Add org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS

Author: garydgregory

src/changes/changes.xml

@@ -54,6 +54,7 @@
       <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.set(String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.</action>
       <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.set(String, String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.</action>
       <!-- ADD -->
+      <action type="add" dev="ggregory" due-to="Gary Gregory">Add org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS.</action>
       <!-- UPDATE -->
       <action type="update" dev="ggregory" due-to="Gary Gregory, Dependabot">Bump org.apache.commons:commons-parent from 78 to 84 #348.</action>
       <action type="update" dev="ggregory" due-to="Gary Gregory">Bump commons-logging:commons-logging from 1.3.4 to 1.3.5.</action>
@@ -258,6 +259,21 @@
         Do not implement Serializable.
       </action>
     </release>
+    <release version="1.11.0" date="YYYY-MM-DD" description="This is a maintenance release and requires Java 8.">
+      <!-- FIX -->
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">BeanComparator.compare(T, T) now throws IllegalArgumentException instead of RuntimeException to wrap all cases of ReflectiveOperationException.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">MappedMethodReference.get() now throws IllegalStateException instead of RuntimeException to wrap cases of NoSuchMethodException.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.get(String) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.hasNext() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.next() now throws IllegalStateException instead of RuntimeException to wrap cases of SQLException.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.set(String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.</action>
+      <action type="fix" dev="ggregory" due-to="Gary Gregory">ResultSetIterator.set(String, String, Object) now throws IllegalArgumentException instead of RuntimeException to wrap cases of SQLException.</action>
+      <!-- ADD -->
+      <action type="add" dev="ggregory" due-to="Gary Gregory">Add org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS.</action>
+      <!-- UPDATE -->
+      <action dev="ggregory" type="update" due-to="Gary Gregory">Bump org.apache.commons:commons-parent from 81 to 84.</action>
+      <action dev="ggregory" type="update" due-to="Gary Gregory">Bump commons-logging:commons-logging from 1.3.4 to 1.3.5.</action>
+    </release>
     <release version="1.10.1" date="2025-01-31" description="This is a maintenance release and requires Java 8.">
       <!-- FIX -->
       <action type="fix" issue="BEANUTILS-541" dev="ggregory" due-to="Sergey Chernov">FluentPropertyBeanIntrospector concurrency issue (backport to 1.X) #325.</action>

src/main/java/org/apache/commons/beanutils2/PropertyUtilsBean.java

@@ -1201,6 +1201,7 @@ public final void resetBeanIntrospectors() {
         introspectors.clear();
         introspectors.add(DefaultBeanIntrospector.INSTANCE);
         introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
     }
 
     /**

src/main/java/org/apache/commons/beanutils2/SuppressPropertiesBeanIntrospector.java

@@ -35,14 +35,26 @@
  * @since 1.9.2
  */
 public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+
     /**
      * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the property
      * {@code class} (which is common to all Java objects) can be a security risk because it also allows access to the class loader. Adding this instance as
      * {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be accessed.
      */
     public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
 
-    /** A set with the names of the properties to be suppressed. */
+    /**
+     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+     * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+     * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+     * accessed.
+     *
+     * @since 2.0.0-M2
+     */
+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+            Collections.singleton("declaringClass"));
+
+/** A set with the names of the properties to be suppressed. */
     private final Set<String> propertyNames;
 
     /**

src/main/java/org/apache/commons/beanutils2/TestEnum.java

@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.beanutils2;
+
+/**
+ * An {@code enum} test fixture.
+ */
+public enum TestEnum {
+
+    /** Test fixture. */
+    A,
+
+    /** Test fixture. */
+    B,
+
+    /** Test fixture. */
+    C
+}

