I can see the last artificat of Hamcrest released on maven central was back in 2015. But the latest master has many updates which are not availabe on that maven build. For example empty matcher for Map. So please release the binaries for latest master on maven central. So we can consume it in our projects. Also the latest master and binaries on maven central should be in sync.

There have been a number of changes since hamcrest-java-1.3 was released in 2012 and, for people who use Hamcrest's binary releases, it would be good to get them into a public 1.4 release.

There was some discussion on the mailing list back in 2013 about a Java Hamcrest 1.4 Release Plan, which suggested that #32 was the blocker for a release. However, discussion on that pull request now implies that a new release is unlikely.

A new release would be a great resolution for this, but it would also be good to have some expectation-setting, so users can decide whether waiting, making their own releases, or forking would be their best option for getting a current Hamcrest build, or if there's any way to help out.

Why the JavaHamcrest is not built on Maven POM files? I guess the committers would have easier life, and it is bulletproof to deploy Maven artifacts to the Maven central repository. Some features could be maybe already accepted if the Maven build was established.

Evolution of Hamcrest and JUnit has been held back by the dependencies between the two projects. If they can be decoupled, both projects can move forward with less coordination required.

Plan:

• create a new project (hamcrest-junit, say) that contains a copy of the JUnit code that uses Hamcrest, repackaged somewhere under org.hamcrest (org.hamcrest.junit, say) so that they can live side-by-side with existing JUnit and Hamcrest code.
• Deprecate existing code in JUnit that depends on Hamcrest
• Perhaps deprecate Hamcrest's MatcherAssert class, now that it is duplicated in the hamcrest-junit module.
• Eventually delete the deprecated code.
• Run a CI "matrix" that reports the compatibility of Hamcrest and JUnit versions.

The uses of Hamcrest in JUnit are:

• Assert and Assume in org.junit, for which we'd have to duplicate the methods using matchers as (for instance) MatcherAssert and MatcherAssume
• ErrorCollector and ExpectedException (and a package-protected supporting class) in org.junit.rules, which we'd have to duplicate.
• several classes in the org.junit.internal packages, which client code should not be using

I cannot find any class allowing me to write my tests like:

String actual = tested.buildUrlWithRandomPort("foo", "bar");
assertThat(actual, matchesRegex("^foo://bar:\\d+/$");
// fails with a message like:
// expected <foo://bar:/> to match a regular expression <^foo://bar:\d+/$>

I think that Hamcrest Library should offer matchesReges() together with containsString(), endsWith() and startsWith().

Is there a matcher like this available in the master branch? If not, I could write one (something similar to Hamcrest Regex Matcher) and create a pull request.

public static org.hamcrest.Matcher isA(java.lang.Class type) { return org.hamcrest.core.Is.isA(type); }

means you have to cast the thing to the type you are asserting it should be. Really it should be a matcher of anything (Object) not T.

e.g. class hierarchy Foo extends Bar

Bar thing = somemethod(); assertThat(thing, isA(Foo.class))

to assert that you are getting the right subclass back - yeah ok, it might not be the best test, but anyhow......

I've seen discussion of this at http://code.google.com/p/hamcrest/issues/detail?id=173 , and the topic has come up in regards to doing the same for Junit (https://github.com/KentBeck/junit/issues/212). Is there any plan for this ?

Problem SamePropertyValuesAs does not support ignoring fields

Either:

1. change private methods to protected so the class can be enhanced to ignore certain properties, or
2. add the feature to ignore fields in this class

I'm willing to make the change. Please let me know if this feature is intentionally omitted.

Thanks!

My proposal of implementation of the issue #249 .

Should work fine for both Collections::unmodifiable* implementations, and guava Immutable* collections.

When implementing a library to test compiler command-line arguments in the form:

-x foo -y -z bar

I found I needed a Hamcrest matcher which would look for a consecutive sequence of items anywhere inside a collection of items.

I was surprised that Hamcrest had matchers which:

1. Match if a collection includes a single item anywhere (hasItem)
2. Match if a collection includes multiple items anywhere (hasItems)
3. Match if a collection includes multiple items in order anywhere, consecutive or not (containsInRelativeOrder)
4. Match if a collection exactly matches another collection in order (contains)
5. Match if a collection exactly matches another collection in any order (containsInAnyOrder)

but not for a consecutive sequence of items anywhere inside the collection.

This implements such a matcher (hasSubsequence) and adds tests. I borrowed the tests from containsInRelativeOrder, so let me know if there are better tests I should include. I wasn't sure about the WithValue stuff so I just copy-pasted it from that test.

