CVE-2022-22970 - Refine CachedIntrospectionResults property introspection

jhoeller · kkolman · commit 02ea4772f8b7 · 2022-11-01T12:23:12.000+01:00
Closes spring-projectsgh-28445 (cherry picked from commit 50177b1)
diff --git a/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java b/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java
@@ -20,6 +20,7 @@
 import java.beans.IntrospectionException;
 import java.beans.Introspector;
 import java.beans.PropertyDescriptor;
+import java.net.URL;
 import java.security.ProtectionDomain;
 import java.util.Collections;
 import java.util.Iterator;
@@ -294,10 +295,12 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
 					// Only allow all name variants of Class properties
 					continue;
 				}
-				if (pd.getWriteMethod() == null && pd.getPropertyType() != null &&
-						(ClassLoader.class.isAssignableFrom(pd.getPropertyType()) ||
-								ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
-					// Ignore ClassLoader and ProtectionDomain read-only properties - no need to bind to those
+				if (URL.class == beanClass && "content".equals(pd.getName())) {
+					// Only allow URL attribute introspection, not content resolution
+					continue;
+				}
+				if (pd.getWriteMethod() == null && isInvalidReadOnlyPropertyType(pd.getPropertyType())) {
+					// Ignore read-only properties such as ClassLoader - no need to bind to those
 					continue;
 				}
 				if (logger.isTraceEnabled()) {
@@ -335,6 +338,12 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
 		}
 	}
 
+	private boolean isInvalidReadOnlyPropertyType(Class<?> returnType) {
+		return (returnType != null && (AutoCloseable.class.isAssignableFrom(returnType) ||
+				ClassLoader.class.isAssignableFrom(returnType) ||
+				ProtectionDomain.class.isAssignableFrom(returnType)));
+	}
+
 	BeanInfo getBeanInfo() {
 		return this.beanInfo;
 	}
diff --git a/spring-beans/src/test/java/org/springframework/beans/BeanWrapperTests.java b/spring-beans/src/test/java/org/springframework/beans/BeanWrapperTests.java
@@ -25,6 +25,7 @@
 import org.springframework.tests.sample.beans.TestBean;
 import org.springframework.core.OverridingClassLoader;
 import org.springframework.core.io.DefaultResourceLoader;
+import org.springframework.core.io.UrlResource;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.*;
@@ -156,7 +157,7 @@ public void setPropertyTypeMismatch() {
 	}
 
 	@Test
-	public void propertyDescriptors() {
+	public void propertyDescriptors() throws Exception {
 		TestBean target = new TestBean();
 		target.setSpouse(new TestBean());
 		BeanWrapper accessor = createAccessor(target);
@@ -191,11 +192,29 @@ public void propertyDescriptors() {
 		assertThat(accessor.isReadableProperty("class.package")).isFalse();
 		assertThat(accessor.isReadableProperty("class.module")).isFalse();
 		assertThat(accessor.isReadableProperty("class.classLoader")).isFalse();
+		assertThat(accessor.isReadableProperty("class.name")).isTrue();
+		assertThat(accessor.isReadableProperty("class.simpleName")).isTrue();
 		assertThat(accessor.isReadableProperty("classLoader")).isTrue();
 		assertThat(accessor.isWritableProperty("classLoader")).isTrue();
 		OverridingClassLoader ocl = new OverridingClassLoader(getClass().getClassLoader());
 		accessor.setPropertyValue("classLoader", ocl);
 		assertThat(accessor.getPropertyValue("classLoader")).isSameAs(ocl);
+
+		accessor = createAccessor(new UrlResource("https://spring.io"));
+
+		assertThat(accessor.isReadableProperty("class.package")).isFalse();
+		assertThat(accessor.isReadableProperty("class.module")).isFalse();
+		assertThat(accessor.isReadableProperty("class.classLoader")).isFalse();
+		assertThat(accessor.isReadableProperty("class.name")).isTrue();
+		assertThat(accessor.isReadableProperty("class.simpleName")).isTrue();
+		assertThat(accessor.isReadableProperty("URL.protocol")).isTrue();
+		assertThat(accessor.isReadableProperty("URL.host")).isTrue();
+		assertThat(accessor.isReadableProperty("URL.port")).isTrue();
+		assertThat(accessor.isReadableProperty("URL.file")).isTrue();
+		assertThat(accessor.isReadableProperty("URL.content")).isFalse();
+		assertThat(accessor.isReadableProperty("inputStream")).isFalse();
+		assertThat(accessor.isReadableProperty("filename")).isTrue();
+		assertThat(accessor.isReadableProperty("description")).isTrue();
 	}
 
 	@Test
