Merge pull request spring-projects#2 from cesarhernandezgt/v.4.3.30.RELEASE-TT.x-patch

backport for CVE-2022-22970 and CVE-2022-22971

Author: cesarhernandezgt

spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import java.beans.IntrospectionException;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
+import java.net.URL;
 import java.security.ProtectionDomain;
 import java.util.Collections;
 import java.util.Iterator;
@@ -30,6 +31,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
@@ -93,11 +95,13 @@ public class CachedIntrospectionResults {
 	 */
 	public static final String IGNORE_BEANINFO_PROPERTY_NAME = "spring.beaninfo.ignore";
 
+	private static final PropertyDescriptor[] EMPTY_PROPERTY_DESCRIPTOR_ARRAY = {};
+
 
 	private static final boolean shouldIntrospectorIgnoreBeaninfoClasses =
 			SpringProperties.getFlag(IGNORE_BEANINFO_PROPERTY_NAME);
 
-	/** Stores the BeanInfoFactory instances */
+	/** Stores the BeanInfoFactory instances. */
 	private static final List<BeanInfoFactory> beanInfoFactories = SpringFactoriesLoader.loadFactories(
 			BeanInfoFactory.class, CachedIntrospectionResults.class.getClassLoader());
 
@@ -176,7 +180,6 @@ public static void clearClassLoader(ClassLoader classLoader) {
 	 * @return the corresponding CachedIntrospectionResults
 	 * @throws BeansException in case of introspection failure
 	 */
-	@SuppressWarnings("unchecked")
 	static CachedIntrospectionResults forClass(Class<?> beanClass) throws BeansException {
 		CachedIntrospectionResults results = strongClassCache.get(beanClass);
 		if (results != null) {
@@ -244,14 +247,32 @@ private static boolean isUnderneathClassLoader(ClassLoader candidate, ClassLoade
 		return false;
 	}
 
+	/**
+	 * Retrieve a {@link BeanInfo} descriptor for the given target class.
+	 * @param beanClass the target class to introspect
+	 * @return the resulting {@code BeanInfo} descriptor (never {@code null})
+	 * @throws IntrospectionException from the underlying {@link Introspector}
+	 */
+	private static BeanInfo getBeanInfo(Class<?> beanClass) throws IntrospectionException {
+		for (BeanInfoFactory beanInfoFactory : beanInfoFactories) {
+			BeanInfo beanInfo = beanInfoFactory.getBeanInfo(beanClass);
+			if (beanInfo != null) {
+				return beanInfo;
+			}
+		}
+		return (shouldIntrospectorIgnoreBeaninfoClasses ?
+				Introspector.getBeanInfo(beanClass, Introspector.IGNORE_ALL_BEANINFO) :
+				Introspector.getBeanInfo(beanClass));
+	}
+
 
-	/** The BeanInfo object for the introspected bean class */
+	/** The BeanInfo object for the introspected bean class. */
 	private final BeanInfo beanInfo;
 
-	/** PropertyDescriptor objects keyed by property name String */
-	private final Map<String, PropertyDescriptor> propertyDescriptorCache;
+	/** PropertyDescriptor objects keyed by property name String. */
+	private final Map<String, PropertyDescriptor> propertyDescriptors;
 
-	/** TypeDescriptor objects keyed by PropertyDescriptor */
+	/** TypeDescriptor objects keyed by PropertyDescriptor. */
 	private final ConcurrentMap<PropertyDescriptor, TypeDescriptor> typeDescriptorCache;
 
 
@@ -265,37 +286,27 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
 			if (logger.isTraceEnabled()) {
 				logger.trace("Getting BeanInfo for class [" + beanClass.getName() + "]");
 			}
-
-			BeanInfo beanInfo = null;
-			for (BeanInfoFactory beanInfoFactory : beanInfoFactories) {
-				beanInfo = beanInfoFactory.getBeanInfo(beanClass);
-				if (beanInfo != null) {
-					break;
-				}
-			}
-			if (beanInfo == null) {
-				// If none of the factories supported the class, fall back to the default
-				beanInfo = (shouldIntrospectorIgnoreBeaninfoClasses ?
-						Introspector.getBeanInfo(beanClass, Introspector.IGNORE_ALL_BEANINFO) :
-						Introspector.getBeanInfo(beanClass));
-			}
-			this.beanInfo = beanInfo;
+			this.beanInfo = getBeanInfo(beanClass);
 
 			if (logger.isTraceEnabled()) {
 				logger.trace("Caching PropertyDescriptors for class [" + beanClass.getName() + "]");
 			}
-			this.propertyDescriptorCache = new LinkedHashMap<String, PropertyDescriptor>();
+			this.propertyDescriptors = new LinkedHashMap<String, PropertyDescriptor>();
 
