Posted to commits@commons.apache.org by oh...@apache.org on 2014/05/24 22:11:58 UTC
svn commit: r1597344 - in /commons/proper/beanutils/trunk/src:
main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java
Author: oheger
Date: Sat May 24 20:11:58 2014
New Revision: 1597344
URL: http://svn.apache.org/r1597344
Log:
[BEANUTILS-463] Added an easy way to suppress the class property.
A specialized instance suppressing the class property common to all Java
objects has been added as a constant to SuppressPropertiesBeanIntrospector. A
test case was created demonstrating that the property can no longer be accessed
with this introspector being active.
Added:
commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java
Modified:
commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
Modified: commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
URL: http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java?rev=1597344&r1=1597343&r2=1597344&view=diff
==============================================================================
--- commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java (original)
+++ commons/proper/beanutils/trunk/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java Sat May 24 20:11:58 2014
@@ -21,6 +21,17 @@ import java.util.Set;
* @since 1.9.2
*/
public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+ /**
+ * A specialized instance which is configured to suppress the special {@code class}
+ * properties of Java beans. Unintended access to the property {@code class} (which is
+ * common to all Java objects) can be a security risk because it also allows access to
+ * the class loader. Adding this instance as {@code BeanIntrospector} to an instance
+ * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no
+ * longer be accessed.
+ */
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
+ new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+
/** A set with the names of the properties to be suppressed. */
private final Set<String> propertyNames;
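Review bot: The Javadoc on `SUPPRESS_CLASS` promises that the class property "can then no longer be accessed", but that only holds for the `PropertyUtilsBean` instance the introspector was added to; the shared default instance behind `BeanUtilsBean.getInstance()` (and therefore the static `BeanUtils`/`PropertyUtils` helpers) stays unprotected unless the caller registers it there too, and descriptors already cached for a bean class before registration may still resolve `class` — the cache behaviour is not visible in this hunk, so worth confirming. I would add a sentence to the Javadoc: `Note that the introspector only affects the {@code PropertyUtilsBean} it is added to; to protect the static utility methods, add it to {@code BeanUtilsBean.getInstance().getPropertyUtils()} as well, before any bean of interest has been introspected.` Also "the special {@code class} properties" should read "property" (singular), and it is worth stating that the instance is immutable and safe to share, since it is built from `Collections.singleton("class")` and stored in a final field. The class body continues outside the hunk.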
Added: commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java
URL: http://svn.apache.org/viewvc/commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java?rev=1597344&view=auto
==============================================================================
--- commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java (added)
+++ commons/proper/beanutils/trunk/src/test/java/org/apache/commons/beanutils/bugs/Jira463TestCase.java Sat May 24 20:11:58 2014
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.beanutils.bugs;
+
+import junit.framework.TestCase;
+
+import org.apache.commons.beanutils.AlphaBean;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
+
+/**
+ * Class loader vulnerability in DefaultResolver
+ *
+ * @version $Id$
+ * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-463">https://issues.apache.org/jira/browse/BEANUTILS-463</a>
+ */
+public class Jira463TestCase extends TestCase {
+ /**
+ * Tests that with a specialized {@code BeanIntrospector} implementation the class
+ * property can be suppressed.
+ */
+ public void testSuppressClassProperty() throws Exception {
+ BeanUtilsBean bub = new BeanUtilsBean();
+ bub.getPropertyUtils().addBeanIntrospector(
+ SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ AlphaBean bean = new AlphaBean();
+ try {
+ bub.getProperty(bean, "class");
+ fail("Could access class property!");
+ } catch (NoSuchMethodException ex) {
+ // ok
+ }
+ }
+}
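Review bot: testSuppressClassProperty covers only the negative case — that `getProperty(bean, "class")` fails — and would also pass if the introspector suppressed every property, so a positive assertion on an ordinary property of `AlphaBean` is needed to show the suppression is targeted; assuming `AlphaBean` exposes a simple `name` property, `bean.setName("x"); assertEquals("x", bub.getProperty(bean, "name"));` after the try/catch would do it. The bare `// ok` in the catch block would be clearer as `// expected: the class property is suppressed by SUPPRESS_CLASS`. The class Javadoc title "Class loader vulnerability in DefaultResolver" echoes the JIRA summary, but the fix under test lives in `SuppressPropertiesBeanIntrospector`, not `DefaultResolver`; consider rewording it to `Tests suppression of the class property via SuppressPropertiesBeanIntrospector (BEANUTILS-463).`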