Commons BeanUtils: BEANUTILS-463

Class loader vulnerability in DefaultResolver

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.9.0, 1.9.1
    • Fix Version/s: 1.9.2
    • Component/s: Expression Syntax
    • Labels: None

      Description

      There is no check for the "class" keyword when getting nested properties. Please see here (and translate it) for a more detailed explanation:

      http://qiita.com/kawasima/items/670d2591bc8fea19dc1d

        Activity

        Yoshitaka Kawashima added a comment (edited)

        +1

        I wrote this article.
        http://qiita.com/kawasima/items/670d2591bc8fea19dc1d

        Considering CVE-2014-0114, it'd be great if the "class" keyword weren't regarded as a bean property in DefaultResolver.
        As follows:
        https://gist.github.com/nakamura-to/11347570

        But considering the wide-ranging impact, I think it's okay to build an alternative resolver like the above one into commons-beanutils.

        Oliver Heger added a comment -

        We had some internal discussions about this topic. Because BeanUtils is a very low-level library and may be used widely I am reluctant to build in a change which ignores the class property by default. This may break existing code.

        BeanUtils 1.9 introduced the possibility to customize bean introspection. It should be possible to write a custom bean introspector which ignores the class property. We can implement such an introspector and ship it with BeanUtils. In order to make it active, it has to be registered explicitly at a BeanUtilsBean instance or the central BeanUtils object.

        Do you think this is sufficient?

        Patrick Trainor added a comment -

        Yes I think this would be sufficient. Thanks Oliver and thanks Yoshitaka for making us aware of this vulnerability.

        Yoshitaka Kawashima added a comment -

        Thank you. I think so too.
        I hope that it'll help developers build secure applications.

        Oliver Heger added a comment -

        A specialized BeanIntrospector implementation has been added which allows suppressing properties. There is also a pre-configured instance removing the class property from beans. Some notes have been added to the user's guide.

        Fixed in SVN in revision 1597346.

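The fix described in the comment above is opt-in: the introspector only takes effect once it is registered on a BeanUtilsBean (or on the central instance behind the static BeanUtils/PropertyUtils facade). The following is an added example, not code from this thread or from the BeanUtils project; it assumes Commons BeanUtils 1.9.2 or later on the classpath, where `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` and `PropertyUtilsBean.addBeanIntrospector(...)` exist. It shows a default instance, where the "class" property is reachable by name, beside a hardened instance, where the same lookup fails, and confirms that ordinary properties still work.

```java
// Added example (not code from the BEANUTILS-463 thread or from the BeanUtils project).
// Assumes Commons BeanUtils 1.9.2+ on the classpath.
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyExample {

    /** A plain bean, constructed for this example, of the kind BeanUtils normally introspects. */
    public static class User {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Reports whether the "class" property can be read through the given BeanUtilsBean.
     * With the default introspector it can, because Object.getClass() looks like a
     * read-only bean property; with SUPPRESS_CLASS registered the descriptor is gone.
     */
    static boolean classPropertyReachable(BeanUtilsBean beanUtils, Object bean) {
        try {
            beanUtils.getPropertyUtils().getProperty(bean, "class");
            return true;
        } catch (NoSuchMethodException e) {
            // PropertyUtilsBean throws this when no descriptor exists for the name.
            return false;
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Builds a BeanUtilsBean on which the "class" property is suppressed. */
    static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean beanUtils = new BeanUtilsBean();
        PropertyUtilsBean propertyUtils = beanUtils.getPropertyUtils();
        // Pre-configured instance shipped in 1.9.2 that strips the "class" property.
        propertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per bean class; drop anything introspected before
        // registration so the new introspector is applied on the next lookup.
        propertyUtils.clearDescriptors();
        return beanUtils;
    }

    public static void main(String[] args) throws Exception {
        User user = new User();

        BeanUtilsBean unguarded = new BeanUtilsBean();
        System.out.println("default instance, class reachable: "
                + classPropertyReachable(unguarded, user));

        BeanUtilsBean guarded = hardenedBeanUtils();
        System.out.println("hardened instance, class reachable: "
                + classPropertyReachable(guarded, user));

        // Ordinary properties are unaffected by the suppression.
        guarded.setProperty(user, "name", "bob");
        System.out.println("name after setProperty: " + guarded.getProperty(user, "name"));
    }
}
```

To cover code that goes through the static `BeanUtils`/`PropertyUtils` helpers rather than a private instance, register the introspector on `BeanUtilsBean.getInstance().getPropertyUtils()` early in application startup, before any bean class has been introspected. Other property names can be suppressed the same way by constructing `new SuppressPropertiesBeanIntrospector(Collection<String>)` with the names to drop.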

          People

          • Assignee: Unassigned
          • Reporter: Patrick Trainor
          • Votes: 2
          • Watchers: 7