Add org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS

Author: garydgregory

pom.xml

@@ -24,7 +24,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>commons-beanutils</groupId>
   <artifactId>commons-beanutils</artifactId>
-  <version>1.10.2-SNAPSHOT</version>
+  <version>1.11.0-SNAPSHOT</version>
   <name>Apache Commons BeanUtils</name>
 
   <inceptionYear>2000</inceptionYear>
@@ -38,8 +38,8 @@
       <commons.componentid>beanutils</commons.componentid>
       <commons.main.branch>1.X</commons.main.branch>
       <commons.release.branch>release-1.x</commons.release.branch>
-      <commons.release.version>1.10.1</commons.release.version>
-      <commons.release.next>1.10.2</commons.release.next>
+      <commons.release.version>1.11.0</commons.release.version>
+      <commons.release.next>1.11.1</commons.release.next>
       <commons.jira.id>BEANUTILS</commons.jira.id>
       <commons.jira.pid>12310460</commons.jira.pid>
       <!-- Limit memory size see BEANUTILS-291; allow command-line override -->
@@ -99,6 +99,11 @@
       <artifactId>junit-vintage-engine</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>

src/changes/changes.xml

@@ -28,7 +28,7 @@
     <title>Release Notes</title>
   </properties>
   <body>
-    <release version="1.10.2" date="YYYY-MM-DD" description="This is a maintenance release and requires Java 8.">
+    <release version="1.11.0" date="YYYY-MM-DD" description="This is a maintenance release and requires Java 8.">
       <!-- FIX -->
       <action type="fix" dev="ggregory" due-to="Gary Gregory">BeanComparator.compare(T, T) now throws IllegalArgumentException instead of RuntimeException to wrap all cases of ReflectiveOperationException.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">MappedMethodReference.get() now throws IllegalStateException instead of RuntimeException to wrap cases of NoSuchMethodException.</action>
@@ -38,6 +38,7 @@
       <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.set(String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.set(String, String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.</action>
       <!-- ADD -->
+      <action type="add" dev="ggregory" due-to="Gary Gregory">Add org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS.</action>
       <!-- UPDATE -->
       <action dev="ggregory" type="update" due-to="Gary Gregory">Bump org.apache.commons:commons-parent from 81 to 84.</action>
       <action dev="ggregory" type="update" due-to="Gary Gregory">Bump commons-logging:commons-logging from 1.3.4 to 1.3.5.</action>

src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java

@@ -1478,6 +1478,7 @@ public final void resetBeanIntrospectors() {
         introspectors.clear();
         introspectors.add(DefaultBeanIntrospector.INSTANCE);
         introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
     }
 
     /**

src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java

@@ -36,16 +36,24 @@
  * @since 1.9.2
  */
 public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+
     /**
-     * A specialized instance which is configured to suppress the special {@code class}
-     * properties of Java beans. Unintended access to the property {@code class} (which is
-     * common to all Java objects) can be a security risk because it also allows access to
-     * the class loader. Adding this instance as {@code BeanIntrospector} to an instance
-     * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no
-     * longer be accessed.
+     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the property
+     * {@code class} (which is common to all Java objects) can be a security risk because it also allows access to the class loader. Adding this instance as
+     * {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be accessed.
+     */
+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+
+    /**
+     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+     * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+     * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+     * accessed.
+     *
+     * @since 1.11.0
      */
-    public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
-            new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+            Collections.singleton("declaringClass"));
 
     /** A set with the names of the properties to be suppressed. */
     private final Set<String> propertyNames;

