Skip to content

Commit

Permalink
Refine PropertyDescriptor filtering
Browse files Browse the repository at this point in the history
Restrict property paths under `Class` and properties of types
`ClassLoader` or `ProtectionDomain`.
  • Loading branch information
bclozel authored and Benjamin Reed committed Apr 19, 2022
1 parent 9543b9c commit 6201893
Showing 1 changed file with 14 additions and 4 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2014 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -20,6 +20,7 @@
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
Expand Down Expand Up @@ -288,9 +289,13 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
// This call is slow so we do it once.
PropertyDescriptor[] pds = this.beanInfo.getPropertyDescriptors();
for (PropertyDescriptor pd : pds) {
if (Class.class == beanClass &&
("classLoader".equals(pd.getName()) || "protectionDomain".equals(pd.getName()))) {
// Ignore Class.getClassLoader() and getProtectionDomain() methods - nobody needs to bind to those
if (Class.class == beanClass && (!"name".equals(pd.getName()) && !pd.getName().endsWith("Name"))) {
// Only allow all name variants of Class properties
continue;
}
if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
|| ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
// Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
continue;
}
if (logger.isTraceEnabled()) {
Expand All @@ -300,6 +305,11 @@ private CachedIntrospectionResults(Class<?> beanClass) throws BeansException {
"; editor [" + pd.getPropertyEditorClass().getName() + "]" : ""));
}
pd = buildGenericTypeAwarePropertyDescriptor(beanClass, pd);
if (pd.getPropertyType() != null && (ClassLoader.class.isAssignableFrom(pd.getPropertyType())
|| ProtectionDomain.class.isAssignableFrom(pd.getPropertyType()))) {
// Ignore ClassLoader and ProtectionDomain types - nobody needs to bind to those
continue;
}
this.propertyDescriptorCache.put(pd.getName(), pd);
}

Expand Down

0 comments on commit 6201893

Please sign in to comment.