BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS by default. (#7)

melloware · garydgregory · commit dd48f4e58946 · 2019-05-28T08:31:14.000-04:00
Squash and merge.
diff --git a/src/main/java/org/apache/commons/beanutils2/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils2/PropertyUtilsBean.java
@@ -185,6 +185,7 @@ public void setResolver(final Resolver resolver) {
     public final void resetBeanIntrospectors() {
         introspectors.clear();
         introspectors.add(DefaultBeanIntrospector.INSTANCE);
+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
     }
 
     /**
diff --git a/src/test/java/org/apache/commons/beanutils2/BeanIntrospectionDataTestCase.java b/src/test/java/org/apache/commons/beanutils2/BeanIntrospectionDataTestCase.java
@@ -41,6 +41,7 @@ public class BeanIntrospectionDataTestCase extends TestCase {
      */
     private static PropertyDescriptor[] fetchDescriptors() {
         final PropertyUtilsBean pub = new PropertyUtilsBean();
+        pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
         pub.addBeanIntrospector(new FluentPropertyBeanIntrospector());
         return pub.getPropertyDescriptors(BEAN_CLASS);
     }
diff --git a/src/test/java/org/apache/commons/beanutils2/bugs/Jira157TestCase.java b/src/test/java/org/apache/commons/beanutils2/bugs/Jira157TestCase.java
@@ -20,6 +20,9 @@
 import java.util.Map;
 
 import org.apache.commons.beanutils2.BeanUtils;
+import org.apache.commons.beanutils2.BeanUtilsBean;
+import org.apache.commons.beanutils2.PropertyUtilsBean;
+import org.apache.commons.beanutils2.SuppressPropertiesBeanIntrospector;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -73,6 +76,10 @@ public static Test suite() {
     @Override
     protected void setUp() throws Exception {
         super.setUp();
+        
+        BeanUtilsBean custom = new BeanUtilsBean();
+    	custom.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+    	BeanUtilsBean.setInstance(custom);
     }
 
     /**
diff --git a/src/test/java/org/apache/commons/beanutils2/bugs/Jira520TestCase.java b/src/test/java/org/apache/commons/beanutils2/bugs/Jira520TestCase.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.beanutils2.bugs;
+
+import org.apache.commons.beanutils2.AlphaBean;
+import org.apache.commons.beanutils2.BeanUtilsBean;
+import org.apache.commons.beanutils2.SuppressPropertiesBeanIntrospector;
+
+import junit.framework.TestCase;
+
+/**
+ * Fix CVE: https://nvd.nist.gov/vuln/detail/CVE-2014-0114
+ *
+ * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-520">https://issues.apache.org/jira/browse/BEANUTILS-520</a>
+ */
+public class Jira520TestCase extends TestCase {
+    /**
+     * By default opt-in to security that does not allow access to "class".
+     */
+    public void testSuppressClassPropertyByDefault() throws Exception {
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        final AlphaBean bean = new AlphaBean();
+        try {
+            bub.getProperty(bean, "class");
+            fail("Could access class property!");
+        } catch (final NoSuchMethodException ex) {
+            // ok
+        }
+    }
+    
+    /**
+     * Allow opt-out to make your app less secure but allow access to "class".
+     */
+    public void testAllowAccessToClassProperty() throws Exception {
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        final AlphaBean bean = new AlphaBean();
+        String result = bub.getProperty(bean, "class");
+        assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils2.AlphaBean", result);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,7 @@ public void setResolver(final Resolver resolver) {`
`185`	`185`	`public final void resetBeanIntrospectors() {`
`186`	`186`	`introspectors.clear();`
`187`	`187`	`introspectors.add(DefaultBeanIntrospector.INSTANCE);`
	`188`	`+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);`
`188`	`189`	`}`
`189`	`190`
`190`	`191`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ public class BeanIntrospectionDataTestCase extends TestCase {`
`41`	`41`	`*/`
`42`	`42`	`private static PropertyDescriptor[] fetchDescriptors() {`
`43`	`43`	`final PropertyUtilsBean pub = new PropertyUtilsBean();`
	`44`	`+ pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);`
`44`	`45`	`pub.addBeanIntrospector(new FluentPropertyBeanIntrospector());`
`45`	`46`	`return pub.getPropertyDescriptors(BEAN_CLASS);`
`46`	`47`	`}`