(prep for CVE-2022-22970) - Restore ability to configure setClassLoad…

…er methods Closes spring-projectsgh-28269 (cherry picked from commit 9f91168) (cherry picked from commit 69c7eb9)
Datameer-Inc · Nov 1, 2022 · c32c216 · c32c216
1 parent 84ee258
commit c32c216
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 6 deletions.
diff --git a/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java b/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java
@@ -289,13 +289,15 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
 			// This call is slow so we do it once.
 			PropertyDescriptor[] pds = this.beanInfo.getPropertyDescriptors();
 			for (PropertyDescriptor pd : pds) {
-				if (Class.class == beanClass && (!"name".equals(pd.getName()) && !pd.getName().endsWith("Name"))) {
+				if (Class.class == beanClass && !("name".equals(pd.getName()) ||
+						(pd.getName().endsWith("Name") && String.class == pd.getPropertyType()))) {
 					// Only allow all name variants of Class properties
 					continue;
 				}
-				if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
-						|| ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
-					// Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
+				if (pd.getWriteMethod() == null && pd.getPropertyType() != null &&
+						(ClassLoader.class.isAssignableFrom(pd.getPropertyType()) ||
+								ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
+					// Ignore ClassLoader and ProtectionDomain read-only properties - no need to bind to those
 					continue;
 				}
 				if (logger.isTraceEnabled()) {

diff --git a/spring-beans/src/test/java/org/springframework/beans/BeanWrapperTests.java b/spring-beans/src/test/java/org/springframework/beans/BeanWrapperTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,7 +23,10 @@
 import org.junit.Test;
 
 import org.springframework.tests.sample.beans.TestBean;
+import org.springframework.core.OverridingClassLoader;
+import org.springframework.core.io.DefaultResourceLoader;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.*;
 
 /**
@@ -108,7 +111,7 @@ public void checkNotWritablePropertyHoldPossibleMatches() {
 		}
 	}
 
-	@Test // Can't be shared; there is no such thing as a read-only field
+	@Test  // Can't be shared; there is no such thing as a read-only field
 	public void setReadOnlyMapProperty() {
 		TypedReadOnlyMap map = new TypedReadOnlyMap(Collections.singletonMap("key", new TestBean()));
 		TypedReadOnlyMapClient target = new TypedReadOnlyMapClient();
@@ -165,6 +168,34 @@ public void propertyDescriptors() {
 		assertEquals("b", accessor.getPropertyValue("spouse.name"));
 		assertEquals(String.class, accessor.getPropertyDescriptor("name").getPropertyType());
 		assertEquals(String.class, accessor.getPropertyDescriptor("spouse.name").getPropertyType());
+
+		assertThat(target.getName()).isEqualTo("a");
+		assertThat(target.getSpouse().getName()).isEqualTo("b");
+		assertThat(accessor.getPropertyValue("name")).isEqualTo("a");
+		assertThat(accessor.getPropertyValue("spouse.name")).isEqualTo("b");
+		assertThat(accessor.getPropertyDescriptor("name").getPropertyType()).isEqualTo(String.class);
+		assertThat(accessor.getPropertyDescriptor("spouse.name").getPropertyType()).isEqualTo(String.class);
+
+		assertThat(accessor.isReadableProperty("class.package")).isFalse();
+		assertThat(accessor.isReadableProperty("class.module")).isFalse();
+		assertThat(accessor.isReadableProperty("class.classLoader")).isFalse();
+		assertThat(accessor.isReadableProperty("class.name")).isTrue();
+		assertThat(accessor.isReadableProperty("class.simpleName")).isTrue();
+		assertThat(accessor.getPropertyValue("class.name")).isEqualTo(TestBean.class.getName());
+		assertThat(accessor.getPropertyValue("class.simpleName")).isEqualTo(TestBean.class.getSimpleName());
+		assertThat(accessor.getPropertyDescriptor("class.name").getPropertyType()).isEqualTo(String.class);
+		assertThat(accessor.getPropertyDescriptor("class.simpleName").getPropertyType()).isEqualTo(String.class);
+
+		accessor = createAccessor(new DefaultResourceLoader());
+
+		assertThat(accessor.isReadableProperty("class.package")).isFalse();
+		assertThat(accessor.isReadableProperty("class.module")).isFalse();
+		assertThat(accessor.isReadableProperty("class.classLoader")).isFalse();
+		assertThat(accessor.isReadableProperty("classLoader")).isTrue();
+		assertThat(accessor.isWritableProperty("classLoader")).isTrue();
+		OverridingClassLoader ocl = new OverridingClassLoader(getClass().getClassLoader());
+		accessor.setPropertyValue("classLoader", ocl);
+		assertThat(accessor.getPropertyValue("classLoader")).isSameAs(ocl);
 	}
 
 	@Test