src/main/java/org/apache/commons/beanutils2/package-info.java

@@ -424,7 +424,7 @@
  *
  * <p>A good use case for suppressing properties is the special {@code class}
  * property which is per default available for all beans; it is generated from the
- * {@code getClass()</code> method inherited from <code>Object} which follows the
+ * {@code getClass()} method inherited from {@code Object} which follows the
  * naming conventions for property get methods. Exposing this property in an
  * uncontrolled way can lead to a security vulnerability as it allows access to
  * the class loader. More information can be found at
@@ -437,6 +437,12 @@
  * {@code SUPPRESS_CLASS} constant of
  * {@code SuppressPropertiesBeanIntrospector}.</p>
  *
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
+ *
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
+ *
  * <a id="dynamic"></a>
  * <h2>3. Dynamic Beans (DynaBeans)</h2>
  *

src/test/java/org/apache/commons/beanutils2/bugs/EnumDeclaringClassTest.java

@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.beanutils2.bugs;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.apache.commons.beanutils2.BeanUtilsBean;
+import org.apache.commons.beanutils2.PropertyUtilsBean;
+import org.apache.commons.beanutils2.SuppressPropertiesBeanIntrospector;
+import org.apache.commons.beanutils2.TestEnum;
+import org.junit.jupiter.api.Test;
+
+public class EnumDeclaringClassTest {
+
+    public static class Fixture {
+
+        String name = "default";
+        TestEnum testEnum = TestEnum.A;
+
+        public String getName() {
+            return name;
+        }
+
+        public TestEnum getTestEnum() {
+            return testEnum;
+        }
+
+        public void setName(final String name) {
+            this.name = name;
+        }
+
+        public void setTestEnum(final TestEnum day) {
+            this.testEnum = day;
+        }
+    }
+
+    /**
+     * Allow opt-out to make your app less secure but allow access to "declaringClass".
+     */
+    @Test
+    public void testAllowAccessToClassPropertyFromBeanUtilsBean() throws ReflectiveOperationException {
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        final PropertyUtilsBean propertyUtilsBean = bub.getPropertyUtils();
+        propertyUtilsBean.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+        final Fixture fixture = new Fixture();
+        final String string = bub.getProperty(fixture, "testEnum.declaringClass");
+        assertEquals(TestEnum.class.getName(), string);
+        final Class<TestEnum> teClass = assertInstanceOf(Class.class, propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass"));
+        final ClassLoader classLoader = teClass.getClassLoader();
+        assertNotNull(classLoader);
+        assertNotNull(bub.getProperty(fixture, "testEnum.declaringClass.classLoader"));
+        assertInstanceOf(ClassLoader.class, propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+
+    /**
+     * Allow opt-out to make your app less secure but allow access to "declaringClass".
+     */
+    @Test
+    public void testAllowAccessToClassPropertyFromPropertyUtilsBean() throws ReflectiveOperationException {
+        final PropertyUtilsBean propertyUtilsBean = new PropertyUtilsBean();
+        propertyUtilsBean.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
+        final Fixture fixture = new Fixture();
+        final Object cls = propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass");
+        final Class<TestEnum> teClass = assertInstanceOf(Class.class, cls);
+        final ClassLoader classLoader = teClass.getClassLoader();
+        assertNotNull(classLoader);
+        assertInstanceOf(ClassLoader.class, propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+
+    /**
+     * By default opt-in to security that does not allow access to "declaringClass".
+     */
+    @Test
+    public void testSuppressClassPropertyByDefaultFromBeanUtilsBean() throws ReflectiveOperationException {
+        final Fixture fixture = new Fixture();
+        final BeanUtilsBean bub = new BeanUtilsBean();
+        assertThrows(NoSuchMethodException.class, () -> bub.getProperty(fixture, "testEnum.declaringClass.classLoader"));
+        assertThrows(NoSuchMethodException.class, () -> bub.getPropertyUtils().getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+
+    /**
+     * By default opt-in to security that does not allow access to "declaringClass".
+     */
+    @Test
+    public void testSuppressClassPropertyByDefaultFromPropertyUtilsBean() throws ReflectiveOperationException {
+        final Fixture fixture = new Fixture();
+        final PropertyUtilsBean propertyUtilsBean = new PropertyUtilsBean();
+        assertThrows(NoSuchMethodException.class, () -> propertyUtilsBean.getNestedProperty(fixture, "testEnum.declaringClass.classLoader"));
+    }
+}