struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From git-site-r...@apache.org
Subject [struts-site] branch asf-site updated: Updates production by Jenkins
Date Tue, 12 Nov 2019 13:15:40 GMT
This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/asf-site by this push:
     new a950902  Updates production by Jenkins
a950902 is described below

commit a950902653fdc2a9d93fd5001ec4cc9e2279c831
Author: jenkins <builds@apache.org>
AuthorDate: Tue Nov 12 13:15:37 2019 +0000

    Updates production by Jenkins
---
 content/security/index.html | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/content/security/index.html b/content/security/index.html
index 25ebc36..9935f79 100644
--- a/content/security/index.html
+++ b/content/security/index.html
@@ -142,6 +142,11 @@
       <li><a href="#do-not-use-incoming-values-as-an-input-for-localisation-logic"
id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not
use incoming values as an input for localisation logic</a></li>
       <li><a href="#use-struts-tags-instead-of-raw-el-expressions" id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use
Struts tags instead of raw EL expressions</a></li>
       <li><a href="#define-custom-error-pages" id="markdown-toc-define-custom-error-pages">Define
custom error pages</a></li>
+      <li><a href="#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable"
id="markdown-toc-proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable">Proactively
protect from OGNL Expression Injections attacks if easily applicable</a>        <ul>
+          <li><a href="#run-ognl-expressions-inside-sandbox" id="markdown-toc-run-ognl-expressions-inside-sandbox">Run
OGNL expressions inside sandbox</a></li>
+          <li><a href="#apply-a-maximum-allowed-length-on-ognl-expressions" id="markdown-toc-apply-a-maximum-allowed-length-on-ognl-expressions">Apply
a maximum allowed length on OGNL expressions</a></li>
+        </ul>
+      </li>
     </ul>
   </li>
   <li><a href="#internal-security-mechanism" id="markdown-toc-internal-security-mechanism">Internal
security mechanism</a>    <ul>
@@ -306,6 +311,33 @@ generated error pages.</p>
 <span class="nt">&lt;/global-exception-mappings&gt;</span>
 </code></pre></div></div>
 
+<h3 id="proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable">Proactively
protect from OGNL Expression Injections attacks if easily applicable</h3>
+
+<p>The framework has a history of critical security bugs, many tied to its use of OGNL
technology; Due to its ability to 
+create or change executable code, OGNL is capable of introducing critical security flaws
to any framework that uses it. 
+Multiple Struts 2 versions have been vulnerable to OGNL security flaws. Consequently, we’ve
equipped OGNL and the 
+framework with following proactive optional possibilities since OGNL 3.1.24 and Struts 2.5.22.
They’re disabled by 
+default but via enabling them, you can proactively protect from potential still unknown OGNL
Expression Injections flaws:</p>
+
+<blockquote>
+  <p><strong>NOTE</strong>: These might break your current app functionality.
Before using in production environment, you’re recommended to 
+comprehensively test your app UI and functionalities with these enabled.</p>
+</blockquote>
+
+<h4 id="run-ognl-expressions-inside-sandbox">Run OGNL expressions inside sandbox</h4>
+
+<p>You can do this simply via adding <code class="highlighter-rouge">-Dognl.security.manager</code>
to JVM arguments. OGNL thereupon utilizes Java Security
+Manager to run OGNL expressions (which includes your actions either!) inside a sandbox with
no permission. It is worth 
+noting that it affects only OGNL expression execution and thereafter OGNL reverts Java Security
Manager to its previous 
+state.</p>
+
+<h4 id="apply-a-maximum-allowed-length-on-ognl-expressions">Apply a maximum allowed
length on OGNL expressions</h4>
+
+<p>You can enable this via Struts configuration key <code class="highlighter-rouge">struts.ognl.expressionMaxLength</code>.
OGNL thereupon doesn’t evaluate any 
+expression longer than specified value. You would choose a value large enough to permit ALL
valid OGNL expressions used 
+within the application. Values larger than the 200-400 range have diminishing security value
(at which point it is 
+really only a “style guard” for long OGNL expressions in an application).</p>
+
 <h2 id="internal-security-mechanism">Internal security mechanism</h2>
 
 <p>The Apache Struts 2 contains internal security manager which blocks access to particular
classes and Java packages - 


Mime
View raw message