1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    *
9    *      https://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  package org.apache.commons.beanutils2.bugs;
18  
19  import static org.junit.jupiter.api.Assertions.assertEquals;
20  import static org.junit.jupiter.api.Assertions.assertThrows;
21  
22  import org.apache.commons.beanutils2.AlphaBean;
23  import org.apache.commons.beanutils2.BeanUtilsBean;
24  import org.apache.commons.beanutils2.SuppressPropertiesBeanIntrospector;
25  import org.junit.jupiter.api.Test;
26  
27  /**
28   * Regression tests for the fix of CVE-2014-0114 (suppression of the {@code class} property): https://nvd.nist.gov/vuln/detail/CVE-2014-0114
29   *
30   * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-520">https://issues.apache.org/jira/browse/BEANUTILS-520</a>
31   */
public class Jira520Test {

    /** Fully qualified name that the {@code class} property of an {@link AlphaBean} resolves to. */
    private static final String ALPHA_BEAN_CLASS_NAME = "org.apache.commons.beanutils2.AlphaBean";

    /**
     * Builds a {@link BeanUtilsBean} from which the
     * {@link SuppressPropertiesBeanIntrospector#SUPPRESS_CLASS} introspector has been removed,
     * i.e. an instance that exposes the {@code class} property again.
     *
     * @return a bean-utils instance with the {@code class} suppression switched off
     */
    private static BeanUtilsBean newBeanUtilsExposingClassProperty() {
        final BeanUtilsBean beanUtils = new BeanUtilsBean();
        // Removing the introspector is the documented per-instance opt-out of the CVE-2014-0114 mitigation.
        beanUtils.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return beanUtils;
    }

    /**
     * Opting out of the default suppression makes the {@code class} property readable again.
     * Applications that do this weaken the CVE-2014-0114 mitigation for that instance only; the
     * global default stays unchanged.
     *
     * @throws Exception if property access fails unexpectedly
     */
    @Test
    public void testAllowAccessToClassProperty() throws Exception {
        final BeanUtilsBean beanUtils = newBeanUtilsExposingClassProperty();
        assertEquals(ALPHA_BEAN_CLASS_NAME, beanUtils.getProperty(new AlphaBean(), "class"),
                "Class property should have been accessed");
    }

    /**
     * A freshly constructed {@link BeanUtilsBean} suppresses the {@code class} property, so reading it
     * fails with {@link NoSuchMethodException} instead of returning the class name. This is the secure
     * default introduced by the CVE-2014-0114 fix.
     *
     * @throws Exception if test setup fails unexpectedly
     */
    @Test
    public void testSuppressClassPropertyByDefault() throws Exception {
        final BeanUtilsBean beanUtils = new BeanUtilsBean();
        final AlphaBean alpha = new AlphaBean();
        assertThrows(NoSuchMethodException.class, () -> beanUtils.getProperty(alpha, "class"));
    }
}
55  }