 			// This call is slow so we do it once.
 			PropertyDescriptor[] pds = this.beanInfo.getPropertyDescriptors();
 			for (PropertyDescriptor pd : pds) {
-				if (Class.class == beanClass && (!"name".equals(pd.getName()) && !pd.getName().endsWith("Name"))) {
+				if (Class.class == beanClass && !("name".equals(pd.getName()) ||
+						(pd.getName().endsWith("Name") && String.class == pd.getPropertyType()))) {
 					// Only allow all name variants of Class properties
 					continue;
 				}
-				if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
-						|| ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
-					// Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
+				if (URL.class == beanClass && "content".equals(pd.getName())) {
+					// Only allow URL attribute introspection, not content resolution
+					continue;
+				}
+				if (pd.getWriteMethod() == null && isInvalidReadOnlyPropertyType(pd.getPropertyType())) {
+					// Ignore read-only properties such as ClassLoader - no need to bind to those
 					continue;
 				}
 				if (logger.isTraceEnabled()) {
@@ -305,30 +316,15 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
 									"; editor [" + pd.getPropertyEditorClass().getName() + "]" : ""));
 				}
 				pd = buildGenericTypeAwarePropertyDescriptor(beanClass, pd);
-				this.propertyDescriptorCache.put(pd.getName(), pd);
+				this.propertyDescriptors.put(pd.getName(), pd);
 			}
 
 			// Explicitly check implemented interfaces for setter/getter methods as well,
 			// in particular for Java 8 default methods...
-			Class<?> clazz = beanClass;
-			while (clazz != null) {
-				Class<?>[] ifcs = clazz.getInterfaces();
-				for (Class<?> ifc : ifcs) {
-					BeanInfo ifcInfo = Introspector.getBeanInfo(ifc, Introspector.IGNORE_ALL_BEANINFO);
-					PropertyDescriptor[] ifcPds = ifcInfo.getPropertyDescriptors();
-					for (PropertyDescriptor pd : ifcPds) {
-						if (!this.propertyDescriptorCache.containsKey(pd.getName())) {
-							pd = buildGenericTypeAwarePropertyDescriptor(beanClass, pd);
-						    if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
-								    || ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
-							    // Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
-							    continue;
-						    }
-							this.propertyDescriptorCache.put(pd.getName(), pd);
-						}
-					}
-				}
-				clazz = clazz.getSuperclass();
+			Class<?> currClass = beanClass;
+			while (currClass != null && currClass != Object.class) {
+				introspectInterfaces(beanClass, currClass);
+				currClass = currClass.getSuperclass();
 			}
 
 			this.typeDescriptorCache = new ConcurrentReferenceHashMap<PropertyDescriptor, TypeDescriptor>();
@@ -338,6 +334,35 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
 		}
 	}
 
+	private void introspectInterfaces(Class<?> beanClass, Class<?> currClass) throws IntrospectionException {
+		for (Class<?> ifc : currClass.getInterfaces()) {
+			if (!ClassUtils.isJavaLanguageInterface(ifc)) {
+				for (PropertyDescriptor pd : getBeanInfo(ifc).getPropertyDescriptors()) {
+					PropertyDescriptor existingPd = this.propertyDescriptors.get(pd.getName());
+					if (existingPd == null ||
+							(existingPd.getReadMethod() == null && pd.getReadMethod() != null)) {
+						// GenericTypeAwarePropertyDescriptor leniently resolves a set* write method
+						// against a declared read method, so we prefer read method descriptors here.
+						pd = buildGenericTypeAwarePropertyDescriptor(beanClass, pd);
+						if (pd.getWriteMethod() == null && isInvalidReadOnlyPropertyType(pd.getPropertyType())) {
+							// Ignore read-only properties such as ClassLoader - no need to bind to those
+							continue;
+						}
+						this.propertyDescriptors.put(pd.getName(), pd);
+					}
+				}
+				introspectInterfaces(ifc, ifc);
+			}
+		}
+	}
+
+	private boolean isInvalidReadOnlyPropertyType(Class<?> returnType) {
+		return (returnType != null && (AutoCloseable.class.isAssignableFrom(returnType) ||
+				ClassLoader.class.isAssignableFrom(returnType) ||
+				ProtectionDomain.class.isAssignableFrom(returnType)));
+	}
+
+
 	BeanInfo getBeanInfo() {
 		return this.beanInfo;
 	}
@@ -346,28 +371,22 @@ Class<?> getBeanClass() {
 		return this.beanInfo.getBeanDescriptor().getBeanClass();
 	}
 