This request is to support the is prefix for Boolean object getters. Since PropertyDescriptor that is created lacks readMethod if the getter does not start with get. For example, classes that are generated by JAXB, always contain getters for Boolean types with is prefix, and without this minor fix, I cannot match those fields in any of my UT cases.

assertThat(Int::class.java, typeCompatibleWith(Number::class.java)) in kotlin always fails

But open class Base class Extended: Base() assertThat(Extended::class.java, typeCompatibleWith(Base::class.java)) succeed

Describe the bug I have the following simple assertion in my test:

hasProperty("name")

For the following record:

public record AnyDto(
    Long id,
    
    @NotBlank
    String name,
    
    String description) { }

And even though I can see the object does have the property (set with a value), the test fails.

I have tracked this down, and it seems the "issue" is generated in the PropertyUtil class, in the propertyDescriptorsFor method:

https://github.com/hamcrest/JavaHamcrest/blob/5d76642543b4d8c3e5f1b4cd4684d31be0724fde/hamcrest/src/main/java/org/hamcrest/beans/PropertyUtil.java#L49

This is what Introspector.getBeanInfo(fromObj.getClass(), stopClass) retrieves for a Record class:

If I change the AnyDto to a regular class, the test passes, because the Introspector method above does contain PropertyDescriptors for the class:

Note: the Record does contain name as a MethodDescriptor, maybe we can rely on these for the Records?

This is a related Stackoverflow Question: https://stackoverflow.com/questions/66982522/how-can-i-assert-hasproperty-with-a-java-record

Are you planning on participating in the Hacktoberfest? See https://hacktoberfest.com/ You would just need to add the label "hacktoberfest" to the repo.

Hi all,

we have prepared the Initial Integration of hamcrest into Google OSS-Fuzz which will provide more security for your project.

Why do you need Fuzzing? The Code Intelligence JVM fuzzer Jazzer has already found hundreds of bugs in open source projects including for example OpenJDK, Protobuf or jsoup. Fuzzing proved to be very effective having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by Jazzer.

What do you need to do? The integration requires the maintainer or one established project commiter to deal with the bug reports.

You need to create or provide one email address that is associated with a google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.

How Code Intelligence can support? We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and more bug detectors.

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.

Security Vulnerability Fix

This pull request fixes either 1.) Temporary Directory Hijacking Vulnerability, or 2.) Temporary Directory Information Disclosure Vulnerability, which existed in this project.

Preamble

The system temporary directory is shared between all users on most unix-like systems (not MacOS, or Windows). Thus, code interacting with the system temporary directory must be careful about file interactions in this directory, and must ensure that the correct file permissions are set.

This PR was generated because the following chain of calls was detected in this repository in a way that leaves this project vulnerable. File.createTempFile(..) -> file.delete() -> either file.mkdir() or file.mkdirs().

Impact

This vulnerability can have one of two impacts depending upon which vulnerability it is.

1. Temporary Directory Information Disclosure - Information in this directory is visable to other local users, allowing a malicious actor co-resident on the same machine to view potentially sensitive files.
2. Temporary Directory Hijacking Vulnerability - Same impact as 1. above, but also, ther local users can manipulate/add contents to this directory. If code is being executed out of this temporary directory, it can lead to local priviledge escalation.

Temporary Directory Hijacking

This vulnerability exists because the return value from file.mkdir() or file.mkdirs() is not checked to determine if the call succeeded. Say, for example, because another local user created the directory before this process.

File tmpDir = File.createTempFile("temp", ".dir"); // Attacker knows the full path of the directory that will be later created
// delete the file that was created
tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before the java code.
// and makes a directory of the same name
// SECURITY VULNERABILITY: Race Condition! - Attacker beats java code and now owns this directory
tmpDir.mkdirs(); // This method returns 'false' because it was unable to create the directory. No exception is thrown.
// Attacker can write any new files to this directory that they wish.
// Attacker can read any files created within this directory.

Other Examples

• CVE-2021-20202 - Keycloak/Keycloak
• CVE-2020-27216 - eclipse/jetty.project

Temporary Directory Information Disclosure

This vulnerability exists because, although the return values of file.mkdir() or file.mkdirs() are correctly checked, the permissions of the directory that is created follows the default system uname settings. Thus, the directory is created with everyone-readable permissions. As such, any files/directories written into this directory are viewable by all other local users on the system.

File tmpDir = File.createTempFile("temp", ".dir");
tmpDir.delete();
if (!tmpDir.mkdirs()) { // Guard correctly prevents temporary directory hijacking, but directory contents are everyone-readable.
    throw new IOException("Failed to create temporary directory");
}

Other Examples

• CVE-2020-15250 - junit-team/junit
• CVE-2021-21364 - swagger-api/swagger-codegen
• CVE-2022-24823 - netty/netty
• CVE-2022-24823 - netty/netty

The Fix

The fix has been to convert the logic above to use the following API that was introduced in Java 1.7.

