DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Java

Java

Made by DeepSource
Use Analyzer

Audit: Setting bean properties with unsanitized input may be a security risk JAVA-A1027

Security
Critical
 a03 a08 cwe-20 cwe-915 sans top 25 owasp top 10

Be careful when setting bean properties using external data.

Java beans are classes that implement getters and setters for their fields in conformance with the JavaBeans specification. Libraries such as Apache's Commons BeanUtils use reflection to access fields and set or retrieve their values.

Managing data through beans is versatile, but can also reduce security. For example, a particular version of Apache's BeanUtils used within the Struts web framework was susceptible to certain class loader related attacks. This attack consisted of accessing the class property of a bean, through which the ClassLoader for that bean could be accessed. Obtaining a reference to a ClassLoader can allow loading an attacker-defined class into the application, achieving arbitrary code execution.

This issue is raised if methods such as BeanUtils.populate() or Spring's BeanWrapper.setPropertyValue() are called with possibly unsanitized input.

Bad Practice

class UserDataBean { /*...*/  }

@Override
void method() {

    HashMap map = new HashMap();
    Map<String, String[]> params = request.getParameterMap();
    UserDataBean bean = new UserDataBean();


    BeanUtils.populate(bean, params); // Insecure.
}

Recommended

Sanitize any data that will pass into a JavaBean instance. How you do so will be very specific to your own requirements, but here are a few suggestions:

  • Use a whitelist to verify that any data that has a distinct set of values cannot be tampered with.
Map<String, String[]> finalParams = new HashMap<>();
for (Map.Entry<String, String[]> entry : params.entrySet()) {
    if ( !allowedKeys.contains(entry.getKey())) continue; // Filter out unnecessary keys.

    finalParams.put(entry.getKey(), entry.getValue());
}

BeanUtils.populate(bean, finalParams);
  • Data such as request parameters, headers and cookies should be handled carefully, as they are the largest attack surfaces.
  • Use a data sanitization library like OWASP's ESAPI to reduce the amount of work you need to do.

If any of the data in the request is used in the response, care must be taken to avoid injecting malicious data from the request into the response, as this could lead to a server-side injection attack.

References