1 /*
2  * Licensed to the Apache Software Foundation (ASF) under one or more
3  * contributor license agreements.  See the NOTICE file distributed with
4  * this work for additional information regarding copyright ownership.
5  * The ASF licenses this file to You under the Apache License, Version 2.0
6  * (the "License"); you may not use this file except in compliance with
7  * the License.  You may obtain a copy of the License at
8  *
9  *      http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 package org.apache.commons.beanutils.bugs;
18 
19 import org.apache.commons.beanutils.AlphaBean;
20 import org.apache.commons.beanutils.BeanUtilsBean;
21 import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
22 
23 import junit.framework.TestCase;
24 
/**
 * Regression tests for BEANUTILS-520, the fix for
 * <a href="https://nvd.nist.gov/vuln/detail/CVE-2014-0114">CVE-2014-0114</a>.
 *
 * <p>Two behaviours of a freshly constructed {@link BeanUtilsBean} are pinned:
 * the {@code class} property is not readable by default, and removing
 * {@link SuppressPropertiesBeanIntrospector#SUPPRESS_CLASS} makes it readable
 * again.</p>
 *
 * <p>Scope note: only the read path through {@code getProperty} with the simple
 * name {@code "class"} is exercised. Nested names and the write paths
 * ({@code setProperty}, {@code populate}) are not covered by this class.</p>
 *
 * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-520">https://issues.apache.org/jira/browse/BEANUTILS-520</a>
 */
public class Jira520TestCase extends TestCase {

    /** Name of the bean property whose suppression is under test. */
    private static final String CLASS_PROPERTY = "class";

    /**
     * Checks the secure default: with no configuration at all, reading
     * {@code class} must be rejected with {@link NoSuchMethodException}.
     *
     * @throws Exception if the lookup fails in any way other than the expected one
     */
    public void testSuppressClassPropertyByDefault() throws Exception {
        final AlphaBean target = new AlphaBean();
        final BeanUtilsBean beanUtils = new BeanUtilsBean();

        boolean suppressed = false;
        try {
            beanUtils.getProperty(target, CLASS_PROPERTY);
        } catch (final NoSuchMethodException expected) {
            // The property is hidden, which is exactly what the default must do.
            suppressed = true;
        }

        if (!suppressed) {
            fail("Could access class property!");
        }
    }

    /**
     * Checks the explicit opt-out: once {@code SUPPRESS_CLASS} is removed from
     * this instance's property utils, {@code class} is readable again.
     *
     * <p>The opt-out weakens the default protection. Code that takes property
     * names from untrusted input should leave the introspector in place.</p>
     *
     * @throws Exception if the property cannot be read
     */
    public void testAllowAccessToClassProperty() throws Exception {
        final AlphaBean target = new AlphaBean();
        final BeanUtilsBean beanUtils = new BeanUtilsBean();

        // Deliberately drop the protection that is installed by default.
        beanUtils.getPropertyUtils()
                .removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        final String actual = beanUtils.getProperty(target, CLASS_PROPERTY);
        assertEquals(
                "Class property should have been accessed",
                "class org.apache.commons.beanutils.AlphaBean",
                actual);
    }
}