Security18 hibernate validator vulnerability #7222

Merged
merged 8 commits into from
Aug 26, 2020
8 changes: 6 additions & 2 deletions pom.xml
Expand Up @@ -294,9 +294,13 @@
<version>1.7</version> <!-- Or 1.8-SNAPSHOT -->
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<groupId>org.hibernate.validator</groupId>
<artifactId>hibernate-validator</artifactId>
<version>5.0.3.Final</version>
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>jakarta.el</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
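Review bot: the new `jakarta.el` dependency is declared without a `<version>`, and if `<version>5.0.3.Final</version>` is one of the two deleted lines (as the "6 additions & 2 deletions" count suggests), `hibernate-validator` no longer pins one here either, so nothing in this hunk shows which release is actually resolved. Since the purpose of the change is to move off a vulnerable validator, pin both versions in a `dependencyManagement` section or BOM and name the resolved version in the PR description so it can be checked against the advisory. The `provided` scope on `jakarta.el` also means the application server has to supply the EL implementation at runtime; a short XML comment saying so would help the next person who touches this block.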
8 changes: 6 additions & 2 deletions src/test/java/edu/harvard/iq/dataverse/URLValidatorTest.java
Expand Up @@ -7,13 +7,17 @@

import org.hibernate.validator.internal.engine.constraintvalidation.ConstraintValidatorContextImpl;
import org.hibernate.validator.internal.engine.path.PathImpl;
import javax.validation.Validation;
import javax.validation.ValidatorFactory;
import org.junit.Test;

/**
*
* @author skraffmi
*/
public class URLValidatorTest {
ValidatorFactory validatorFactory = Validation.buildDefaultValidatorFactory();


@Test
public void testIsURLValid() {
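Review bot: the `validatorFactory` field added at the top of `URLValidatorTest` is a package-private instance field, so under JUnit 4 (`org.junit.Test`) a new `ValidatorFactory` is bootstrapped for every test method and never closed. Build it once in a `@BeforeClass` method, keep it in a `private static` field, and call `close()` on it in `@AfterClass`. The two consecutive blank lines after the field can be reduced to one.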
Expand All @@ -35,15 +39,15 @@ public void testIsValidWithUnspecifiedContext() {
@Test
public void testIsValidWithContextAndValidURL() {
String value = "https://twitter.com/";
ConstraintValidatorContext context = new ConstraintValidatorContextImpl(null, PathImpl.createPathFromString(""), null);
ConstraintValidatorContext context = new ConstraintValidatorContextImpl(validatorFactory.getClockProvider(), PathImpl.createPathFromString(""),null, null);

assertEquals(true, new URLValidator().isValid(value, context));
}

@Test
public void testIsValidWithContextButInvalidURL() {
String value = "cnn.com";
ConstraintValidatorContext context = new ConstraintValidatorContextImpl(null, PathImpl.createPathFromString(""), null);
ConstraintValidatorContext context = new ConstraintValidatorContextImpl(validatorFactory.getClockProvider(), PathImpl.createPathFromString(""),null, null);
Contributor

The complete test class should be refactored to use a JUnit5 @ParameterizedTest, usable for both unit tests.
The context object should be mocked. Creating a real object is of no use here and at least on my machine creates errors. Happy to create a PR against this PR.


assertEquals(false, new URLValidator().isValid(value, context));
}
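Review bot: both changed lines in `testIsValidWithContextAndValidURL` and `testIsValidWithContextButInvalidURL` call the `ConstraintValidatorContextImpl` constructor from `org.hibernate.validator.internal`, and the move from three to four arguments in this hunk shows that the signature is not stable across validator releases, so the next dependency upgrade is likely to break these tests again. The tests only need something that satisfies the `ConstraintValidatorContext` interface; a mock of that interface would drop the dependency on internal classes and on `validatorFactory.getClockProvider()`. If the real object stays, document what the two trailing `null` arguments stand for, add the missing space in `PathImpl.createPathFromString(""),null, null`, and prefer `assertTrue` / `assertFalse` over `assertEquals(true, ...)` / `assertEquals(false, ...)`.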