René's URL Explorer Experiment

Title: Add SecurityManager support to block suspicious code #622 by Markoutte · Pull Request #625 · UnitTestBot/UTBotJava · GitHub

Open Graph Title: Add SecurityManager support to block suspicious code #622 by Markoutte · Pull Request #625 · UnitTestBot/UTBotJava

X Title: Add SecurityManager support to block suspicious code #622 by Markoutte · Pull Request #625 · UnitTestBot/UTBotJava

Description: Description This commit introduces support of SecurityManager in instrumentation.jar to restrict all suspicious code from running (File IO, Socket IO, Property reading and etc.). Security is enabled by default and limits all permissions to a small set that needed for execution. Settings can be extended by editing .utbot/sandbox.policy (more about policy file and syntax). Fixes #622 Type of Change Breaking change (fix or feature that would cause existing functionality to not work as expected) How Has This Been Tested? Automated Testing All existing tests should pass Manual Scenario Disable symbolic execution test generation and leave only fuzzing (in the settings by choosing "Simpler" for "Code analysis"). Run test generations for these methods: public class SecurityCheck { public int normalTest(int value) { if (value < 0) { return -value; } return value; } public int read(File path) throws IOException { byte[] bytes = Files.readAllBytes(path.toPath()); return bytes.length; } public int connect(Socket socket) throws IOException { socket.connect(new InetSocketAddress("0.0.0.0", 22)); return 0; } public String property(String key) { return System.getProperty(key); } public String systemExit() { System.exit(0); return "bad"; } } For every method except normatTest() there are should be several methods that look like: public void testPropertyWithBlankString() { SecurityCheck securityCheck = new SecurityCheck(); /* This test fails because method [com.company.security.SecurityCheck.property] produces [java.security.AccessControlException: access denied ("java.util.PropertyPermission" " " "read")] java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) java.security.AccessController.checkPermission(AccessController.java:886) java.lang.SecurityManager.checkPermission(SecurityManager.java:549) java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294) java.lang.System.getProperty(System.java:719) com.company.security.SecurityCheck.property(SecurityCheck.java:32) */ } Try to edit {user.home}/.utbot/sandbox.policy: grant { permission java.util.PropertyPermission "*", "read"; }; and generate test for String property(String key). Tests should be generated without access exception. Checklist: The change followed the style guidelines of the UTBot project Self-review of the code is passed The change contains enough commentaries, particularly in hard-to-understand areas New documentation is provided or existed one is altered No new warnings New tests have been added All tests pass locally with my changes

Open Graph Description: Description This commit introduces support of SecurityManager in instrumentation.jar to restrict all suspicious code from running (File IO, Socket IO, Property reading and etc.). Security is enable...

X Description: Description This commit introduces support of SecurityManager in instrumentation.jar to restrict all suspicious code from running (File IO, Socket IO, Property reading and etc.). Security is enable...

Opengraph URL: https://github.com/UnitTestBot/UTBotJava/pull/625

X: @github

direct link

Domain: github.com

Links:

Viewport: width=device-width