/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.commons.beanutils.bugs;

import org.apache.commons.beanutils.AlphaBean;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

import junit.framework.TestCase;

/**
 * Regression tests for the fix of CVE-2014-0114
 * (https://nvd.nist.gov/vuln/detail/CVE-2014-0114).
 * <p>
 * Every Java bean exposes a read-only {@code class} pseudo-property backed by
 * {@link Object#getClass()}. Because it returns a {@code java.lang.Class}, an
 * attacker who controls property names handed to BeanUtils (for example from
 * request parameters) can use it as the first step of a property path that
 * reaches far beyond the bean itself; the CVE describes the resulting
 * class-loader manipulation. The fix registers
 * {@link SuppressPropertiesBeanIntrospector#SUPPRESS_CLASS} on every new
 * {@link BeanUtilsBean} so that {@code class} is hidden unless an application
 * explicitly removes that introspector.
 *
 * @see <a href="https://issues.apache.org/jira/browse/BEANUTILS-520">https://issues.apache.org/jira/browse/BEANUTILS-520</a>
 */
public class Jira520TestCase extends TestCase {

    /**
     * A freshly constructed {@link BeanUtilsBean} must refuse to read the
     * {@code class} property: the secure behaviour is the default and needs
     * no configuration by the caller. The refusal surfaces as a
     * {@link NoSuchMethodException}, i.e. the property is treated as if it
     * did not exist rather than being reported as an access-control error.
     */
    public void testSuppressClassPropertyByDefault() throws Exception {
        final AlphaBean target = new AlphaBean();
        final BeanUtilsBean beanUtils = new BeanUtilsBean();
        try {
            beanUtils.getProperty(target, "class");
            // Reaching this line means the suppression is not active.
            fail("Could access class property!");
        } catch (final NoSuchMethodException expected) {
            // The hidden property is correctly invisible to introspection.
        }
    }

    /**
     * Applications may deliberately opt out of the protection by removing
     * {@link SuppressPropertiesBeanIntrospector#SUPPRESS_CLASS} from the
     * {@code PropertyUtilsBean}. Doing so re-exposes the original attack
     * surface and should only be done where property names are fully
     * trusted. After opting out, {@code class} resolves to the bean's
     * {@code java.lang.Class}, whose {@code toString()} form is asserted here.
     */
    public void testAllowAccessToClassProperty() throws Exception {
        final BeanUtilsBean beanUtils = new BeanUtilsBean();
        // Explicitly disable the CVE-2014-0114 mitigation for this instance only.
        beanUtils.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

        final AlphaBean target = new AlphaBean();
        final String classValue = beanUtils.getProperty(target, "class");

        assertEquals("Class property should have been accessed",
                "class org.apache.commons.beanutils.AlphaBean", classValue);
    }
}