com.atlassian.crowd.acceptance.tests.applications.crowd.CrowdWebDriverTest

com.atlassian.crowd.acceptance.tests.applications.crowd.XWorkELClassloaderTest

public class XWorkELClassloaderTest extends CrowdWebDriverTest

This test specifically targets https://jira.atlassian.com/browse/CWD-3880 , a vulnerability that allows EL expressions in XWork actions to traverse the object graph to the classloader and call setters to change its configuration.

Field Summary

Fields inherited from class com.atlassian.crowd.acceptance.tests.applications.crowd.CrowdWebDriverTest
applinksClient, BACKUP_RESOURCE, BATCHED_TEST_RULE, COOKIE_ABSENT, i18n, IMMUTABLE_USER_NAME, IMMUTABLE_USER_PW, JSESSIONID_COOKIE, log, REMEMBER_ME_COOKIE, restAdminClient, SSO_COOKIE, TEST_USER_DISPLAYNAME, TEST_USER_NAME, TEST_USER_PW, testedProduct, testkitClient, webDriverRules
Constructor Summary

Constructors

Constructor

Description

XWorkELClassloaderTest()
Method Summary

Modifier and Type

Method

Description

void

ELClassloaderWithBracketNotation()

void

ELClassloaderWithDotNotation()

Methods inherited from class com.atlassian.crowd.acceptance.tests.applications.crowd.CrowdWebDriverTest
assertAtRelativePath, assertAtURIContaining, assertAtURIEndingWith, assertAtUrl, assertHasError, assertHasErrorKey, bind, bind, clearAndInvalidateSsoCookieIfPresent, clearAndInvalidateSsoCookieOrFail, deleteAllCookies, deleteCookie, expectState, getBaseUrl, getBaseUrlWithoutPort, getCookie, getCookieOrThrow, getCurrentUrl, getDriver, getSsoCookieOrFail, getTestkitClient, hasCookie, hasSsoCookie, intendToModifyLdapData, loginAsExpiredPasswordUser, loginAsNonAdmin, loginAsNonAdmin, loginAsSysAdmin, loginAsSysAdmin, loginAsSysAdminWithRememberMe, loginAsUser, loginExpectingFailure, loginImmutableUser, loginImmutableUser, loginTestUser, loginTestUser, logout, manage, navigateToAndBind, navigateToUrl, restoreBaseSetup, restoreCrowdFromXML, restoreCrowdFromXML, setUp, waitForUrl, waitUntilAsyncFinished

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- XWorkELClassloaderTest
  
  public XWorkELClassloaderTest()
Method Details
- ELClassloaderWithDotNotation
  
  public void ELClassloaderWithDotNotation()
- ELClassloaderWithBracketNotation
  
  public void ELClassloaderWithBracketNotation()

Class XWorkELClassloaderTest

Field Summary

Fields inherited from class com.atlassian.crowd.acceptance.tests.applications.crowd.CrowdWebDriverTest

Constructor Summary

Method Summary

Methods inherited from class com.atlassian.crowd.acceptance.tests.applications.crowd.CrowdWebDriverTest

Methods inherited from class java.lang.Object

Constructor Details

XWorkELClassloaderTest

Method Details

ELClassloaderWithDotNotation

ELClassloaderWithBracketNotation