struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4939) Use securely generated constants
Date Wed, 30 May 2018 06:25:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494744#comment-16494744 ]

Yasser Zamani commented on WW-4939:
-----------------------------------

Do you also have any reference about when and why such a practice (random constants) is good?

I think, to make debugging Struts itself easier, we can add that random value as a postfix to the
current constants, which helps the debugger, when watching the variable, understand its meaning:

 
{code:java}
    public static final SecureRandom RANDOM = new SecureRandom();

    public static final String ACTION_MAPPING = generateUUID("struts.actionMapping");

    public static String generateUUID(String prefix) {
        return prefix + new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }
 {code}

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e. {{public static
> final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime to avoid
> using literals directly in exploits. Users can still use the constants in their code but not
> in dynamic expressions.
> {code:java}
>     import java.math.BigInteger;
>     import java.security.SecureRandom;
>
>     // Must be declared before AUTH_TOKEN, which uses it during static initialization.
>     private static final SecureRandom RANDOM = new SecureRandom();
>     public static final String AUTH_TOKEN = generateUUID();
>     public static String generateUUID() {
>         return new BigInteger(165, RANDOM).toString(36).toUpperCase();
>     }
> {code}
> This will probably break backward compatibility but using string literals instead of
> the constants by the users is a bad practice anyway.
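The idea in the issue description and in the comment above, as an added stand-alone example (not Struts code; the class name and the context map are this example's own): a constant keeps its readable prefix for debugging, gets a fresh random suffix on every JVM start, and a hard-coded literal no longer resolves to the same entry as the constant does.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical demonstration class; not part of Struts.
public final class RandomizedConstantsDemo {
    // Declared first: static fields initialize in textual order, so the
    // generator must exist before any constant below is computed.
    private static final SecureRandom RANDOM = new SecureRandom();

    // Readable prefix for the debugger plus a 165-bit random suffix in base 36.
    public static String generateUUID(String prefix) {
        return prefix + new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    // Fixed for the lifetime of this JVM; different after every restart.
    public static final String ACTION_MAPPING = generateUUID("struts.actionMapping");

    public static void main(String[] args) {
        // Constructed stand-in for a value context keyed by the constant.
        Map<String, Object> context = new HashMap<>();
        context.put(ACTION_MAPPING, "mapping for /hello");

        // Code that references the constant still finds the entry...
        System.out.println("via constant : " + context.get(ACTION_MAPPING));
        // ...while the old well-known literal finds nothing.
        System.out.println("via literal  : " + context.get("struts.actionMapping"));

        // The prefix survives for debugging; only the suffix is random.
        System.out.println("prefix kept  : " + ACTION_MAPPING.startsWith("struts.actionMapping"));
        System.out.println("suffix chars : " + (ACTION_MAPPING.length() - "struts.actionMapping".length()));
    }
}
```

Running it twice shows a different suffix each time while the `via constant` lookup keeps working; the `via literal` lookup prints `null` on every run.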



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
