struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefaan Dutry (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4939) Use securely generated constants
Date Sat, 02 Jun 2018 20:59:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16499184#comment-16499184
] 

Stefaan Dutry commented on WW-4939:
-----------------------------------

{quote}Just one thing, my example generates random strings without dashes, does {{java.util.UUID.randomUUID()}} do
the same?
{quote}
No, it follows {{RFC-4122}} and therefore always has 4 dashes in it.
{quote}Basically I would hide implementation behind a static method, something like public
static String StrutsConstants#generateUUID() to easily switch to different logic if needed.
{quote}
If switching the implementation needs to be easily possible for security issues, would it
be an option to provide the implementation class as a constant definition in the struts config,
so that, if there is a security risk with the given implementation, people can just add a
new class and change the constant value, instead of having to upgrade the struts version entirely?

{quote}
I think to make debugging Struts itself more easier, we can add that random as post-fix to
current constants which helps debugger when watch the variable about it's meaning:
{quote}

If my previous statement would be an option, this could also solve the debugging issues by
possible adding a debugging oriented implementation.

 

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well know and can be used in exploits, ie. {{public static
final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime to avoid
using literals directly in exploits. Users can still use the constants in their code but not
in dynamic expressions.
> {code:java}
>     public static final String AUTH_TOKEN = generateUUID();
>     public static String generateUUID() {
>         return new BigInteger(165, RANDOM).toString(36).toUpperCase();
>     }
> {code}
> This will probably break backward compatibility but using string literals instead of
the constants by the users is a bad practice anyway.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message