fix missing deseialization filter init call, enable commented out test case

Signed-off-by: Ceki Gulcu <[email protected]>

Author: ceki

logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java

@@ -60,7 +60,7 @@ private void initObjectFilter() {
     }
     public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
         super(in);
-
+        this.initObjectFilter();
         this.whitelistedClassNames = new ArrayList<String>();
         this.whitelistedClassNames.addAll(whitelist);
     }

logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java

@@ -3,13 +3,18 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.InvalidClassException;
 import java.io.ObjectOutputStream;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class HardenedObjectInputStreamTest {
 
@@ -53,39 +58,38 @@ private void writeObject(ObjectOutputStream oos, Object o) throws IOException {
         oos.close();
     }
 
-//    @Ignore
-//    @Test
-//    public void denialOfService() throws ClassNotFoundException, IOException {
-//        ByteArrayInputStream bis = new ByteArrayInputStream(payload());
-//        inputStream = new HardenedObjectInputStream(bis, whitelist);
-//        try {
-//            Set set = (Set) inputStream.readObject();
-//            assertNotNull(set);
-//        } finally {
-//            inputStream.close();
-//        }
-//    }
-//
-//    private byte[] payload() throws IOException {
-//        Set root = buildEvilHashset();
-//        return serialize(root);
-//    }
-//
-//    private Set buildEvilHashset() {
-//        Set root = new HashSet();
-//        Set s1 = root;
-//        Set s2 = new HashSet();
-//        for (int i = 0; i < 100; i++) {
-//            Set t1 = new HashSet();
-//            Set t2 = new HashSet();
-//            t1.add("foo"); // make it not equal to t2
-//            s1.add(t1);
-//            s1.add(t2);
-//            s2.add(t1);
-//            s2.add(t2);
-//            s1 = t1;
-//            s2 = t2;
-//        }
-//        return root;
-//    }
+    @Test
+    public void denialOfService() throws ClassNotFoundException, IOException {
+        ByteArrayInputStream bis = new ByteArrayInputStream(payload());
+        inputStream = new HardenedObjectInputStream(bis, whitelist);
+        try {
+            assertThrows(InvalidClassException.class, () -> inputStream.readObject());
+        } finally {
+            inputStream.close();
+        }
+    }
+
+    private byte[] payload() throws IOException {
+        Set root = buildEvilHashset();
+        writeObject(oos, root);
+        return bos.toByteArray();
+    }
+
+    private Set buildEvilHashset() {
+        Set root = new HashSet();
+        Set s1 = root;
+        Set s2 = new HashSet();
+        for (int i = 0; i < 100; i++) {
+            Set t1 = new HashSet();
+            Set t2 = new HashSet();
+            t1.add("foo"); // make it not equal to t2
+            s1.add(t1);
+            s1.add(t2);
+            s2.add(t1);
+            s2.add(t2);
+            s1 = t1;
+            s2 = t2;
+        }
+        return root;
+    }
 }