Add possibility to skip long running unit tests for DoS attacks.

Author: joehni

xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022, 2024 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022, 2024, 2025 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -42,6 +42,7 @@
 public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
 
     private final static StringBuffer BUFFER = new StringBuffer();
+    private final static boolean SKIP_DOS_ATTACK_TESTS = Boolean.getBoolean("skipDoSAttackTests");
 
     @Override
     protected void setUp() throws Exception {
@@ -52,13 +53,25 @@ protected void setUp() throws Exception {
         xstream.addPermission(ProxyTypePermission.PROXIES);
     }
 
+    @Override
+    protected void setupSecurity(final XStream xstream) {
+        xstream.allowTypes(Exec.class);
+    }
+
+    public static class Exec {
+
+        public void exec() {
+            BUFFER.append("Executed!");
+        }
+    }
+
     public void testCannotInjectEventHandler() {
         final String xml = ""
             + "<string class='runnable-array'>\n"
             + "  <dynamic-proxy>\n"
             + "    <interface>java.lang.Runnable</interface>\n"
             + "    <handler class='java.beans.EventHandler'>\n"
-            + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
+            + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec'/>\n"
             + "      <action>exec</action>\n"
             + "    </handler>\n"
             + "  </dynamic-proxy>\n"
@@ -213,13 +226,6 @@ public void testExplicitlyConvertSwingUIDefaults() {
         assertNotNull(hashtable);
     }
 
-    public static class Exec {
-
-        public void exec() {
-            BUFFER.append("Executed!");
-        }
-    }
-
     public void testInstanceOfVoid() {
         try {
             xstream.fromXML("<void/>");
@@ -353,6 +359,10 @@ public void testExplicitlyUnmarshalEndlessByteArrayInputStream() throws IOExcept
     }
 
     public void testDoSAttackWithHashSet() {
+        if (SKIP_DOS_ATTACK_TESTS) {
+            return;
+        }
+
         final Set<Object> set = new HashSet<>();
         Set<Object> s1 = set;
         Set<Object> s2 = new HashSet<>();
@@ -380,6 +390,10 @@ public void testDoSAttackWithHashSet() {
     }
 
     public void testDoSAttackWithLinkedHashSet() {
+        if (SKIP_DOS_ATTACK_TESTS) {
+            return;
+        }
+
         final Set<Object> set = new LinkedHashSet<>();
         Set<Object> s1 = set;
         Set<Object> s2 = new LinkedHashSet<>();
@@ -407,6 +421,10 @@ public void testDoSAttackWithLinkedHashSet() {
     }
 
     public void testDoSAttackWithHashMap() {
+        if (SKIP_DOS_ATTACK_TESTS) {
+            return;
+        }
+
         final Map<Object, Object> map = new HashMap<>();
         Map<Object, Object> m1 = map;
         Map<Object, Object> m2 = new HashMap<>();
@@ -434,6 +452,10 @@ public void testDoSAttackWithHashMap() {
     }
 
     public void testDoSAttackWithLinkedHashMap() {
+        if (SKIP_DOS_ATTACK_TESTS) {
+            return;
+        }
+
         final Map<Object, Object> map = new LinkedHashMap<>();
         Map<Object, Object> m1 = map;
         Map<Object, Object> m2 = new LinkedHashMap<>();
@@ -461,6 +483,10 @@ public void testDoSAttackWithLinkedHashMap() {
     }
 
     public void testDoSAttackWithHashtable() {
+        if (SKIP_DOS_ATTACK_TESTS) {
+            return;
+        }
+
         final Map<Object, Object> map = new Hashtable<>();
         Map<Object, Object> m1 = map;
         Map<Object, Object> m2 = new Hashtable<>();