File tmpDir = Files.createTempDirectory("temp dir").toFile();

The API both created the directory securely, ie with a random, non-conflicting name, with directory permissions that only allow the currently executing user to read or write the contents of this directory.

:arrow_right: Vulnerability Disclosure :arrow_left:

:wave: Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

First question, do we need to perform vulnerability disclosure? It depends!

1. Is the vulnerable code only in tests or example code? No disclosure required!
2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

Vulnerability Disclosure How-To

You have a few options options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at the Snyk's Disclosure Email.

Detecting this and Future Vulnerabilities

This vulnerability was automatically detected by GitHub's LGTM.com using this CodeQL Query.

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

I'm not an employee of GitHub, I'm simply an open-source security researcher.

Source

This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly hand crafted to bring this security fix to your repository.

The source code that generated this PR can be found here: UseFilesCreateTempDirectory

Opting-Out

If you'd like to opt-out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/security-research
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit Signoff documentation

If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

Sponsorship & Support

This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

Tracking

All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/10

Given an actual map like this:

        Map actual = Map.of(
                "k1", Map.of(
                        "k11", "v11",
                        "k12", "v12"),
                "k2", List.of("v21", "v22"),
                "k3", "V3"
        );

I wish/expect to make an assertion with matcher that looks like this:

        assertThat(actual, AllOf.allOf(
                IsMapContaining.hasEntry("k1", AllOf.allOf(
                        IsMapContaining.hasEntry("k11", "v11"),
                        IsMapContaining.hasEntry("k12", "v12"))
                ),
                IsMapContaining.hasEntry("k2", IsIterableContainingInOrder.contains("v21","v22")),
                IsMapContaining.hasEntry("k3", "v3")
                )
        );```

But this fails with

java: no suitable method found for allOf(org.hamcrest.Matcher<java.util.Map<? extends java.lang.String,? extends org.hamcrest.Matcher<java.util.Map<? extends java.lang.String,? extends java.lang.String>>>>,org.hamcrest.Matcher<java.util.Map<? extends java.lang.String,? extends org.hamcrest.Matcher<java.lang.Iterable<? extends java.lang.String>>>>,org.hamcrest.Matcher<java.util.Map<? extends java.lang.String,? extends java.lang.String>>) method org.hamcrest.core.AllOf.allOf(java.lang.Iterable<org.hamcrest.Matcher<? super T>>) is not applicable (cannot infer type-variable(s) T (actual and formal argument lists differ in length)) method org.hamcrest.core.AllOf.allOf(org.hamcrest.Matcher<? super T>...) is not applicable (inferred type does not conform to upper bound(s) inferred: java.util.Map<? extends java.lang.String,? extends java.lang.String> upper bound(s): java.util.Map<? extends java.lang.String,? extends java.lang.String>,java.util.Map<? extends java.lang.String,? extends org.hamcrest.Matcher<java.lang.Iterable<? extends java.lang.String>>>,java.util.Map<? extends java.lang.String,? extends org.hamcrest.Matcher<java.util.Map<? extends java.lang.String,? extends java.lang.String>>>,java.lang.Object) method org.hamcrest.core.AllOf.allOf(org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>) is not applicable (cannot infer type-variable(s) T (actual and formal argument lists differ in length)) method org.hamcrest.core.AllOf.allOf(org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>) is not applicable (inferred type does not conform to upper bound(s) inferred: java.util.Map<? extends java.lang.String,? extends java.lang.String> upper bound(s): java.util.Map<? extends java.lang.String,? extends java.lang.String>,java.util.Map<? extends java.lang.String,? extends org.hamcrest.Matcher<java.lang.Iterable<? extends java.lang.String>>>,java.util.Map<? extends java.lang.String,? extends org.hamcrest.Matcher<java.util.Map<? extends java.lang.String,? extends java.lang.String>>>,java.lang.Object) method org.hamcrest.core.AllOf.allOf(org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>) is not applicable (cannot infer type-variable(s) T (actual and formal argument lists differ in length)) method org.hamcrest.core.AllOf.allOf(org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>) is not applicable (cannot infer type-variable(s) T (actual and formal argument lists differ in length)) method org.hamcrest.core.AllOf.allOf(org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>,org.hamcrest.Matcher<? super T>) is not applicable (cannot infer type-variable(s) T (actual and formal argument lists differ in length))