struts-issues mailing list archives

From "Rene Gielen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4171) getText methods are not documented as evaluating OGNL
Date Wed, 07 Aug 2013 10:44:48 GMT

    [ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731861#comment-13731861
] 

Rene Gielen commented on WW-4171:
---------------------------------

[~lukaszlenart] How would you track that a value was sanitized beforehand? Since we encourage the use
of simple Java types, it might be hard to add metadata to a property indicating whether sanitizing is
required or has already been done.

IMO ParametersInterceptor's responsibility is to prevent evaluation of expressions while setting
parameter properties. But in the end, the now-filled property may contain an expression
which was not evaluated yet, but might get evaluated by some API calls in the Action code
(see getText(username)). What is the best way to prevent users from shooting themselves in the foot without
losing flexibility?

Going one step further, how about that:
{code:java}
// What the interceptor does when a property holds an expression-like value
public enum SanitizingStrategy {
    WARN, CLEANUP, REJECT
}
{code}
{code:java}
import java.lang.annotation.Documented;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;

// RUNTIME retention is required so an interceptor can find the annotation via reflection
@Documented
@Retention(RetentionPolicy.RUNTIME)
public @interface Sanitized {

    SanitizingStrategy value() default SanitizingStrategy.CLEANUP;
    SanitizingOptions[] options() default {SanitizingOptions.DETECT_EL};
}
{code}
{code:java}
public class HelloWorld extends ExampleSupport {

    public String execute() throws Exception {
        // getText evaluates its key as OGNL, so the key must be sanitized first
        setMessage(getText(message));
        // explicit sanitizing for properties not covered by the annotation
        setOtherMessage(getText(sanitize(manuallySanitizedMessage)));
        return SUCCESS;
    }

    // sanitized by the interceptor before execute() runs (default: CLEANUP)
    @Sanitized()
    private String message;

    private String manuallySanitizedMessage;

    //...
}
{code}
whereby a SanitizingInterceptor would be in the stack to apply sanitizing based on the given
@Sanitized annotations, using the Sanitizer API described in my earlier comment?

                
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are not documented
> as evaluating OGNL. We have observed this occurring in one project and are contacting the
> affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None of these
> methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as evaluating OGNL
> since this may come as a surprise to some developers.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
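As an added illustration, and not code from this comment or from the Struts project, the following sketch shows how the SanitizingInterceptor proposed above could walk an action's @Sanitized fields after parameters have been set and apply the WARN, CLEANUP or REJECT strategy before execute() passes a property to getText. The class name SanitizingDemo, the methods looksLikeExpression, cleanup and sanitizeFields, the RejectedParameterException type, and the marker pattern (OGNL/EL delimiters "%{" and "${", plus the "#" and "@" prefixes) are all assumptions made for this example; the sample action and its request values are constructed.

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.regex.Pattern;

public class SanitizingDemo {

    // Strategy enum as proposed in the comment.
    public enum SanitizingStrategy { WARN, CLEANUP, REJECT }

    // Field annotation as proposed; RUNTIME retention is needed so an
    // interceptor can discover it via reflection at request time.
    @Documented
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    public @interface Sanitized {
        SanitizingStrategy value() default SanitizingStrategy.CLEANUP;
    }

    // Raised by the REJECT strategy; a real interceptor would map this to
    // an error result instead of letting the action execute (assumed type).
    public static class RejectedParameterException extends RuntimeException {
        public RejectedParameterException(String field) {
            super("Parameter '" + field + "' contains an expression-like value");
        }
    }

    // Assumed definition of "looks like an expression": OGNL/EL delimiters
    // ("%{", "${") or the OGNL context/static-access prefixes ("#", "@").
    private static final Pattern EL_MARKER = Pattern.compile("%\\{|\\$\\{|[#@]");
    // Whole "%{...}" / "${...}" segments plus bare "#" and "@", used by CLEANUP.
    private static final Pattern EL_SEGMENT = Pattern.compile("%\\{[^}]*\\}|\\$\\{[^}]*\\}|[#@]");

    public static boolean looksLikeExpression(String value) {
        return value != null && EL_MARKER.matcher(value).find();
    }

    public static String cleanup(String value) {
        // Best-effort removal; REJECT is the safer choice for untrusted keys.
        return EL_SEGMENT.matcher(value).replaceAll("");
    }

    // The interceptor step: after parameters have been set, walk every
    // @Sanitized String field and apply its strategy before execute() runs.
    public static void sanitizeFields(Object action) throws IllegalAccessException {
        for (Field f : action.getClass().getDeclaredFields()) {
            Sanitized s = f.getAnnotation(Sanitized.class);
            if (s == null || f.getType() != String.class) {
                continue;
            }
            f.setAccessible(true);
            String v = (String) f.get(action);
            if (!looksLikeExpression(v)) {
                continue;
            }
            switch (s.value()) {
                case WARN:
                    System.err.println("WARN: " + f.getName() + " holds an expression-like value: " + v);
                    break;
                case CLEANUP:
                    f.set(action, cleanup(v));
                    break;
                case REJECT:
                    throw new RejectedParameterException(f.getName());
            }
        }
    }

    // Constructed action mirroring HelloWorld from the comment.
    public static class HelloWorld {
        @Sanitized
        String message;
        @Sanitized(SanitizingStrategy.REJECT)
        String username;
    }

    public static void main(String[] args) throws Exception {
        HelloWorld action = new HelloWorld();
        // Constructed request values: one harmless, one carrying an OGNL delimiter.
        action.message = "Hello %{1+1} world";
        action.username = "alice";
        sanitizeFields(action);
        System.out.println("message after CLEANUP: " + action.message);

        action.username = "#bob";
        try {
            sanitizeFields(action);
        } catch (RejectedParameterException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The marker-based detection is deliberately conservative: it flags anything that could be picked up as an OGNL expression, which is why CLEANUP can mangle legitimate text containing those characters. For properties whose value ends up as a getText key, REJECT avoids that trade-off, and the cleaner design is to keep message keys as literal constants in the action and pass request-supplied values only through the getText argument array.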
