Setting JavaBean properties is security sensitive. Doing it with untrusted values has led in the past to the following vulnerability:
JavaBeans can have their properties or nested properties set by population functions. An attacker can leverage this feature to push into the
JavaBean malicious data that can compromise the software integrity. A typical attack will try to manipulate the ClassLoader and finally execute
malicious code.
This rule raises an issue when:
- BeanUtils.populate(…) or BeanUtilsBean.populate(…) from Apache Commons
BeanUtils are called
- BeanUtils.setProperty(…) or BeanUtilsBean.setProperty(…) from Apache Commons
BeanUtils are called
- org.springframework.beans.BeanWrapper.setPropertyValue(…) or org.springframework.beans.BeanWrapper.setPropertyValues(…) from Spring is called
Ask Yourself Whether
- the new property values might have been tampered with or provided by an untrusted source.
- sensitive properties can be modified, for example:
class.classLoader
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Sanitize all values used as JavaBean properties.
Don’t set any sensitive properties. Keep full control over which properties are set. If the property names are provided by an unstrusted source,
filter them with a whitelist.
Sensitive Code Example
Company bean = new Company();
HashMap map = new HashMap();
Enumeration names = request.getParameterNames();
while (names.hasMoreElements()) {
String name = (String) names.nextElement();
map.put(name, request.getParameterValues(name));
}
BeanUtils.populate(bean, map); // Sensitive: "map" is populated with data coming from user input, here "request.getParameterNames()"
See
