From 62e82ad92cf4818709d6044aaf257b73d42659a4 Mon Sep 17 00:00:00 2001 From: Rob Tompkins Date: Wed, 5 Jun 2019 20:38:37 -0400 Subject: [PATCH] BEANUTILS-520: mitigation for CVE-2014-0114 --- pom.xml | 10 ++++ src/changes/changes.xml | 6 ++ .../commons/beanutils/PropertyUtilsBean.java | 1 + .../BeanIntrospectionDataTestCase.java | 1 + .../beanutils/bugs/Jira157TestCase.java | 5 ++ .../beanutils/bugs/Jira520TestCase.java | 55 +++++++++++++++++++ 6 files changed, 78 insertions(+) create mode 100644 src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java diff --git a/pom.xml b/pom.xml index 86130b4b6..2126fe969 100644 --- a/pom.xml +++ b/pom.xml @@ -195,6 +195,12 @@ +0 The Apache Software Foundation + + chtompki + Rob Tompkins + chtompki@apache.org + The Apache Software Foundation + @@ -298,6 +304,10 @@ Bernhard Seebass + + Melloware + + diff --git a/src/changes/changes.xml b/src/changes/changes.xml index 56178979f..bf3ba3269 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -29,6 +29,12 @@ + + + BeanUtils mitigate CVE-2014-0114. + + + Update dependency from JUnit 3.8.1 to 4.12. diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java index 5e76d97b6..36eb7f57b 100644 --- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java +++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java @@ -188,6 +188,7 @@ public void setResolver(final Resolver resolver) { public final void resetBeanIntrospectors() { introspectors.clear(); introspectors.add(DefaultBeanIntrospector.INSTANCE); + introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); } /** diff --git a/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java b/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java index e2085932b..95ad65e3d 100644 
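Review bot: The added `introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);` changes the default set produced by `resetBeanIntrospectors()`, but nothing in the hunk records why it must follow `DefaultBeanIntrospector.INSTANCE`; presumably the suppressor strips the `class` descriptor the default introspector has already collected, so the order is load-bearing and a later reorder would silently undo the mitigation. Suggest the line comment `// Must run after DefaultBeanIntrospector: it removes the "class" descriptor that introspector adds (BEANUTILS-520 / CVE-2014-0114).`. The method's Javadoc sits above the hunk and is not visible here; it should state that the default set now hides the `class` property, that the mitigation covers only that single property name rather than acting as a general allow-list, and that `removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS)` is the explicit opt-out, as the updated tests in this commit use it.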
--- a/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java +++ b/src/test/java/org/apache/commons/beanutils/BeanIntrospectionDataTestCase.java @@ -42,6 +42,7 @@ public class BeanIntrospectionDataTestCase extends TestCase { */ private static PropertyDescriptor[] fetchDescriptors() { final PropertyUtilsBean pub = new PropertyUtilsBean(); + pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); pub.addBeanIntrospector(new FluentPropertyBeanIntrospector()); return pub.getPropertyDescriptors(BEAN_CLASS); } diff --git a/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java b/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java index 79d71aadd..869d630ec 100644 --- a/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java +++ b/src/test/java/org/apache/commons/beanutils/bugs/Jira157TestCase.java @@ -24,6 +24,8 @@ import junit.framework.TestSuite; import org.apache.commons.beanutils.BeanUtils; +import org.apache.commons.beanutils.BeanUtilsBean; +import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -74,6 +76,9 @@ public static Test suite() { @Override protected void setUp() throws Exception { super.setUp(); + BeanUtilsBean custom = new BeanUtilsBean(); + custom.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS); + BeanUtilsBean.setInstance(custom); } /** diff --git a/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java b/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java new file mode 100644 index 000000000..ab64bcd2a --- /dev/null +++ b/src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java 
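Review bot: `setUp()` replaces the shared singleton with `BeanUtilsBean.setInstance(custom)`, where `custom` has the `class` suppression removed, and never restores the previous instance, so the opted-out bean leaks into every later test in the same JVM that goes through the static `BeanUtils` facade; the rest of `Jira157TestCase` is outside the hunk, so a `tearDown` may exist elsewhere, but none is added here. Capture `BeanUtilsBean.getInstance()` before replacing it and put it back in `tearDown`, and `custom` could be `final` to match the surrounding style.
```java
private BeanUtilsBean previousInstance;

@Override
protected void setUp() throws Exception {
    super.setUp();
    previousInstance = BeanUtilsBean.getInstance();
    final BeanUtilsBean custom = new BeanUtilsBean();
    custom.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    BeanUtilsBean.setInstance(custom);
}

@Override
protected void tearDown() throws Exception {
    // Restore the shared instance so the opted-out bean does not leak into other tests.
    BeanUtilsBean.setInstance(previousInstance);
    super.tearDown();
}
```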
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.beanutils.bugs;
+
+import org.apache.commons.beanutils.AlphaBean;
+import org.apache.commons.beanutils.BeanUtilsBean;
+import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
+
+import junit.framework.TestCase;
+
+/**
+ * Fix CVE: https://nvd.nist.gov/vuln/detail/CVE-2014-0114
+ *
+ * @see https://issues.apache.org/jira/browse/BEANUTILS-520
+ */
+public class Jira520TestCase extends TestCase {
+ /**
+ * By default opt-in to security that does not allow access to "class".
+ */
+ public void testSuppressClassPropertyByDefault() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ final AlphaBean bean = new AlphaBean();
+ try {
+ bub.getProperty(bean, "class");
+ fail("Could access class property!");
+ } catch (final NoSuchMethodException ex) {
+ // ok
+ }
+ }
+
+ /**
+ * Allow opt-out to make your app less secure but allow access to "class". 
+ */
+ public void testAllowAccessToClassProperty() throws Exception {
+ final BeanUtilsBean bub = new BeanUtilsBean();
+ bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ final AlphaBean bean = new AlphaBean();
+ String result = bub.getProperty(bean, "class");
+ assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils.AlphaBean", result);
+ }
+}
\ No newline at end of file
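Review bot: The Javadoc on `testSuppressClassPropertyByDefault` says `By default opt-in to security`, which reads as if the caller must opt in, whereas the test asserts that the suppression is active with no caller action at all; suggest `Suppression of the "class" property is enabled by default; reading it must fail with NoSuchMethodException.` and, on the second test, `Removing SUPPRESS_CLASS is the explicit opt-out that re-exposes the "class" property.`. In `testAllowAccessToClassProperty`, `String result` could be `final String result` to match the other locals in the file. The file also lacks a trailing newline, as the patch footer shows.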