ykare/1. SafeBeanUtils.java Secret

## 1. SafeBeanUtils.java
package example;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.GenericServlet;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * commons-beanutils 1.7以降が必要。それ以前のバージョンを使っている場合は、置き換えること
 * Struts1.X バージョンごとの同梱しているcommons-beanutilsバージョン
 *  Struts1.3.10: 1.8.0
 *  Struts1.2.9 : 1.6
 *  Struts1.1   : 1.6
 *  Struts1.0.2 : 無し。 org.apache.struts.util.BeanUtils.java にパッチをあてる
 *
 * Servlet2.3以降: <listener> に example.SafeBeanUtils$InitializeListener を登録
 * Servlet2.2以前: <servlet> に example.SafeBeanUtils$InitializeServlet を登録
 *
 * ※正規表現が使えるのはJDK1.4以降、それ以前のJDKだと正規表現をOROなどで書き換える必要がある
 */
public class SafeBeanUtils extends BeanUtilsBean {
	private static final Log LOG = LogFactory.getLog(BeanUtilsBean.class);
	private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
			"(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
			Pattern.CASE_INSENSITIVE);

	@SuppressWarnings("rawtypes")
	@Override
	public void populate(Object bean, Map properties)
			throws IllegalAccessException, InvocationTargetException {
		for (Object obj : properties.keySet()) {
			if (obj instanceof String) {
				String key = (String) obj;
				if (CLASS_ACCESS_PATTERN.matcher(key).matches()) {
					LOG.fatal("Attack detected: " + key);
					throw new IllegalArgumentException("Attack detected: "
							+ key);
				}
			}
		}
		super.populate(bean, properties);
	}

	/**
	 * for Servlet2.3 API以降 <listener>
	 * <listener-class>example.SafeBeanUtils$InitializeListener</listener-class>
	 * </listener>
	 */
	public static class InitializeListener implements ServletContextListener {

		@Override
		public void contextInitialized(ServletContextEvent event) {
			BeanUtilsBean.setInstance(new SafeBeanUtils());
		}

		@Override
		public void contextDestroyed(ServletContextEvent event) {
		}

	}

	/**
	 * for Servlet2.2 API以前 <servlet>
	 * <servlet-name>InitializeServlet</servlet-name>
	 * <servlet-class>example.SafeBeanUtils$InitializeServlet</servlet-class>
	 * <load-on-startup>1</load-on-startup> </servlet>
	 */
	public static class InitializeServlet extends GenericServlet {

		private static final long serialVersionUID = -198262514592399731L;

		@Override
		public void init() throws ServletException {
			BeanUtilsBean.setInstance(new SafeBeanUtils());
		}

		@Override
		public void init(ServletConfig config) throws ServletException {
			BeanUtilsBean.setInstance(new SafeBeanUtils());
		}

		@Override
		public void service(ServletRequest request, ServletResponse response)
				throws ServletException, IOException {
			throw new UnsupportedOperationException(
					"this Servlet initialize use only");
		}

	}
}

## 2. BeanUtils.patch(Struts1.0.2用)
$ diff -u jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java src/org/apache/struts/util/BeanUtils.java
--- jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java    2002-02-09 23:38:56.000000000 +0900
+++ src/org/apache/struts/util/BeanUtils.java   2014-04-28 23:34:31.430035300 +0900
@@ -77,6 +77,7 @@
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.regex.Pattern;


 /**
@@ -92,6 +93,9 @@
  */

 public class BeanUtils {
+       private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
+                       "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
+                       Pattern.CASE_INSENSITIVE);


     // ------------------------------------------------------ Private Variables
@@ -411,6 +415,12 @@
             String name = (String) names.next();
             if (name == null)
                 continue;
+
+            if (CLASS_ACCESS_PATTERN.matcher(name).matches()) {
+                               throw new IllegalArgumentException("Attack detected: "
+                                               + name);
+                       }
+
             Object value = properties.get(name);       // String or String[]

             /*
	package example;

	import java.io.IOException;
	import java.lang.reflect.InvocationTargetException;
	import java.util.Map;
	import java.util.regex.Pattern;

	import javax.servlet.GenericServlet;
	import javax.servlet.ServletConfig;
	import javax.servlet.ServletContextEvent;
	import javax.servlet.ServletContextListener;
	import javax.servlet.ServletException;
	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;

	import org.apache.commons.beanutils.BeanUtilsBean;
	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;

