File: 0001-Add-org.apache.commons.beanutils.SuppressPropertiesB.patch

From 1c71f3400dceb84f6b88c3cd6070a2094a68d2d3 Mon Sep 17 00:00:00 2001
From: Gary Gregory <garydgregory@gmail.com>
Date: Sun, 25 May 2025 09:07:32 -0400
Subject: Add
 org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS

---
 .../commons/beanutils/PropertyUtilsBean.java  |  1 +
 .../SuppressPropertiesBeanIntrospector.java   | 22 ++++++++++++-------
 .../commons/beanutils/package-info.java       | 18 ++++++++++-----
 3 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
index 3e0941d5..89986f80 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
@@ -1478,6 +1478,7 @@ public class PropertyUtilsBean {
         introspectors.clear();
         introspectors.add(DefaultBeanIntrospector.INSTANCE);
         introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+        introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
     }
 
     /**
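Review bot: The added line changes the default introspector set, so beans whose `declaringClass` property was readable before (every `enum`, via `Enum#getDeclaringClass()`) will silently lose it after this reset, and nothing in the hunk records why; the enclosing method starts above the hunk, and from the diff it looks like its Javadoc is not updated. A short why-comment on the new line would help the next maintainer, e.g. `// declaringClass (Enum#getDeclaringClass()) also reaches the class loader; suppressed by default like "class"`. The method's Javadoc should likewise state that both SUPPRESS_CLASS and SUPPRESS_DECLARING_CLASS are installed by default, presumably with a `@since` note for the release that adds the second one.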
diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
index 17fd21c3..afd58013 100644
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
@@ -36,16 +36,22 @@ import java.util.Set;
  * @since 1.9.2
  */
 public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
+
+    /**
+     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the property
+     * {@code class} (which is common to all Java objects) can be a security risk because it also allows access to the class loader. Adding this instance as
+     * {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be accessed.
+     */
+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS = new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+
     /**
-     * A specialized instance which is configured to suppress the special {@code class}
-     * properties of Java beans. Unintended access to the property {@code class} (which is
-     * common to all Java objects) can be a security risk because it also allows access to
-     * the class loader. Adding this instance as {@code BeanIntrospector} to an instance
-     * of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no
-     * longer be accessed.
+     * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+     * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+     * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+     * accessed.
      */
-    public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
-            new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
+    public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+            Collections.singleton("declaringClass"));
 
     /** A set with the names of the properties to be suppressed. */
     private final Set<String> propertyNames;
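Review bot: The Javadoc added for SUPPRESS_DECLARING_CLASS still describes the `class` property: it opens with "suppress the special {@code class} properties" and closes with "suppresses the {@code class} property", although the constant is built from `Collections.singleton("declaringClass")`. The first and last sentences should name the property actually suppressed, e.g. `A specialized instance which is configured to suppress the {@code declaringClass} property of Java {@code enum} beans.` and `... suppresses the {@code declaringClass} property; it can then no longer be accessed.`. The phrase "Unintended access to the call for {@code declaringClass}" reads oddly; `Unintended access to the {@code declaringClass} property (exposed by every {@code enum} via {@code getDeclaringClass()})` is clearer. A `@since` tag on the new constant would tell callers which release introduced it, and the same mix-up appears in the package-info.java hunk below, which calls the property "declaredClass" rather than declaringClass.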
diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
index 1d0bf13a..d5cd1985 100644
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
@@ -420,20 +420,26 @@
  * then be removed if they have been detected by other <code>BeanIntrospector</code>
  * instances during processing of a bean class.</p>
  *
- * <p>A good use case for suppressing properties is the special <code>class</code>
+ * <p>A good use case for suppressing properties is the special {@code class}
  * property which is per default available for all beans; it is generated from the
- * <code>getClass()</code> method inherited from <code>Object</code> which follows the
+ * {@code getClass()} method inherited from {@code Object} which follows the
  * naming conventions for property get methods. Exposing this property in an
  * uncontrolled way can lead to a security vulnerability as it allows access to
  * the class loader. More information can be found at
  * <a href="https://issues.apache.org/jira/browse/BEANUTILS-463">
  * https://issues.apache.org/jira/browse/BEANUTILS-463</a>.</p>
  *
- * <p>Because the <code>class</code> property is undesired in many use cases
- * there is already an instance of <code>SuppressPropertiesBeanIntrospector</code>
+ * <p>Because the {@code class} property is undesired in many use cases
+ * there is already an instance of {@code SuppressPropertiesBeanIntrospector}
  * which is configured to suppress this property. It can be obtained via the
- * <code>SUPPRESS_CLASS</code> constant of
- * <code>SuppressPropertiesBeanIntrospector</code>.</p>
+ * {@code SUPPRESS_CLASS} constant of
+ * {@code SuppressPropertiesBeanIntrospector}.</p>
+ *
+ * <p>Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.</p>
+ *
+ * <p>Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.</p>
  *
  * <h2>3. Dynamic Beans (DynaBeans)</h2>
  *
-- 
2.30.2