You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by oh...@apache.org on 2014/05/24 22:11:58 UTC

svn commit: r1597344 - in /commons/proper/beanutils/trunk/src: main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java

Author: oheger
Date: Sat May 24 20:11:58 2014
New Revision: 1597344

URL: http://svn.apache.org/r1597344
Log:
[BEANUTILS-463] Added an easy way to suppress the class property.

A specialized instance suppressing the class property common to all Java
objects has been added as constant to SuppressPropertiesBeanIntrospector. A
test case was created demonstrating that the property can no longer be accessed
with this introspector being active.

Added:
    commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java
Modified:
    commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java

Modified: commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
URL: http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?rev=1597344&r1=1597343&r2=1597344&view=diff
==============================================================================
--- commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java (original)
+++ commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java Sat May 24 20:11:58 2014
@@ -21,6 +21,17 @@ import java.util.Set;
  * @since 1.9.2
  */
 public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+    /**
+     * A specialized instance which is configured to suppress the special {@code class}
+     * properties of Java beans. Unintended access to the property {@code class} (which is
+     * common to all Java objects) can be a security risk because it also allows access to
+     * the class loader. Adding this instance as {@code BeanIntrospector} to an instance
+     * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no
+     * longer be accessed.
+     */
+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+            new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+
     /** A set with the names of the properties to be suppressed. */
     private final Set<String> propertyNames;
 

Added: commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java
URL: http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java?rev=1597344&view=auto
==============================================================================
--- commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java (added)
+++ commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java Sat May 24 20:11:58 2014
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.beanutils.bugs;
+
+import junit.framework.TestCase;
+
+import org.apache.commons.beanutils.AlphaBean;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
+
+/**
+ * Class loader vulnerability in DefaultResolver
+ *
+ * @version $Id$
+ * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-463">https://issues.apache.org/jira/browse/BEANUTILS-463</a>
+ */
+public class Jira463TestCase extends TestCase {
+    /**
+     * Tests that with a specialized {@code BeanIntrospector} implementation the class
+     * property can be suppressed.
+     */
+    public void testSuppressClassProperty() throws Exception {
+        BeanUtilsBean bub = new BeanUtilsBean();
+        bub.getPropertyUtils().addBeanIntrospector(
+                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        AlphaBean bean = new AlphaBean();
+        try {
+            bub.getProperty(bean, "class");
+            fail("Could access class property!");
+        } catch (NoSuchMethodException ex) {
+            // ok
+        }
+    }
+}