Test sandbox security

deobfuscator-api/src/main/java/uwu/narumi/deobfuscator/api/helper/AsmHelper.java

@@ -6,6 +6,7 @@
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Unmodifiable;
 import org.objectweb.asm.MethodVisitor;
+import org.objectweb.asm.NamedOpcodes;
 import org.objectweb.asm.Opcodes;
 import org.objectweb.asm.Type;
 import org.objectweb.asm.tree.*;
@@ -168,6 +169,10 @@ public static Map<AbstractInsnNode, Frame<OriginalSourceValue>> analyzeSource(
     return Collections.unmodifiableMap(frames);
   }
 
+  public static List<String> prettyInsnList(InsnList insnList) {
+    return Arrays.stream(insnList.toArray()).map(insn -> NamedOpcodes.map(insn.getOpcode())).toList();
+  }
+
   /**
    * Convert constant value to instruction that represents this constant
    *

deobfuscator-impl/src/test/java/uwu/narumi/deobfuscator/TestDeobfuscation.java

@@ -7,6 +7,7 @@
 import uwu.narumi.deobfuscator.core.other.impl.pool.InlineStaticFieldTransformer;
 import uwu.narumi.deobfuscator.core.other.impl.universal.UniversalNumberTransformer;
 import uwu.narumi.deobfuscator.base.TestDeobfuscationBase;
+import uwu.narumi.deobfuscator.transformer.TestSandboxSecurityTransformer;
 
 import java.util.List;
 
@@ -24,6 +25,9 @@ protected void registerAll() {
     register("Inline static fields", InputType.JAVA_CODE, List.of(InlineStaticFieldTransformer::new), Source.of("TestInlineStaticFields"));
     register("Inline static fields with modification", InputType.JAVA_CODE, List.of(InlineStaticFieldTransformer::new), Source.of("TestInlineStaticFieldsWithModification"));
 
+    // Sandbox security. Should throw
+    registerThrows("Sandbox security", InputType.JAVA_CODE, List.of(TestSandboxSecurityTransformer::new), Source.of("TestSandboxSecurity"));
+
     // Samples
     register("Some flow obf sample", InputType.CUSTOM_CLASS, List.of(ComposedGeneralFlowTransformer::new), Source.of("FlowObfSample"));
 

deobfuscator-impl/src/test/java/uwu/narumi/deobfuscator/base/TestDeobfuscationBase.java

@@ -1,5 +1,6 @@
 package uwu.narumi.deobfuscator.base;
 
+import com.sun.jdi.InvocationException;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.core.config.Configurator;
 import org.jetbrains.annotations.Nullable;
@@ -24,6 +25,8 @@
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
+import static org.junit.jupiter.api.Assertions.*;
+
 @Timeout(60)
 public abstract class TestDeobfuscationBase {
   public static final Path TEST_DATA_PATH = Path.of("..", "testData");
@@ -47,8 +50,11 @@ public abstract class TestDeobfuscationBase {
    * @param sources You can choose one class or multiple classes for testing
    */
   protected void register(String testName, InputType inputType, List<Supplier<Transformer>> transformers, Source... sources) {
-    // Register
-    this.registeredTests.add(new RegisteredTest(testName, inputType, transformers, sources));
+    this.registeredTests.add(new RegisteredTest(testName, false, inputType, transformers, sources));
+  }
+
+  protected void registerThrows(String testName, InputType inputType, List<Supplier<Transformer>> transformers, Source... sources) {
+    this.registeredTests.add(new RegisteredTest(testName, true, inputType, transformers, sources));
   }
 
   @BeforeAll
@@ -72,6 +78,7 @@ public Stream<DynamicTest> testDeobfuscation() {
    */
   public record RegisteredTest(
       String testName,
+      boolean throwable,
       InputType inputType,
       List<Supplier<Transformer>> transformers,
       Source[] sources
@@ -129,7 +136,15 @@ private void runTest() {
           .outputDir(DEOBFUSCATED_CLASSES_PATH.resolve(this.inputType.directory()));
 
       // Build and run deobfuscator!
-      Deobfuscator.from(optionsBuilder.build()).start();
+      if (this.throwable) {
+        assertThrows(RuntimeException.class, () -> {
+          Deobfuscator.from(optionsBuilder.build()).start();
+        });
+        // If the deobfuscator throws an exception, then there is no output. Return
+        return;
+      } else {
+        Deobfuscator.from(optionsBuilder.build()).start();
+      }
 
       // Init context sources
       List<IContextSource> contextSources = new ArrayList<>();

deobfuscator-impl/src/test/java/uwu/narumi/deobfuscator/transformer/TestSandboxSecurityTransformer.java

@@ -0,0 +1,19 @@
+package uwu.narumi.deobfuscator.transformer;
+
+import uwu.narumi.deobfuscator.api.asm.ClassWrapper;
+import uwu.narumi.deobfuscator.api.context.Context;
+import uwu.narumi.deobfuscator.api.execution.SandboxClassLoader;
+import uwu.narumi.deobfuscator.api.transformer.Transformer;
+
+import java.lang.reflect.Method;
+
+public class TestSandboxSecurityTransformer extends Transformer {
+  @Override
+  protected void transform(ClassWrapper scope, Context context) throws Exception {
+    SandboxClassLoader sandboxClassLoader = new SandboxClassLoader(context);
+    Class<?> clazz = Class.forName("TestSandboxSecurity", true, sandboxClassLoader);
+    Method method = clazz.getDeclaredMethod("test");
+    // Invoke test method
+    method.invoke(null);
+  }
+}

testData/src/java/src/main/java/TestSandboxSecurity.java

@@ -0,0 +1,17 @@
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+public class TestSandboxSecurity {
+  public static int test() {
+    int a = 3;
+    int b = 4;
+    int result = a + b;
+    try {
+      Files.createFile(Path.of("test.txt"));
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+    return result;
+  }
+}