	/**
	* commons-beanutils 1.7以降が必要。それ以前のバージョンを使っている場合は、置き換えること
	* Struts1.X バージョンごとの同梱しているcommons-beanutilsバージョン
	* Struts1.3.10: 1.8.0
	* Struts1.2.9 : 1.6
	* Struts1.1 : 1.6
	* Struts1.0.2 : 無し。 org.apache.struts.util.BeanUtils.java にパッチをあてる
	*
	* Servlet2.3以降: <listener> に example.SafeBeanUtils$InitializeListener を登録
	* Servlet2.2以前: <servlet> に example.SafeBeanUtils$InitializeServlet を登録
	*
	* ※正規表現が使えるのはJDK1.4以降、それ以前のJDKだと正規表現をOROなどで書き換える必要がある
	*/
	public class SafeBeanUtils extends BeanUtilsBean {
	private static final Log LOG = LogFactory.getLog(BeanUtilsBean.class);
	private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
	"(.\\.\|^\|.\|\\[('\|\"))class(\\.\|('\|\")]\|\\[).*",
	Pattern.CASE_INSENSITIVE);

	@SuppressWarnings("rawtypes")
	@Override
	public void populate(Object bean, Map properties)
	throws IllegalAccessException, InvocationTargetException {
	for (Object obj : properties.keySet()) {
	if (obj instanceof String) {
	String key = (String) obj;
	if (CLASS_ACCESS_PATTERN.matcher(key).matches()) {
	LOG.fatal("Attack detected: " + key);
	throw new IllegalArgumentException("Attack detected: "
	+ key);
	}
	}
	}
	super.populate(bean, properties);
	}

	/**
	* for Servlet2.3 API以降 <listener>
	* <listener-class>example.SafeBeanUtils$InitializeListener</listener-class>
	* </listener>
	*/
	public static class InitializeListener implements ServletContextListener {

	@Override
	public void contextInitialized(ServletContextEvent event) {
	BeanUtilsBean.setInstance(new SafeBeanUtils());
	}

	@Override
	public void contextDestroyed(ServletContextEvent event) {
	}

	}

	/**
	* for Servlet2.2 API以前 <servlet>
	* <servlet-name>InitializeServlet</servlet-name>
	* <servlet-class>example.SafeBeanUtils$InitializeServlet</servlet-class>
	* <load-on-startup>1</load-on-startup> </servlet>
	*/
	public static class InitializeServlet extends GenericServlet {

	private static final long serialVersionUID = -198262514592399731L;

	@Override
	public void init() throws ServletException {
	BeanUtilsBean.setInstance(new SafeBeanUtils());
	}

	@Override
	public void init(ServletConfig config) throws ServletException {
	BeanUtilsBean.setInstance(new SafeBeanUtils());
	}

	@Override
	public void service(ServletRequest request, ServletResponse response)
	throws ServletException, IOException {
	throw new UnsupportedOperationException(
	"this Servlet initialize use only");
	}

	}
	}
	$ diff -u jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java src/org/apache/struts/util/BeanUtils.java
	--- jakarta-struts-1.0.2-src/src/share/org/apache/struts/util/BeanUtils.java 2002-02-09 23:38:56.000000000 +0900
	+++ src/org/apache/struts/util/BeanUtils.java 2014-04-28 23:34:31.430035300 +0900
	@@ -77,6 +77,7 @@
	import java.util.HashMap;
	import java.util.Iterator;
	import java.util.Map;
	+import java.util.regex.Pattern;


	/**
	@@ -92,6 +93,9 @@
	*/

	public class BeanUtils {
	+ private static final Pattern CLASS_ACCESS_PATTERN = Pattern.compile(
	+ "(.\\.\|^\|.\|\\[('\|\"))class(\\.\|('\|\")]\|\\[).*",
	+ Pattern.CASE_INSENSITIVE);


	// ------------------------------------------------------ Private Variables
	@@ -411,6 +415,12 @@
	String name = (String) names.next();
	if (name == null)
	continue;
	+
	+ if (CLASS_ACCESS_PATTERN.matcher(name).matches()) {
	+ throw new IllegalArgumentException("Attack detected: "
	+ + name);
	+ }
	+
	Object value = properties.get(name); // String or String[]

	/*