From 863e08bed2a0ce1a6df37c4fd28482cfbc614a99 Mon Sep 17 00:00:00 2001
From: Gary Gregory
Date: Sun, 25 May 2025 09:07:32 -0400
Subject: [PATCH 2/2] Fix CVE-2025-48734

Backported from upstream commit 28ad955a1613ed5885870cc7da52093c1ce739dc
---
 .../apache/commons/beanutils/PropertyUtilsBean.java | 1 +
 .../beanutils/SuppressPropertiesBeanIntrospector.java | 11 +++++++++++
 .../org/apache/commons/beanutils/package-info.java | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
index 36eb7f57..04d99576 100644
--- a/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
+++ b/src/main/java/org/apache/commons/beanutils/PropertyUtilsBean.java
@@ -189,6 +189,7 @@ public class PropertyUtilsBean {
 introspectors.clear();
 introspectors.add(DefaultBeanIntrospector.INSTANCE);
 introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+ introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);
 }
 
 /**
diff --git a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
index bd6b2cdc..cff34969 100644
--- a/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
+++ b/src/main/java/org/apache/commons/beanutils/SuppressPropertiesBeanIntrospector.java
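Review bot: The added `introspectors.add(SuppressPropertiesBeanIntrospector.SUPPRESS_DECLARING_CLASS);` comes with no regression test — the diffstat lists only the three src/main files — so nothing in this commit asserts that resolving `declaringClass` on an enum constant through a default `PropertyUtilsBean` now fails, nor that the suppression is still in place after the reset method this hunk sits in has run. A test that registers nothing extra, calls the reset, and expects the property lookup to be rejected would pin the fix and catch a future reorder of the `clear()`/`add()` sequence. The Javadoc of the enclosing method, which begins outside the hunk, presumably lists the default introspectors and should be updated to name `SUPPRESS_DECLARING_CLASS` alongside `SUPPRESS_CLASS`.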
@@ -48,6 +48,17 @@ public class SuppressPropertiesBeanIntrospector implements BeanIntrospector {
 public static final SuppressPropertiesBeanIntrospector SUPPRESS_CLASS =
 new SuppressPropertiesBeanIntrospector(Collections.singleton("class"));
 
+ /**
+ * A specialized instance which is configured to suppress the special {@code class} properties of Java beans. Unintended access to the call for
+ * {@code declaringClass} (which is common to all Java {@code enum}) can be a security risk because it also allows access to the class loader. Adding this
+ * instance as {@code BeanIntrospector} to an instance of {@code PropertyUtilsBean} suppresses the {@code class} property; it can then no longer be
+ * accessed.
+ *
+ * @since 1.11.0
+ */
+ public static final SuppressPropertiesBeanIntrospector SUPPRESS_DECLARING_CLASS = new SuppressPropertiesBeanIntrospector(
+ Collections.singleton("declaringClass"));
+
 /** A set with the names of the properties to be suppressed. */
 private final Set propertyNames;
 
diff --git a/src/main/java/org/apache/commons/beanutils/package-info.java b/src/main/java/org/apache/commons/beanutils/package-info.java
index 3cb9d34c..ac8d2a1f 100644
--- a/src/main/java/org/apache/commons/beanutils/package-info.java
+++ b/src/main/java/org/apache/commons/beanutils/package-info.java
@@ -444,6 +444,12 @@
 * SUPPRESS_CLASS constant of
 * SuppressPropertiesBeanIntrospector.
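Review bot: The Javadoc on `SUPPRESS_DECLARING_CLASS` is copied from `SUPPRESS_CLASS` and still describes the wrong property: its first sentence says the instance suppresses "the special {@code class} properties of Java beans" and its last says adding it "suppresses the {@code class} property", while the constant is built with `Collections.singleton("declaringClass")`. Only the middle sentence names `declaringClass`, so a reader skimming the summary will conclude the two constants are duplicates. Change the first sentence to `* A specialized instance which is configured to suppress the {@code declaringClass} property exposed by Java {@code enum} constants.` and the closing clause to `* suppresses the {@code declaringClass} property; it can then no longer be accessed.` It is also worth stating in the same comment that suppression is by property name only, so the constant has an effect only through a `PropertyUtilsBean` that actually registers it.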

 *
+ * Another problematic property is the {@code enum} "declaredClass" property,
+ * through which you can also access that class' class loader. The {@code SuppressPropertiesBeanIntrospector}
+ * provides {@code SUPPRESS_DECLARING_CLASS} to workaround this issue.
+ *
+ * Both {@code SUPPRESS_CLASS} and {@code SUPPRESS_DECLARING_CLASS} are enabled by default.
+ *
 *
 * 3. Dynamic Beans (DynaBeans)
 *
-- 
2.49.0
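Review bot: The new package documentation names the property `"declaredClass"`, but the property this commit suppresses — and the one the constant is built from, `Collections.singleton("declaringClass")` — is `declaringClass`; a user who follows this text to configure their own `SuppressPropertiesBeanIntrospector` would suppress a name that does not exist and leave the real property reachable. Change the line to `+ * Another problematic property is the {@code enum} "declaringClass" property,`. In the same paragraph "workaround" is a noun; the verb form is `to work around this issue.`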