-
Notifications
You must be signed in to change notification settings - Fork 211
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BEANUTILS-520: Mitigate CVE-2014-0114 by enabling SuppressPropertiesB… #7
Conversation
…eanIntrospector.SUPPRESS_CLASS by default.
Please rebase on master and you should have a green build here, I updated JaCoCo which now gives us a green build on Java 13-EA. |
Thanks @garydgregory looks like all checks passed now! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change looks good to me too, with good and simple tests. 👍
Thank you. Will a release be occurring soon that includes this mitigation? |
@Siebes I hope so. I have been waiting for a 2.0.0 release of BeanUtils for a while. |
Yes, I'm working towards that. Pardon my being remiss over it. I've been fairly busy lately. |
I noticed this fix was merged into version 1.x and is part of the 1.9.4 tag. What's usually the timeline for getting a new version in maven? |
I upgraded my lib to 1.9.4 and added the suggested opt-out to my code. But PropertyUtilsBean.getSimpleProperty() is still throwing a "NoSuchMethodException" when trying to get the property of "class". My code is BeanMap beanMap = new BeanMap(myObject);
PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
for (Object propertyNameObject : beanMap.keySet()) {
String propertyName = (String) propertyNameObject;
try {
myObjPropertyValue = propertyUtils.getProperty(myObject, propertyName);
} catch (IllegalAccessException | InvocationTargetException | NoSuchMethodException e) {
Errors errors = ErrorUtils.createBindException();
errors.reject("Error occured while returing property values and propertyName: %s", propertyName);
throw new ErrorEnabledRuntimeException(errors);
} |
Your code is wrong. Change to.. BeanMap beanMap = new BeanMap(oldObject);
PropertyUtilsBean propertyUtils = new PropertyUtilsBean();
propertyUtils.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
for (Object propertyNameObject : beanMap.keySet()) {
...
} |
Perfect. thanks @melloware |
Just to follow up. If the security violation is because of trying to access the properties of "class" . Why not exclude "class" properties when building "BeanMap"? |
I think the seucrity violation is being able to set the property using property utils. Reading it would be fine. the ability to manipulate it is what is a security issue. |
Fixes CVE-2014-0114: https://nvd.nist.gov/vuln/detail/CVE-2014-0114
This patch by default enables the
SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS
. So you are secure by default.To opt-out and allow access to the "class" property making it work like BeanUtils 1.9.3 or lower simply add this one line of code to remove the feature.
This makes the library more secure by default and but still allows backward compatibility.