Skip to content

Commit 0c9ee02

Browse files
Copilottvaron3
andcommitted
Fix code review issues: improve test assertions and add clarifying comments
Co-authored-by: tvaron3 <70857381+tvaron3@users.noreply.github.com>
1 parent 0971089 commit 0c9ee02

4 files changed

Lines changed: 11 additions & 4 deletions

File tree

sdk/cosmos/azure-cosmos-tests/src/test/java/com/azure/cosmos/SerializableDocumentCollectionTests.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@ public void deserializeWithInvalidClassType_shouldFail() throws Exception {
8181
SerializableDocumentCollection deserializedDocumentCollection = (SerializableDocumentCollection) ois.readObject();
8282

8383
// Should not reach here
84-
assertThat(false).as("Expected InvalidClassException to be thrown").isTrue();
84+
org.testng.Assert.fail("Expected InvalidClassException to be thrown");
8585
} catch (java.io.InvalidClassException e) {
8686
// Expected - the malicious class type was rejected
8787
assertThat(e.getMessage()).contains("Expected ObjectNode");

sdk/cosmos/azure-cosmos-tests/src/test/java/com/azure/cosmos/implementation/caches/SerializableAsyncCacheTest.java

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -144,7 +144,7 @@ public void deserializeWithInvalidClassType_shouldFail() throws Exception {
144144
SerializableAsyncCollectionCache cache = (SerializableAsyncCollectionCache) ois.readObject();
145145

146146
// Should not reach here
147-
assertThat(false).as("Expected InvalidClassException to be thrown").isTrue();
147+
org.testng.Assert.fail("Expected InvalidClassException to be thrown");
148148
} catch (java.io.InvalidClassException e) {
149149
// Expected - the malicious class type was rejected
150150
assertThat(e.getMessage()).contains("Expected SerializableDocumentCollection");
@@ -172,7 +172,7 @@ public void safeObjectInputStream_rejectsUnauthorizedClasses() throws Exception
172172
AsyncCache<String, DocumentCollection> cache = snapshot.getCollectionInfoByNameCache();
173173

174174
// Should not reach here
175-
assertThat(false).as("Expected exception to be thrown for unauthorized class").isTrue();
175+
org.testng.Assert.fail("Expected exception to be thrown for unauthorized class");
176176
} catch (Exception e) {
177177
// Expected - the unauthorized class was rejected
178178
// The exception could be wrapped in a CosmosException, so check the cause chain

sdk/cosmos/azure-cosmos/src/main/java/com/azure/cosmos/implementation/caches/AsyncCache.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -253,7 +253,7 @@ private void readObject(ObjectInputStream ois) throws ClassNotFoundException, IO
253253
// 1. All existing production code uses the default equality comparer
254254
// 2. The serialization format remains unchanged (we still write the comparer for backward compatibility)
255255
// 3. Future format changes should increment the serialVersionUID to handle compatibility explicitly
256-
ois.readObject(); // Read and discard the serialized comparer to maintain format compatibility
256+
Object unusedComparer = ois.readObject(); // Read and discard the serialized comparer to maintain format compatibility
257257

258258
// Use the default equality comparer (same as AsyncCache constructor)
259259
@SuppressWarnings("unchecked")

sdk/cosmos/azure-cosmos/src/main/java/com/azure/cosmos/implementation/caches/SafeObjectInputStream.java

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,13 @@
1717
/**
1818
* A secure ObjectInputStream that restricts deserialization to a whitelist of allowed classes.
1919
* This prevents Remote Code Execution (RCE) attacks via unsafe deserialization.
20+
*
21+
* <p>Note: This class only validates the top-level class being deserialized from the stream.
22+
* Nested objects deserialized within a class's {@code readObject()} method are not checked
23+
* by this class - they must be validated by the class's own deserialization logic.
24+
* For example, when deserializing a {@code SerializableAsyncCollectionCache}, this class
25+
* validates the outer cache object, while the cache's {@code readObject()} method is
26+
* responsible for validating the individual collection objects it deserializes.</p>
2027
*/
2128
public class SafeObjectInputStream extends ObjectInputStream {
2229
private static final Logger LOGGER = LoggerFactory.getLogger(SafeObjectInputStream.class);

0 commit comments

Comments
 (0)