ExecutionResults.class );
// Read the object the response published under "outStilton" and check its price.
// NOTE(review): the request that inserted this fact is outside this view; 30 is
// presumably the price after the session's rules ran - confirm.
Cheese stilton = (Cheese) result.getValue( "outStilton" );
assertEquals( 30,
stilton.getPrice() );
// Keep the fact handle: the requests below address the same fact through
// factHandle.toExternalForm().
FactHandle factHandle = ((FactHandle) result.getFactHandle( "outStilton" ));
// Build the XML the response is expected to match: one <result> carrying the
// Cheese fields and one <fact-handle> carrying the handle's external form.
// NOTE(review): the element name org.drools.camel.testdomain.Cheese is presumably
// the fully qualified class name of Cheese - confirm against the marshaller setup.
String expectedXml = "";
expectedXml += "<execution-results>\n";
expectedXml += " <result identifier=\"outStilton\">\n";
expectedXml += " <org.drools.camel.testdomain.Cheese>\n";
expectedXml += " <type>stilton</type>\n";
expectedXml += " <oldPrice>0</oldPrice>\n";
expectedXml += " <price>30</price>\n";
expectedXml += " </org.drools.camel.testdomain.Cheese>\n";
expectedXml += " </result>\n";
expectedXml += " <fact-handle identifier=\"outStilton\" external-form=\"" + factHandle.toExternalForm() + "\" /> \n";
expectedXml += "</execution-results>\n";
// outXml is assigned before this view; it is compared against the expected document.
assertXMLEqual( expectedXml,
outXml );
// Second request: modify the fact addressed by the handle (oldPrice -> 42,
// price -> 50), then fire all rules.
// The setter values travel as XML attribute strings; how they become property
// values is decided by the modify command, not by this test.
inXml = "";
inXml += "<batch-execution>";
inXml += " <modify fact-handle='" + factHandle.toExternalForm() + "'> <set accessor='oldPrice' value='42' /><set accessor='price' value='50' /></modify>";
inXml += " <fire-all-rules />";
inXml += "</batch-execution>";
// The response body of this request is not kept.
template.requestBody( "direct:exec",
inXml,
String.class );
// Third request: fetch the same fact by its handle and publish it under "outCheddar".
inXml = "";
inXml += "<batch-execution>";
inXml += " <get-object out-identifier='outCheddar' fact-handle='" + factHandle.toExternalForm() + "' />";
inXml += "</batch-execution>";
// NOTE(review): setExec is defined outside this view; presumably it points the
// "direct:exec" route at ksession - confirm.
setExec( ksession );
outXml = template.requestBody( "direct:exec",
inXml,
String.class );
// Turn the XML response back into an ExecutionResults object via the unmarshal route.
result = template.requestBody( "direct:unmarshal",
outXml,
ExecutionResults.class );
Cheese cheddar = (Cheese) result.getValue( "outCheddar" );
// oldPrice is the 42 written by the modify request above.
assertEquals( 42,
cheddar.getOldPrice() );
// price is 55 although the modify request set 50.
// NOTE(review): presumably a rule fired by <fire-all-rules /> raised it; the
// rules are not visible here - confirm.
assertEquals( 55,
cheddar.getPrice() );
// Code-injection regression check for the modify command.
// The 'type' setter value below is not a plain literal: it closes a string
// (44") and appends a statement (System.exit(1);). If setter values were
// evaluated as expressions, that statement would run inside the test JVM.
// With ALLOW_MODIFY_EXPRESSIONS set to false the value is expected to be
// handled as data only.
// NOTE(review): how ModifyCommand consults this flag, and what its default is,
// are not visible here - confirm.
// NOTE(review): the flag is assigned through the class name, so this looks like
// process-wide state; no reset is visible in this part of the test - confirm it
// is restored afterwards (finally block or teardown) so that other tests do not
// depend on execution order.
// NOTE(review): a regression would end the JVM with exit status 1 rather than
// fail an assertion; whatever is asserted after the request is outside this view.
ModifyCommand.ALLOW_MODIFY_EXPRESSIONS = false;
inXml = "";
inXml += "<batch-execution>";
inXml += " <modify fact-handle='" + factHandle.toExternalForm() + "'> <set accessor='type' value='44\"; System.exit(1);' /><set accessor='price' value='50' /></modify>";
inXml += " <fire-all-rules />";
inXml += "</batch-execution>";
outXml = template.requestBody( "direct:exec",
inXml,