+
 	PropertyDescriptor getPropertyDescriptor(String name) {
-		PropertyDescriptor pd = this.propertyDescriptorCache.get(name);
+		PropertyDescriptor pd = this.propertyDescriptors.get(name);
 		if (pd == null && StringUtils.hasLength(name)) {
 			// Same lenient fallback checking as in Property...
-			pd = this.propertyDescriptorCache.get(StringUtils.uncapitalize(name));
+			pd = this.propertyDescriptors.get(StringUtils.uncapitalize(name));
 			if (pd == null) {
-				pd = this.propertyDescriptorCache.get(StringUtils.capitalize(name));
+				pd = this.propertyDescriptors.get(StringUtils.capitalize(name));
 			}
 		}
 		return (pd == null || pd instanceof GenericTypeAwarePropertyDescriptor ? pd :
 				buildGenericTypeAwarePropertyDescriptor(getBeanClass(), pd));
 	}
 
 	PropertyDescriptor[] getPropertyDescriptors() {
-		PropertyDescriptor[] pds = new PropertyDescriptor[this.propertyDescriptorCache.size()];
-		int i = 0;
-		for (PropertyDescriptor pd : this.propertyDescriptorCache.values()) {
-			pds[i] = (pd instanceof GenericTypeAwarePropertyDescriptor ? pd :
-					buildGenericTypeAwarePropertyDescriptor(getBeanClass(), pd));
-			i++;
-		}
-		return pds;
+		return this.propertyDescriptors.values().toArray(EMPTY_PROPERTY_DESCRIPTOR_ARRAY);
 	}
 
 	private PropertyDescriptor buildGenericTypeAwarePropertyDescriptor(Class<?> beanClass, PropertyDescriptor pd) {
@@ -385,6 +404,7 @@ TypeDescriptor addTypeDescriptor(PropertyDescriptor pd, TypeDescriptor td) {
 		return (existing != null ? existing : td);
 	}
 
+
 	TypeDescriptor getTypeDescriptor(PropertyDescriptor pd) {
 		return this.typeDescriptorCache.get(pd);
 	}

spring-beans/src/test/java/org/springframework/beans/BeanWrapperTests.java

@@ -16,15 +16,20 @@
 
 package org.springframework.beans;
 
+import java.net.MalformedURLException;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
 
 import org.junit.Test;
 
+import org.springframework.core.OverridingClassLoader;
+import org.springframework.core.io.DefaultResourceLoader;
+import org.springframework.core.io.UrlResource;
 import org.springframework.tests.sample.beans.TestBean;
 
 import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
 
 /**
  * Specific {@link BeanWrapperImpl} tests.
@@ -153,7 +158,7 @@ public void setPropertyTypeMismatch() {
 	}
 
