Override
public String toString() {
return "Customer [firstName=" + firstName + ", lastName=" + lastName + ", dob=" + dob + "]";
}
}
@@ -0,0 +1,47 @@
package com.baeldung.annotation.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import com.thoughtworks.xstream.annotations.XStreamOmitField;
import java.util.Date;
@XStreamAlias("customer")
public class CustomerOmitField {
@XStreamOmitField
private String firstName;
private String lastName;
private Date dob;
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public Date getDob() {
return dob;
}
public void setDob(Date dob) {
this.dob = dob;
}
@Override
public String toString() {
return "CustomerOmitAnnotation [firstName=" + firstName + ", lastName=" + lastName + ", dob=" + dob + "]";
}
}
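Review bot: `toString` on the last method labels the object `CustomerOmitAnnotation`, which is not the class name, so logs and assertion messages would point at a class that does not exist in this package. Changing the literal to `return "CustomerOmitField [firstName=" + firstName + ", lastName=" + lastName + ", dob=" + dob + "]";` keeps it in step with the other POJOs in this commit, which all print their own simple name. The class also lacks a Javadoc line saying why it exists; a one-liner such as `/** Customer variant whose firstName field is skipped by XStream because of @XStreamOmitField. */` would make the fixture's purpose clear without reading the annotation.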
@@ -0,0 +1,45 @@
package com.baeldung.complex.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import com.thoughtworks.xstream.annotations.XStreamAsAttribute;
@XStreamAlias("ContactDetails")
public class ContactDetails {
private String mobile;
private String landline;
@XStreamAsAttribute
private String contactType;
public String getMobile() {
return mobile;
}
public void setMobile(String mobile) {
this.mobile = mobile;
}
public String getLandline() {
return landline;
}
public void setLandline(String landline) {
this.landline = landline;
}
public String getContactType() {
return contactType;
}
public void setContactType(String contactType) {
this.contactType = contactType;
}
@Override
public String toString() {
return "ContactDetails [mobile=" + mobile + ", landline=" + landline + ", contactType=" + contactType + "]";
}
}
@@ -0,0 +1,55 @@
package com.baeldung.complex.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import java.util.Date;
import java.util.List;
@XStreamAlias("customer")
public class Customer {
private String firstName;
private String lastName;
private Date dob;
private List<ContactDetails> contactDetailsList;
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public Date getDob() {
return dob;
}
public void setDob(Date dob) {
this.dob = dob;
}
public List<ContactDetails> getContactDetailsList() {
return contactDetailsList;
}
public void setContactDetailsList(List<ContactDetails> contactDetailsList) {
this.contactDetailsList = contactDetailsList;
}
@Override
public String toString() {
return "Customer [firstName=" + firstName + ", lastName=" + lastName + ", dob=" + dob + ", contactDetailsList=" + contactDetailsList + "]";
}
}
@@ -0,0 +1,45 @@
package com.baeldung.implicit.collection.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import com.thoughtworks.xstream.annotations.XStreamAsAttribute;
@XStreamAlias("ContactDetails")
public class ContactDetails {
private String mobile;
private String landline;
@XStreamAsAttribute
private String contactType;
public String getMobile() {
return mobile;
}
public void setMobile(String mobile) {
this.mobile = mobile;
}
public String getLandline() {
return landline;
}
public void setLandline(String landline) {
this.landline = landline;
}
public String getContactType() {
return contactType;
}
public void setContactType(String contactType) {
this.contactType = contactType;
}
@Override
public String toString() {
return "ContactDetails [mobile=" + mobile + ", landline=" + landline + ", contactType=" + contactType + "]";
}
}
@@ -0,0 +1,57 @@
package com.baeldung.implicit.collection.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import com.thoughtworks.xstream.annotations.XStreamImplicit;
import java.util.Date;
import java.util.List;
@XStreamAlias("customer")
public class Customer {
private String firstName;
private String lastName;
private Date dob;
@XStreamImplicit
private List<ContactDetails> contactDetailsList;
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public Date getDob() {
return dob;
}
public void setDob(Date dob) {
this.dob = dob;
}
public List<ContactDetails> getContactDetailsList() {
return contactDetailsList;
}
public void setContactDetailsList(List<ContactDetails> contactDetailsList) {
this.contactDetailsList = contactDetailsList;
}
@Override
public String toString() {
return "Customer [firstName=" + firstName + ", lastName=" + lastName + ", dob=" + dob + ", contactDetailsList=" + contactDetailsList + "]";
}
}
@@ -0,0 +1,20 @@
package com.baeldung.initializer;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.json.JettisonMappedXmlDriver;
import com.thoughtworks.xstream.io.json.JsonHierarchicalStreamDriver;
public class SimpleXstreamInitializer {
public XStream getXstreamInstance() {
return new XStream();
}
public XStream getXstreamJettisonMappedInstance() {
return new XStream(new JettisonMappedXmlDriver());
}
public XStream getXstreamJsonHierarchicalInstance() {
return new XStream(new JsonHierarchicalStreamDriver());
}
}
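Review bot: All three factory methods hand back an `XStream` with no type permissions configured, and these instances are what the rest of the module unmarshals with; how dangerous that is depends on the XStream version the pom (not visible here) pulls in — before 1.4.18 a bare `new XStream()` instantiates any class named in the input, which is exactly the weakness `com.baeldung.rce.App.createVulnerable` in this same commit demonstrates, while 1.4.18+ applies a default allowlist that would by default reject the module's own `com.baeldung.*` models anyway. Either way this factory is the right place to be explicit: deny everything, then allow the model packages and the JDK types the models hold (`java.util.Date`, the `List` implementations). A private helper applied in all three methods keeps the JSON drivers on the same footing as the XML one; the permission classes live in `com.thoughtworks.xstream.security`, as `App.createHardened` already imports them.
```java
public class SimpleXstreamInitializer {
    public XStream getXstreamInstance() {
        return withAllowlist(new XStream());
    }
    public XStream getXstreamJettisonMappedInstance() {
        return withAllowlist(new XStream(new JettisonMappedXmlDriver()));
    }
    public XStream getXstreamJsonHierarchicalInstance() {
        return withAllowlist(new XStream(new JsonHierarchicalStreamDriver()));
    }
    /** Deny-by-default, then allow only the model packages and the JDK types they contain. */
    private static XStream withAllowlist(XStream xstream) {
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(java.util.Collection.class);
        xstream.allowTypes(new Class<?>[] { java.util.Date.class });
        xstream.allowTypesByWildcard(new String[] { "com.baeldung.**" });
        return xstream;
    }
}
```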
@@ -0,0 +1,40 @@
package com.baeldung.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import java.util.List;
@XStreamAlias("AddressDetails")
public class AddressDetails {
private String address;
private String zipcode;
private List<ContactDetails> contactDetails;
public String getZipcode() {
return zipcode;
}
public void setZipcode(String zipcode) {
this.zipcode = zipcode;
}
public List<ContactDetails> getContactDetails() {
return contactDetails;
}
public void setContactDetails(List<ContactDetails> contactDetails) {
this.contactDetails = contactDetails;
}
public String getAddress() {
return address;
}
public void setAddress(String address) {
this.address = address;
}
}
@@ -0,0 +1,28 @@
package com.baeldung.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
@XStreamAlias("ContactDetails")
public class ContactDetails {
private String mobile;
private String landline;
public String getMobile() {
return mobile;
}
public void setMobile(String mobile) {
this.mobile = mobile;
}
public String getLandline() {
return landline;
}
public void setLandline(String landline) {
this.landline = landline;
}
}
@@ -0,0 +1,57 @@
package com.baeldung.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import com.thoughtworks.xstream.annotations.XStreamImplicit;
import java.util.Date;
import java.util.List;
@XStreamAlias("customer")
public class Customer {
private String firstName;
private String lastName;
private Date dob;
@XStreamImplicit
private List<ContactDetails> contactDetailsList;
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public Date getDob() {
return dob;
}
public void setDob(Date dob) {
this.dob = dob;
}
public List<ContactDetails> getContactDetailsList() {
return contactDetailsList;
}
public void setContactDetailsList(List<ContactDetails> contactDetailsList) {
this.contactDetailsList = contactDetailsList;
}
@Override
public String toString() {
return "Customer [firstName=" + firstName + ", lastName=" + lastName + ", dob=" + dob + "]";
}
}
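Review bot: `toString` (the last method) leaves out `contactDetailsList`, while the otherwise identical `Customer` classes in `complex.pojo` and `implicit.collection.pojo` in this commit include it, so a debugging print of this variant hides the implicit collection that its `@XStreamImplicit` annotation is about. Appending `+ ", contactDetailsList=" + contactDetailsList` before the closing bracket makes the three classes agree. A class-level Javadoc stating that this is the variant whose contact list is written as repeated child elements rather than a wrapping element would also help readers tell the three copies apart.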
@@ -0,0 +1,49 @@
package com.baeldung.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import java.util.List;
@XStreamAlias("CustomerAddressDetails")
public class CustomerAddressDetails {
private List<AddressDetails> addressDetails;
private String firstName;
private String lastName;
private int age;
public String getFirstName() {
return firstName;
}
public void setFirstName(String firstName) {
this.firstName = firstName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public int getAge() {
return age;
}
public void setAge(int age) {
this.age = age;
}
public List<AddressDetails> getAddressDetails() {
return addressDetails;
}
public void setAddressDetails(List<AddressDetails> addressDetails) {
this.addressDetails = addressDetails;
}
}
@@ -0,0 +1,20 @@
package com.baeldung.pojo;
import com.thoughtworks.xstream.annotations.XStreamAlias;
import java.util.List;
@XStreamAlias("CustomerPortfolio")
public class CustomerPortfolio {
private List<CustomerAddressDetails> customerAddressDetailsList;
public List<CustomerAddressDetails> getCustomerAddressDetailsList() {
return customerAddressDetailsList;
}
public void setCustomerAddressDetailsList(List<CustomerAddressDetails> customerAddressDetailsList) {
this.customerAddressDetailsList = customerAddressDetailsList;
}
}
@@ -0,0 +1,92 @@
package com.baeldung.rce;
import com.sun.net.httpserver.HttpServer;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.HashSet;
import java.util.Set;
/**
* Web application which is intentionally vulnerable to an XStream remote code
* exploitation (RCE).
*
* <p>
* This test application is meant to maintain a set of {@link Person} models. It
* exposes a "/persons" endpoint which supports the following operations:
*
* <ol>
* <li>{@code POST} XML for adding a new {@link Person} to the set
* <li>{@code GET} for retrieving the set of {@link Person} models as XML
* </ol>
*
* The {@code POST} handler is vulnerable to an RCE exploit.
*/
public final class App {
public static App createHardened(int port) {
final XStream xstream = new XStream();
xstream.addPermission(NoTypePermission.NONE);
xstream.addPermission(NullPermission.NULL);
xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
xstream.allowTypes(new Class<?>[] { Person.class });
return new App(port, xstream);
}
public static App createVulnerable(int port) {
return new App(port, new XStream());
}
private final int port;
private final Set<Person> persons;
private final XStream xstream;
private HttpServer server;
private App(int port, XStream xstream) {
this.port = port;
persons = new HashSet<>();
// this app is vulnerable because XStream security is not configured
this.xstream = xstream;
this.xstream.alias("person", Person.class);
}
void start() throws IOException {
server = HttpServer.create(new InetSocketAddress("localhost", port), 0);
server.createContext("/persons", exchange -> {
switch (exchange.getRequestMethod()) {
case "POST":
final Person person = (Person) xstream.fromXML(exchange.getRequestBody());
persons.add(person);
exchange.sendResponseHeaders(201, 0);
exchange.close();
break;
case "GET":
exchange.sendResponseHeaders(200, 0);
xstream.toXML(persons, exchange.getResponseBody());
exchange.close();
break;
default:
exchange.sendResponseHeaders(405, 0);
exchange.close();
}
});
server.start();
}
void stop() {
if (server != null) {
server.stop(0);
}
}
int port() {
if (server == null)
throw new IllegalStateException("Server not started");
return server.getAddress()
.getPort();
}
}
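Review bot: The constructor comment `// this app is vulnerable because XStream security is not configured` is wrong for half its callers — `createHardened` passes a deny-by-default instance — so the remark belongs on `createVulnerable`, and the class Javadoc's "The POST handler is vulnerable" should likewise say "when built with createVulnerable". Independently, the POST branch lets any exception from `fromXML` escape the handler, including the `ForbiddenClassException` the hardened allowlist raises for a rejected type; with `com.sun.net.httpserver` an exception out of a handler drops the connection without a status, so a rejected payload looks the same as a crash. Catching `XStreamException` (`com.thoughtworks.xstream.XStreamException`, the parent of both the forbidden-class and conversion errors) around the call and answering 400 keeps the allowlist's decision observable, and the `ClassCastException` from a non-`<person>` root deserves the same treatment. Note also that whether `createVulnerable` is exploitable at all depends on the XStream version pulled in (not visible here): from 1.4.18 a plain `new XStream()` already applies an allowlist, so the demo would need an explicit `AnyTypePermission.ANY` to stay vulnerable.
```java
            case "POST":
                final Person person;
                try {
                    person = (Person) xstream.fromXML(exchange.getRequestBody());
                } catch (XStreamException | ClassCastException e) {
                    // rejected by the type allowlist, malformed, or not a <person>: report it instead of dropping the connection
                    exchange.sendResponseHeaders(400, -1);
                    exchange.close();
                    break;
                }
                persons.add(person);
                exchange.sendResponseHeaders(201, 0);
                exchange.close();
                break;
            // … unchanged: GET and default branches …
```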
@@ -0,0 +1,43 @@
package com.baeldung.rce;
import java.util.Objects;
/** Person model */
public final class Person {
private String first;
private String last;
public String getFirst() {
return first;
}
public void setFirst(String first) {
this.first = first;
}
public String getLast() {
return last;
}
public void setLast(String last) {
this.last = last;
}
@Override
public boolean equals(Object o) {
if (this == o) {
return true;
}
if (!(o instanceof Person)) {
return false;
}
Person person = (Person) o;
return Objects.equals(first, person.first) && Objects.equals(last, person.last);
}
@Override
public int hashCode() {
return Objects.hash(first, last);
}
}
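Review bot: `Person` is what `App` stores in its `HashSet`, yet `equals`/`hashCode` are derived from `first` and `last` while both still have public setters, so an element mutated after insertion can no longer be found or removed from the set. If the setters exist only so XStream can populate the object they are probably unnecessary — XStream normally writes fields reflectively rather than through setters — and the already-`final` class could drop them in favour of a two-argument constructor; otherwise a class comment such as `/** Value object keyed by (first, last); do not mutate an instance after adding it to a Set. */` should state the constraint. The class is also the one type `App.createHardened` admits through its allowlist, so the Javadoc should say that fields added here are reachable from untrusted `POST` bodies.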
@@ -0,0 +1,40 @@
package com.baeldung.utility;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.converters.Converter;
import com.thoughtworks.xstream.converters.MarshallingContext;
import com.thoughtworks.xstream.converters.UnmarshallingContext;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.GregorianCalendar;
public class MyDateConverter implements Converter {
private SimpleDateFormat formatter = new SimpleDateFormat("dd-MM-yyyy");
@Override
public boolean canConvert(Class clazz) {
return Date.class.isAssignableFrom(clazz);
}
@Override
public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext arg2) {
Date date = (Date) value;
writer.setValue(formatter.format(date));
}
@Override
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext arg1) {
GregorianCalendar calendar = new GregorianCalendar();
try {
calendar.setTime(formatter.parse(reader.getValue()));
} catch (ParseException e) {
throw new ConversionException(e.getMessage(), e);
}
return calendar;
}
}
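Review bot: `unmarshal` returns a `GregorianCalendar` although `canConvert` claims the converter for `Date`, so when XStream hands the result back to a `Date`-typed field such as `Customer.dob` the reflective field write receives the wrong type and should fail rather than populate the field. Returning the parsed value directly — `return formatter.parse(reader.getValue());` inside the existing try — fixes it and makes the `GregorianCalendar` import and local unnecessary. Two smaller points: `SimpleDateFormat` is not thread-safe and this one is a shared instance field on a converter that will be registered on an `XStream` object that may serve several threads, so either create it per call or guard it; and the formatter is lenient by default, so `formatter.setLenient(false)` (or a strict `java.time.DateTimeFormatter`) would reject input such as `32-01-1986` instead of silently rolling it over.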
@@ -0,0 +1,28 @@
package com.baeldung.utility;
import com.baeldung.pojo.Customer;
import com.thoughtworks.xstream.converters.SingleValueConverter;
import java.text.SimpleDateFormat;
import java.util.Date;
public class MySingleValueConverter implements SingleValueConverter {
@Override
public boolean canConvert(Class clazz) {
return Customer.class.isAssignableFrom(clazz);
}
@Override
public Object fromString(String arg0) {
return null;
}
@Override
public String toString(Object obj) {
SimpleDateFormat formatter = new SimpleDateFormat("dd-MM-yyyy");
Date date = ((Customer) obj).getDob();
return ((Customer) obj).getFirstName() + "," + ((Customer) obj).getLastName() + "," + formatter.format(date);
}
}
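Review bot: `fromString` returns `null` unconditionally, so any `Customer` serialized with this converter silently becomes `null` on the way back in with no error; a converter that only supports one direction should say so, e.g. `throw new UnsupportedOperationException("fromString is not supported by " + getClass().getSimpleName());`. `toString` also dereferences `getDob()` in `formatter.format(date)` without a null check and will throw `NullPointerException` for a customer whose date of birth was never set, and the three repeated casts of `obj` could be a single `Customer customer = (Customer) obj;` local. A Javadoc line should state that this converter flattens a `Customer` to `firstName,lastName,dd-MM-yyyy` for output only.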
@@ -0,0 +1,37 @@
package com.baeldung.utility;
import com.baeldung.pojo.ContactDetails;
import com.baeldung.pojo.Customer;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.List;
public class SimpleDataGeneration {
public static Customer generateData() {
Customer customer = new Customer();
Calendar cal = Calendar.getInstance();
cal.set(1986, 01, 14);
customer.setDob(cal.getTime());
customer.setFirstName("XStream");
customer.setLastName("Java");
List<ContactDetails> contactDetailsList = new ArrayList<ContactDetails>();
ContactDetails contactDetails1 = new ContactDetails();
contactDetails1.setLandline("0124-2460311");
contactDetails1.setMobile("6673543265");
ContactDetails contactDetails2 = new ContactDetails();
contactDetails2.setLandline("0120-223312");
contactDetails2.setMobile("4676543565");
contactDetailsList.add(contactDetails1);
contactDetailsList.add(contactDetails2);
customer.setContactDetailsList(contactDetailsList);
return customer;
}
}
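Review bot: `cal.set(1986, 01, 14)` uses a zero-based month, so the fixture's date of birth is 14 February rather than the January the literal suggests, and `01` is an octal literal on top; `cal.set(1986, Calendar.FEBRUARY, 14)` (or `JANUARY`, if that was the intent) says what it does. The calendar also keeps the current hour, minute, second and millisecond from `Calendar.getInstance()`, so `generateData()` yields a different `dob` on every run and any serialized output compared in a test is non-deterministic; calling `cal.clear()` before the `set` pins the time-of-day to midnight. This feeds the `com.baeldung.pojo.Customer` whose `dob` is written by `MySingleValueConverter` with a date-only pattern, which is presumably what currently masks the drift.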