1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    *
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  package org.apache.commons.beanutils.bugs;
18  
19  import org.apache.commons.beanutils.AlphaBean;
20  import org.apache.commons.beanutils.BeanUtilsBean;
21  import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
22  
23  import junit.framework.TestCase;
24  
/**
 * Regression tests for the fix of CVE-2014-0114
 * (https://nvd.nist.gov/vuln/detail/CVE-2014-0114): the {@code class}
 * property of a bean must not be readable through {@link BeanUtilsBean}
 * unless the application explicitly opts out of the protection.
 *
 * <p>Exposing {@code class} lets a property path reach the bean's
 * {@link Class} object, and the CVE describes how that leads on to the
 * class loader. Both tests here use read access through
 * {@code getProperty} only; write paths are not covered by this test case.</p>
 *
 * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-520">https://issues.apache.org/jira/browse/BEANUTILS-520</a>
 */
public class Jira520TestCase extends TestCase {

    /**
     * Secure default: a freshly constructed {@link BeanUtilsBean} must
     * refuse to resolve the {@code class} property and signal this with a
     * {@link NoSuchMethodException}.
     *
     * @throws Exception if the lookup fails in any way other than the
     *         expected {@code NoSuchMethodException}
     */
    public void testSuppressClassPropertyByDefault() throws Exception {
        final BeanUtilsBean beanUtils = new BeanUtilsBean();
        final AlphaBean target = new AlphaBean();

        boolean rejected = false;
        try {
            beanUtils.getProperty(target, "class");
        } catch (final NoSuchMethodException expected) {
            // The property is hidden, which is the behaviour under test.
            rejected = true;
        }

        if (!rejected) {
            // The lookup returned normally, so the suppression is not active.
            fail("Could access class property!");
        }
    }

    /**
     * Explicit opt-out: after
     * {@link SuppressPropertiesBeanIntrospector#SUPPRESS_CLASS} is removed
     * from the instance's property utils, {@code class} resolves again.
     * This weakens the application's security posture and is meant to be a
     * deliberate, visible choice.
     *
     * @throws Exception if the property cannot be read
     */
    public void testAllowAccessToClassProperty() throws Exception {
        final BeanUtilsBean beanUtils = new BeanUtilsBean();
        // The opt-out is applied to this locally created instance.
        beanUtils.getPropertyUtils()
                .removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        // The expected string is the textual form of AlphaBean's Class object.
        final String classValue = beanUtils.getProperty(new AlphaBean(), "class");
        assertEquals(
                "Class property should have been accessed",
                "class org.apache.commons.beanutils.AlphaBean",
                classValue);
    }
}