 	@Test
-	public void propertyDescriptors() {
+	public void propertyDescriptors() throws MalformedURLException {
 		TestBean target = new TestBean();
 		target.setSpouse(new TestBean());
 		BeanWrapper accessor = createAccessor(target);
@@ -165,6 +170,46 @@ public void propertyDescriptors() {
 		assertEquals("b", accessor.getPropertyValue("spouse.name"));
 		assertEquals(String.class, accessor.getPropertyDescriptor("name").getPropertyType());
 		assertEquals(String.class, accessor.getPropertyDescriptor("spouse.name").getPropertyType());
+
+		assertFalse(accessor.isReadableProperty("class.package"));
+		assertFalse(accessor.isReadableProperty("class.module"));
+		assertFalse(accessor.isReadableProperty("class.classLoader"));
+		assertTrue(accessor.isReadableProperty("class.name"));
+		assertTrue(accessor.isReadableProperty("class.simpleName"));
+		assertEquals(TestBean.class.getName(), accessor.getPropertyValue("class.name"));
+		assertEquals(TestBean.class.getSimpleName(), accessor.getPropertyValue("class.simpleName"));
+		assertEquals(String.class, accessor.getPropertyDescriptor("class.name").getPropertyType());
+		assertEquals(String.class, accessor.getPropertyDescriptor("class.simpleName").getPropertyType());
+
+		accessor = createAccessor(new DefaultResourceLoader());
+
+		assertFalse(accessor.isReadableProperty("class.package"));
+		assertFalse(accessor.isReadableProperty("class.module"));
+		assertFalse(accessor.isReadableProperty("class.classLoader"));
+		assertTrue(accessor.isReadableProperty("class.name"));
+		assertTrue(accessor.isReadableProperty("class.simpleName"));
+		assertTrue(accessor.isReadableProperty("classLoader"));
+		assertTrue(accessor.isWritableProperty("classLoader"));
+		OverridingClassLoader ocl = new OverridingClassLoader(getClass().getClassLoader());
+		accessor.setPropertyValue("classLoader", ocl);
+
+		assertEquals(ocl,accessor.getPropertyValue("classLoader"));
+
+		accessor = createAccessor(new UrlResource("https://spring.io"));
+
+		assertFalse(accessor.isReadableProperty("class.package"));
+		assertFalse(accessor.isReadableProperty("class.module"));
+		assertFalse(accessor.isReadableProperty("class.classLoader"));
+		assertTrue(accessor.isReadableProperty("class.name"));
+		assertTrue(accessor.isReadableProperty("class.simpleName"));
+		assertTrue(accessor.isReadableProperty("URL.protocol"));
+		assertTrue(accessor.isReadableProperty("URL.host"));
+		assertTrue(accessor.isReadableProperty("URL.port"));
+		assertTrue(accessor.isReadableProperty("URL.file"));
+		assertFalse(accessor.isReadableProperty("URL.content"));
+		assertFalse(accessor.isReadableProperty("inputStream"));
+		assertTrue(accessor.isReadableProperty("filename"));
+		assertTrue(accessor.isReadableProperty("description"));
 	}
 
 	@Test

spring-core/src/main/java/org/springframework/util/ClassUtils.java

@@ -17,6 +17,9 @@
 package org.springframework.util;
 
 import java.beans.Introspector;
+import java.io.Closeable;
+import java.io.Externalizable;
+import java.io.Serializable;
 import java.lang.reflect.Array;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
@@ -96,6 +99,11 @@ public abstract class ClassUtils {
 	 */
 	private static final Map<String, Class<?>> commonClassCache = new HashMap<String, Class<?>>(32);
 
+	/**
+	 * Common Java language interfaces which are supposed to be ignored
+	 * when searching for 'primary' user-level interfaces.
+	 */
+	private static final Set<Class<?>> javaLanguageInterfaces;
 
 	static {
 		primitiveWrapperTypeMap.put(Boolean.class, boolean.class);
@@ -129,6 +137,10 @@ public abstract class ClassUtils {
 		registerCommonClasses(Throwable.class, Exception.class, RuntimeException.class,
 				Error.class, StackTraceElement.class, StackTraceElement[].class);
 		registerCommonClasses(Enum.class, Iterable.class, Cloneable.class, Comparable.class);
+		Class<?>[] javaLanguageInterfaceArray = {Serializable.class, Externalizable.class,
+				Closeable.class, AutoCloseable.class, Cloneable.class, Comparable.class};
+		registerCommonClasses(javaLanguageInterfaceArray);
+		javaLanguageInterfaces = new HashSet<Class<?>>(Arrays.asList(javaLanguageInterfaceArray));
 	}
 
 
@@ -746,6 +758,19 @@ public static Class<?> determineCommonAncestor(Class<?> clazz1, Class<?> clazz2)
 		return ancestor;
 	}
 
+	/**
+	 * Determine whether the given interface is a common Java language interface:
+	 * {@link Serializable}, {@link Externalizable}, {@link Closeable}, {@link AutoCloseable},
+	 * {@link Cloneable}, {@link Comparable} - all of which can be ignored when looking
+	 * for 'primary' user-level interfaces. Common characteristics: no service-level
+	 * operations, no bean property methods, no default methods.
+	 * @param ifc the interface to check
+	 * @since 5.0.3
+	 */
+	public static boolean isJavaLanguageInterface(Class<?> ifc) {
+		return javaLanguageInterfaces.contains(ifc);
+	}
+
 	/**
 	 * Check whether the given object is a CGLIB proxy.
 	 * @param object the object to check