# Bean Property Injection

## Description
An attacker can set arbitrary bean properties that can compromise system integrity. An attacker can leverage this functionality to access special bean properties like class.classLoader that will allow them to override system properties and potentially execute arbitrary code.
## Examples

### Insecure Code

```scala
import java.util.HashMap
import javax.servlet.http.HttpServletRequest
import org.apache.commons.beanutils.BeanUtils
import scala.jdk.CollectionConverters._

def example(bean: AnyRef, req: HttpServletRequest): Unit = {
  val map = new HashMap[String, String]
  // Every request parameter name becomes a bean property name, so the caller chooses which properties get set.
  req.getParameterMap.asScala.foreach { case (name, vals) => map.put(name, vals.headOption.orNull) }
  BeanUtils.populate(bean, map)
}
```

### Secure Code

```scala
import java.util.HashMap
import javax.servlet.http.HttpServletRequest
import org.apache.commons.beanutils.BeanUtils

def example(bean: AnyRef, req: HttpServletRequest): Unit = {
  val map = new HashMap[String, String]
  // Only these fixed property names are ever passed to populate; any other parameter is ignored.
  val expectedProperties = List("expectedProperty1", "expectedProperty2")
  expectedProperties.foreach { property =>
    Option(req.getParameter(property)).foreach(map.put(property, _))
  }
  BeanUtils.populate(bean, map)
}
```

## Remediation
Validate and sanitize user input before using it to set bean properties. Use a whitelist approach to only allow specific, expected properties to be set.
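The following is an added example, not one of the rule's own samples: a reusable allow-list populator that drops any parameter whose name is not expected or uses BeanUtils' nested/indexed/mapped syntax, and additionally hides the `class` property from introspection. `UserForm`, `SafeBeanPopulator`, the allowed names and the demo parameters are constructed for this illustration.

```scala
import java.util.{HashMap => JHashMap}
import javax.servlet.http.HttpServletRequest
import org.apache.commons.beanutils.{BeanUtils, BeanUtilsBean, SuppressPropertiesBeanIntrospector}
import scala.beans.BeanProperty
import scala.jdk.CollectionConverters._

// Target bean, constructed for this example: only name and email are meant to be settable.
class UserForm {
  @BeanProperty var name: String = _
  @BeanProperty var email: String = _
}

object SafeBeanPopulator {
  // Allow-list of settable property names (hypothetical, chosen for the example).
  private val Allowed = Set("name", "email")

  // Simple names only. BeanUtils also resolves nested ("a.b"), indexed ("a[0]") and mapped ("a(k)")
  // expressions, which is how a parameter named class.classLoader reaches the ClassLoader.
  private val SimpleName = java.util.regex.Pattern.compile("^[a-zA-Z][a-zA-Z0-9]*$")

  // Defence in depth: hide the "class" property from introspection altogether. Assumes a commons-beanutils
  // release that ships SuppressPropertiesBeanIntrospector; it is not on by default everywhere, so register it.
  BeanUtilsBean.getInstance().getPropertyUtils()
    .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS)

  /** Copies only allow-listed parameters onto the bean and returns the names that were
    * dropped, so unexpected property names can be logged or alerted on. */
  def populate(bean: AnyRef, params: Map[String, String]): Seq[String] = {
    val (accepted, rejected) = params.partition { case (k, _) =>
      Allowed.contains(k) && SimpleName.matcher(k).matches()
    }
    val map = new JHashMap[String, String]
    accepted.foreach { case (k, v) => map.put(k, v) }
    BeanUtils.populate(bean, map)
    rejected.keys.toSeq.sorted
  }

  // Servlet adapter: first value of each parameter, then the same filtering as above.
  def populateFromRequest(bean: AnyRef, req: HttpServletRequest): Seq[String] =
    populate(bean, req.getParameterMap.asScala.toMap.collect {
      case (k, vs) if vs != null && vs.nonEmpty => k -> vs(0)
    })
}

// Constructed input: two legitimate fields plus the property path named in the description.
object Demo extends App {
  val form = new UserForm
  val dropped = SafeBeanPopulator.populate(form,
    Map("name" -> "alice", "email" -> "alice@example.com", "class.classLoader" -> "ignored"))
  println(s"name=${form.name} email=${form.email} dropped=${dropped.mkString(",")}")
}
```

The returned list of dropped names is the signal worth logging: a request that carries property paths outside the allow-list is a probe, not a normal form submission.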
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0040 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-15 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | beanutils, injection |
| OWASP | N/A |