src/main/java/org/apache/commons/beanutils/package-info.java

@@ -420,20 +420,26 @@
  * then be removed if they have been detected by other <code>BeanIntrospector</code>
  * instances during processing of a bean class.</p>
  *
- * <p>A good use case for suppressing properties is the special <code>class</code>
+ * <p>A good use case for suppressing properties is the special {@code class}
  * property which is per default available for all beans; it is generated from the
- * <code>getClass()</code> method inherited from <code>Object</code> which follows the
+ * {@code getClass()} method inherited from {@code Object} which follows the
  * naming conventions for property get methods. Exposing this property in an
  * uncontrolled way can lead to a security vulnerability as it allows access to
  * the class loader. More information can be found at
  * <a href="https://issues.apache.org/jira/browse/BEANUTILS-463">
  * https://issues.apache.org/jira/browse/BEANUTILS-463</a>.</p>
  *
- * <p>Because the <code>class</code> property is undesired in many use cases
- * there is already an instance of <code>SuppressPropertiesBeanIntrospector</code>
+ * <p>Because the {@code class} property is undesired in many use cases
+ * there is already an instance of {@code SuppressPropertiesBeanIntrospector}
  * which is configured to suppress this property. It can be obtained via the
- * <code>SUPPRESS_CLASS</code> constant of
- * <code>SuppressPropertiesBeanIntrospector</code>.</p>
+ * {@code SUPPRESS_CLASS} constant of
+ * {@code SuppressPropertiesBeanIntrospector}.</p>
+ *
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
+ *
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
  *
  * <h2>3. Dynamic Beans (DynaBeans)</h2>
  *

src/test/java/org/apache/commons/beanutils/TestEnum.java

@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.beanutils;
+
+/**
+ * An {@code enum} test fixture.
+ */
+public enum TestEnum {
+
+    /** Test fixture. */
+    A,
+
+    /** Test fixture. */
+    B,
+
+    /** Test fixture. */
+    C
+}

src/test/java/org/apache/commons/beanutils/bugs/EnumDeclaringClassTest.java

@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.beanutils.bugs;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.PropertyUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
+import org.apache.commons.beanutils.TestEnum;
+import org.junit.jupiter.api.Test;
+
+public class EnumDeclaringClassTest {
+
+    public static class Fixture {
+
+        String name = "default";
+        TestEnum testEnum = TestEnum.A;
+
+        public String getName() {
+            return name;
+        }
+
+        public TestEnum getTestEnum() {
+            return testEnum;
+        }
+
+        public void setName(final String name) {
+            this.name = name;
+        }
+
+        public void setTestEnum(final TestEnum day) {
+            this.testEnum = day;
+        }
+    }
+
+    /**
+     * Allow opt-out to make your app less secure but allow access to "declaringClass".
+     */
+    @Test
+    public void testAllowAccessToClassPropertyFromBeanUtilsBean() throws ReflectiveOperationException {
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        final PropertyUtilsBean propertyUtilsBean = bub.getPropertyUtils();
+        propertyUtilsBean.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+        final Fixture fixture = new Fixture();
+        final String string = bub.getProperty(fixture, "testEnum.declaringClass");
+        assertEquals("class " + TestEnum.class.getName(), string);
+        final Class<TestEnum> teClass = assertInstanceOf(Class.class, propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass"));
+        final ClassLoader classLoader = teClass.getClassLoader();
+        assertNotNull(classLoader);
+        assertNotNull(bub.getProperty(fixture, "testEnum.declaringClass.classLoader"));
+        assertInstanceOf(ClassLoader.class, propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+
+    /**
+     * Allow opt-out to make your app less secure but allow access to "declaringClass".
+     */
+    @Test
+    public void testAllowAccessToClassPropertyFromPropertyUtilsBean() throws ReflectiveOperationException {
+        final PropertyUtilsBean propertyUtilsBean = new PropertyUtilsBean();
+        propertyUtilsBean.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+        final Fixture fixture = new Fixture();
+        final Object cls = propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass");
+        final Class<TestEnum> teClass = assertInstanceOf(Class.class, cls);
+        final ClassLoader classLoader = teClass.getClassLoader();
+        assertNotNull(classLoader);
+        assertInstanceOf(ClassLoader.class, propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+
+    /**
+     * By default opt-in to security that does not allow access to "declaringClass".
+     */
+    @Test
+    public void testSuppressClassPropertyByDefaultFromBeanUtilsBean() throws ReflectiveOperationException {
+        final Fixture fixture = new Fixture();
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        assertThrows(NoSuchMethodException.class, () -> bub.getProperty(fixture, "testEnum.declaringClass.classLoader"));
+        assertThrows(NoSuchMethodException.class, () -> bub.getPropertyUtils().getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+
+    /**
+     * By default opt-in to security that does not allow access to "declaringClass".
+     */
+    @Test
+    public void testSuppressClassPropertyByDefaultFromPropertyUtilsBean() throws ReflectiveOperationException {
+        final Fixture fixture = new Fixture();
+        final PropertyUtilsBean propertyUtilsBean = new PropertyUtilsBean();
+        assertThrows(NoSuchMethodException.class, () -> propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+}