From 6afdbd6fd39cd1c5020dafde65215cfa66fa781f Mon Sep 17 00:00:00 2001
From: Stypox
Date: Wed, 27 Mar 2024 15:12:57 +0100
Subject: [PATCH] Add test: vulnerable settings should fail importing

---
 .../settings/ImportExportManagerTest.kt   | 19 ++++++++++++++++++
 .../settings/vulnerable_serialization.zip | Bin 0 -> 3536 bytes
 2 files changed, 19 insertions(+)
 create mode 100644 app/src/test/resources/settings/vulnerable_serialization.zip

diff --git a/app/src/test/java/org/schabi/newpipe/settings/ImportExportManagerTest.kt b/app/src/test/java/org/schabi/newpipe/settings/ImportExportManagerTest.kt
index 7b219df18..2743ba098 100644
--- a/app/src/test/java/org/schabi/newpipe/settings/ImportExportManagerTest.kt
+++ b/app/src/test/java/org/schabi/newpipe/settings/ImportExportManagerTest.kt
@@ -3,6 +3,7 @@ package org.schabi.newpipe.settings
 import android.content.SharedPreferences
 import org.junit.Assert.assertEquals
 import org.junit.Assert.assertFalse
+import org.junit.Assert.assertThrows
 import org.junit.Assert.assertTrue
 import org.junit.Assume
 import org.junit.Before
@@ -192,4 +193,22 @@ class ImportExportManagerTest {
         verify(editor, atLeastOnce()).putString(anyString(), anyString())
         verify(editor, atLeastOnce()).putInt(anyString(), anyInt())
     }
+
+    @Test
+    fun `Importing preferences with a serialization injected class should fail`() {
+        val settings = File.createTempFile("newpipe_", "")
+        `when`(fileLocator.settings).thenReturn(settings)
+
+        val emptyZip = File(classloader.getResource("settings/vulnerable_serialization.zip")?.file!!)
+        `when`(storedFileHelper.stream).thenReturn(FileStream(emptyZip))
+        Assume.assumeTrue(ImportExportManager(fileLocator).extractSettings(storedFileHelper))
+
+        val preferences = Mockito.mock(SharedPreferences::class.java, withSettings().stubOnly())
+        val editor = Mockito.mock(SharedPreferences.Editor::class.java)
+        `when`(preferences.edit()).thenReturn(editor)
+
+        assertThrows(ClassNotFoundException::class.java) {
+            ImportExportManager(fileLocator).loadSharedPreferences(preferences)
+        }
+    }
 }
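Review bot: `Assume.assumeTrue(ImportExportManager(fileLocator).extractSettings(storedFileHelper))` turns a failed extraction of the fixture into a skipped test rather than a failing one, so a missing or corrupted `vulnerable_serialization.zip` would silently drop the only regression check that an injected class in the settings stream is still rejected; `assertTrue(...)` keeps the check enforced (the neighbouring tests may use `Assume` deliberately, but this one guards a security fix and should not be skippable). The local name `emptyZip` is also misleading, since the file is the crafted-serialization fixture rather than an empty archive — `val vulnerableZip = File(classloader.getResource("settings/vulnerable_serialization.zip")?.file!!)` reads correctly. Finally, the test pins the exception type but not the side effect a defender cares about: that nothing from the rejected payload reaches the preferences, which `verify(editor, Mockito.never()).putString(anyString(), anyString())` placed after the `assertThrows` block would cover.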
diff --git a/app/src/test/resources/settings/vulnerable_serialization.zip b/app/src/test/resources/settings/vulnerable_serialization.zip new file mode 100644 index 0000000000000000000000000000000000000000..d57a5f8d0150cd11dec35d7c29ed2bcb9e65a774 GIT binary patch literal 3536 zcmZ`+XHb*d)(#yhDpd?dLKO(Th$2W8L3-~>umhOGllAlo0>`Py*abY>n3H!!d^x1XY9> zKt&K94gp@yUJgR`w!depA9d<5lFz4)>zE6Cwx-L-&Ghs7PO(j7@yJ`~0mnvm#O)a2 z`Glju#p3xzO@3G-B}eksQpU^+c6&LjT4BPvgCTQ3***@=FVrFO#cZLJSCR5FdTD!u z_h4w^?2bQkGeZbcW(ixT{Ydzo|SAS^O!U?L2Jw5Kj;v?jOsY zYuaa52x3+Ig6ss2|6AMsh5#V}fHo1z-7O$n{?qF1-Ct+t3}<^U3G2})o^by8;WNVR zhRU5@II!m|ZCMwTFAvW7v5oi(KkmZ+`y$czqR7jW3;!yf5Vc)&o>=E9I4q=O1J_M! zYCx4;76RJIELx)MSPDHl6U&ma~fu`(A%b&q?J|teYAl11FlAcgR)2?bt0h5J;CLrBt|wE;6Chqy+!Dt0I4n zZMHU8d~SQ1Bx=vd5{3>oa8#i)V zMDS@FrS71*x_Ao5^^*GeQ4&_k_AHLxxq8x8#TgE9-cBtDwC2FVH!5Rky~|Hhr~*>T zyfEII2ExG4^@#C$zXS)zHRbO#0dOxDxXw=vwfOXT8TxV6xRLBGy>68fz7F&8D~K0w zAs-7NYwkZ9*@d!3HC0M1eh!J$t&~XaE=yX(6usMUOVK2O7Hk$|0%7$>Pb5qzjPJte z62FQ&AiYO_UY-6O&rGi2@Sr{>uf z3NzNk`9qZX>J1f=6CIB%&1fH7&6!GPMr~_>mvNO}Ffp16F4iNg^zc>AVrOd4Rd*s& zvp4~uw75v>y$2)kaX3=ZeGSUBv``zsAi?s`l4G5liV<~^bhD&M$s(o8T)9goo#&t~ zfIXnD+}jH}c0>AwVD$W(qsZ<{411==Is4C^36YO>9{l9mn@0BlA&w*SKc)Lp_Li%H zb<4{1`e}MveMBrd{1#~aZGVlqe)pvN6nU$yI~HXMY4v}ofT(D&soi87>Ja;_U*Sn5 zHuGA=jbb3Xz3D0Hi`#KmSR1+cpXldLTc73Rxr$pjfoHDzwKtz-JP}fqg#A!nAzeGs z_gnpF&~TjxV%rOOBdf{XwmfJs+ZTgmG$b=rf71lcoj&dH7PuE8Sc}L(MUa2-7#>QM z6|WaL;DP=SJv3ZXUt3+7{*LWEn;dp3TCv>;UVO?SyRM6!DQ^+q)Mv6kXqfkhlAAZ^ zb@M}PN^^VR0#Bs*)nL|4(3;RRQ{gC^pee4Xs;Cp3`&o3hWwrR!Wc>&{z|+|0l486k z_;Imo+J+JhB}>Ktkt~Nq_jbsQ{Q+;!|5VL3;!d7h?GXesojDB>bx|>iK(A8U zJ*n){y>ehG6PdsGP*oIej+o@F-h@g%JUUtf!rI?6RjMrMD=c_;e#phLR5Cd7Gtj;O=Jxi5K!V9?Rh)Q5icXF)%Q<*tv6kU6NkgmUS@>@E=1#GW z5wgoj2{tQ#ix}@eSxKHVy_sV%DX@Eee>#X2#ew3{DW5Dh8T^X5Ce&@pCR+Pa9txH8 z5Xc|2T=g4YY?(vK4b88&7oAC-`ny%$Kl<=4>r19mvnSgyaDW)7f#I{8(M0TmXNQ6Q zWdTMODgJa;Q8qJZ?n||Qf?372hKgQ&ERxP6QS^KLBu%i&tyAM#V56)CdZB_dt35v8 z+h%I_&D3PTuibVs5S@aMMw4|@TA{*yZP`1HbW#I68n@@v=NCSKUnh`Q0X9jl{Knz* 
zF}Fiz#E?OtL2Wm9>v};^9*XCkf%8RkG&CCe!z%-;z%Xj8$td#YOnW zcR$|=2MxK~9P~&v_||3fQ){vue7nBxMfcjSm00Kho(FNoc1D9-BwUrG0D$i$0N^U& zNA%b8z}Lag&)LJtH`efBFM|SOi1WdYd6l&=8rfw2#8+H-Lh>3$eb5$?$ zaFCHIG$XdqA^xYd9*>1nA><=Bx^3Cxndv%DlJm=|H#} zTuncf5(E`49@GqKr8i5FQIC2MOCv!y1e)av1NKK^bcM2mRXPe~Y|KiIyS{q)QRXI( zfuxjss#GmEI`0?`+I-;%{j&zv{YcM!H+h?bgF8*G$)~PA?L|ubB(l#ZQZ#*~!v^?; z@qxxZKc$IPbmNv- zeIm9I*6lPYcK;1|CN-*1BiiV`X`hB|PDY?e; zpZ&UWn;nubxx~CSY~lN=_+fHO;Hc|p25%EYCQ)=HD?%n#RPR{CR_6JyR_#1y+B8#? zP^2w6y)uFUDXI#UfiQ`*1%36S-bF9GHGbr1CQ9)jt6!3t$aq#>^CR4O{aamTzUee` z^m~r2?|9Q!B)@dndHc=cV0-&N0Y4g&nG9P@bo`@ch_asHF7>}S!iTA&^^+!6uTA5W zbR(T|nCMv6;kS4vvg@2#QIC7=F%Dpl1bW(G^~CCdaEhd;-px#6Ti49^nx50!cY^N= zV))WGk03mU&nACAz$$7idn*}0<-?|WTL-cO@@o9N!iBR>s4cu{ZRcodIhSscc1=j< zF~+>24K2L)$$j9!%`zo!Hs(MMzxUIHwr--2gFFrj~P5<4RzQdQnEzA14e(#z`nS<=+ zG;~0tj_xdJWF|dwhe3B9`yk=@SdlFfpICYm$dWZZP3a|Np9M1fpuEsaCZ~$S6?#3` zIRDbqma`o|$dZIAr5^HKc98{L0xSv-8RxWCZ|!? zu3N)oLsaeTv24ms+2XmdWE``0>E+SLKCR(w&=NgEbM@*(XUK0kK52TjV%~S<%lconx2lu*~evpwDlPE0yHj>RTF&Z#XY1eFkbD8TSh^4((R-X^$W|_jcd2nKBow=EXu%VMQ>O{nHfd4i9a1k2ZIYKYiznh)CEfoNKVIu+%#tzpW zekIMx^V#HI_$T-OZ=HW}g9$lolz(&o)kyzY;d4F2oLcL@RUjijFG)=J5Cn;(IoJLJ D$x)Jd literal 0 HcmV?d00001