From d..@apache.org
Subject svn commit: r552615 - in /db/derby/code/branches/10.3/java/testing/org/apache/derbyTesting/functionTests/tests/lang: DatabaseClassLoadingTest.java dcl_id.jar
Date Mon, 02 Jul 2007 22:36:52 GMT
Author: djd
Date: Mon Jul  2 15:36:51 2007
New Revision: 552615

URL: http://svn.apache.org/viewvc?view=rev&rev=552615
Log:
DERBY-2331 Add test fixture to DatabaseClassLoadingTest to
test that code in installed jars cannot call Derby's internal code directly.
Merge of 548424 from trunk.

Added:
    db/derby/code/branches/10.3/java/testing/org/apache/derbyTesting/functionTests/tests/lang/dcl_id.jar
      - copied unchanged from r548424, db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/dcl_id.jar
Modified:
    db/derby/code/branches/10.3/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java

Modified: db/derby/code/branches/10.3/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.3/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java?view=diff&rev=552615&r1=552614&r2=552615
==============================================================================
--- db/derby/code/branches/10.3/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
(original)
+++ db/derby/code/branches/10.3/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
Mon Jul  2 15:36:51 2007
@@ -104,6 +104,7 @@
                 "testLoadJavaClassDirectly2",
                 "testLoadJavaClassDirectly3",
                 "testLoadDerbyClassIndirectly",
+                "testIndirectLoading",
             };
             
             for (int i = 0; i < orderedTests.length; i++)
@@ -136,6 +137,7 @@
                    "functionTests/tests/lang/dcl_ot1.jar",
                    "functionTests/tests/lang/dcl_ot2.jar",
                    "functionTests/tests/lang/dcl_ot3.jar",
+                   "functionTests/tests/lang/dcl_id.jar",
                    });
            
            }
@@ -944,6 +946,52 @@
         ps3.setString(1, className);
         JDBC.assertSingleValueResultSet(ps3.executeQuery(), expectedLoader);
     }
+    
+    /**
+     * Test that loading of Derby's internal classes from
+     * an installed jar file is disallowed.
+     */
+    public void testIndirectLoading() throws SQLException, MalformedURLException
+    {
+        Statement s = createStatement();
+        
+        s.executeUpdate("CREATE SCHEMA ID");
+ /*       
+        s.execute("create function OT.WHICH_LOADER1(classname VARCHAR(256)) " +
+        "RETURNS VARCHAR(10) " +
+        "NO SQL " +
+        "external name " +
+        "'org.apache.derbyTesting.databaseclassloader.ot.OrderTest1.whichLoader' " +
+        "language java parameter style java");
+*/
+        installJar("dcl_id.jar", "ID.IDCODE");
+        
+        setDBClasspath("ID.IDCODE");
+        
+        // Create a procedure that is a method in an installed jar file
+        // that calls the internal static method to set a database property.
+        // If a user could do this then they bypass the grant/revoke on
+        // the system procedure and instead are able to control the database
+        // as they please.
+        s.execute("CREATE PROCEDURE ID.SETDB(pkey VARCHAR(256), pvalue VARCHAR(256)) " +
+                "NO SQL " +
+                "external name " +
+                "'org.apache.derbyTesting.databaseclassloader.id.IndirectLoad.setDB' " +
+                "language java parameter style java");
+        
+        PreparedStatement ps = prepareCall("CALL ID.SETDB(?, ?)");
+
+        ps.close();
+
+        
+        setDBClasspath(null);
+
+              
+
+        s.close();
+        
+    }
+
             
   
     private void installJar(String resource, String jarName) throws SQLException, MalformedURLException
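Review bot: The new testIndirectLoading fixture prepares `CALL ID.SETDB(?, ?)` and closes it without binding parameters, executing it, or asserting anything, so as written it would still pass if code in the installed jar could reach the internal property setter that the comment describes as a grant/revoke bypass. The call should be executed and the expected rejection asserted, with `setDBClasspath(null)` moved into a `finally` so a failure does not leave `ID.IDCODE` on the database class path for later fixtures. The commented-out `OT.WHICH_LOADER1` block looks like a leftover from another fixture and can be dropped. The SQLState and property values in the sketch below are placeholders to be filled in from the engine's actual behaviour.

```java
        // ... unchanged: CREATE SCHEMA, installJar, setDBClasspath, CREATE PROCEDURE ID.SETDB ...
        PreparedStatement ps = prepareCall("CALL ID.SETDB(?, ?)");
        try {
            // Placeholder key/value: pick a property the test can verify was NOT changed.
            ps.setString(1, "<PROPERTY_KEY>");
            ps.setString(2, "<PROPERTY_VALUE>");
            ps.execute();
            fail("code in an installed jar was able to call Derby's internal code");
        } catch (SQLException sqle) {
            // "<EXPECTED_SQLSTATE>" is a placeholder for the state the engine reports.
            assertSQLState("<EXPECTED_SQLSTATE>", sqle);
        } finally {
            ps.close();
            // Reset even on failure so later ordered fixtures see a clean class path.
            setDBClasspath(null);
            s.close();
        }
```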


