BeanUtils.setProperty may shouln't record trace log #276
Conversation
|
Would you like to use the new method from your code? If not, please make the method private. |
|
The method not only use for BeanUtilsBean.copyProperty and BeanUtilsBean.setProperty, but also for LocaleBeanUtilsBean.setProperty, they are same case and duplicate code. Protected id better |
| } | ||
| sb.append(')'); | ||
| LOG.trace(sb.toString()); | ||
| LOG.trace(traceLogRecord(bean, name, value, sb).toString());; |
| } | ||
| sb.append(')'); | ||
| LOG.trace(sb.toString()); | ||
| LOG.trace(traceLogRecord(bean, name, value, sb).toString());; |
| * @param name Property name (can be nested/indexed/mapped/combo) | ||
| * @param value Value to be set | ||
| */ | ||
| protected static StringBuilder traceLogRecord(Object bean, String name, Object value, StringBuilder sb) { |
There was a problem hiding this comment.
Missing @param tag.
Missing @return tag.
| } | ||
| sb.append(')'); | ||
| LOG.trace(sb.toString()); | ||
| LOG.trace(traceLogRecord(bean, name, value, sb).toString());; |
|
Thanks for the comments. |
If some has this kind of access to your application, you're already in very deep trouble. Note that some folks recommend to never store credentials in Let's see if anyone else has feedback. |
One remaining development task for 2.x is to pull up the "2" types
The last time I tried this, tests failed and I was semi-stuck as to See also:
Discussions and PRs on GitHub are welcome. |
| * @param sb the start of stringBuilder | ||
| * @return the value should log as trace | ||
| */ | ||
| protected static StringBuilder traceLogRecord(Object bean, String name, Object value, StringBuilder sb) { |
There was a problem hiding this comment.
- For me passing a StringBuilder seems a bit odd, just because there is an initial value in it. I would rather pass an Immutable String as initial value.
- Parameters could be final.
There was a problem hiding this comment.
Your suggestion may right, the futher code I wrote tried to keep as same as original possibly.
Your's are more sence
|
I think a couple of test cases would be nice, at least for the new logic. |
|
Test cases must by fine, but the changed code is use for logging. Beanutils only use commons-logging as logging adapter system, I cannot directly log without import any other implementations logging software (At least I have no idea). Anyone have idea? |
|
@F0otman About the test writing. You are right, it is a bit complicated because the code may not be in a testable format.
TUC - Test Unfriendly Construct
I'll think about it and will be back tomorrow. |
|
I created a PoC commit here.
For the spy Mockito would be great, because this hand-made spy feels wierd. But Mockito is not in the project and I'm not sure why. Anyway. What do you guys think? Is is a way to go or I just overengineering it? |
Added some cases and comments
|
It's a good idea to implement as a simplest SimpleLog But it add a new public constructor for BeanUtilsBean, is it worth for test? |
|
+1 on this change in general though as we have been burned by stuff like this in the past someone logging a password field in a toString. |
| @@ -1067,4 +1039,60 @@ public void setProperty(final Object bean, String name, final Object value) | |||
| (e, "Cannot set " + propName); | |||
| } | |||
| } | |||
|
|
|||
| /** | |||
| * <p>Build the stringBuilder by using set/copy bean property for log, only | |||
There was a problem hiding this comment.
This comment is not quite right IMO: It mentions logging but the method does not log or check log levels. Since it is a protected method, it can be called from a subclass so you have no idea how it will be used. All of this to say, I think the Javadoc should just say what it does.
| public BeanUtilsBean(final ConvertUtilsBean convertUtilsBean, final PropertyUtilsBean propertyUtilsBean, final Log log) { | ||
| this.convertUtilsBean = convertUtilsBean; | ||
| this.propertyUtilsBean = propertyUtilsBean; | ||
| LOG = log; |
There was a problem hiding this comment.
This looks very bad IMO: Every time an instance is created, a global variable is edited, which sounds to me like a recipe for bugs and libraries blaming each other.
There was a problem hiding this comment.
Not every time. The original constructors have not changed, they do not edit the global LOG. But you have to have some edit option if you want to inject dependency for mocking. It could be a constructor or a setter. For my PoC this was easyer, but as I said, not my best work. It could be much better if someone have time to really think about the solution. Unfortunately I can't work on it now, because I only have my phone for 2 weeks as technology.
|
Sorry for wrong git operate as closed, I synced fork master from here. I would pull a new pr these days :-( |
From BEANUTILS-568,
Sorry for lacked unit test, cause beanutils only use commons-logging, it cannot show the key point of log without settings or materialized log component.
The problem I want to warn is if I override bean method toString like
return "TestBean{" + "propertyPassword='" + "******" + "\" + '}'When try to use BeanUtils.setProperty & BeanUtils.copyProperty & LocaleBeanUtilsBean.setProperty, it would record trace log the value of propertyPassword. So if someone tamper log level or set the wrong level, the shaded property may record in log.
The safety way is when toString method is overrided, do not show the value in log.