Re: ParametersInterceptor:isAccepted warning with DMI

Thu, 21 Jan 2021 01:14:55 -0800 

I can do a PR if this would be OK?  ....Seems not to complex.

 ie add a log to ExcludedPatternsChecker.isExcluded

ExcludedPatternsChecker

public final static class IsExcluded {

        private final boolean excluded;
        private final String excludedPattern;
*private final boolean log;*

        public static IsExcluded yes(Pattern excludedPattern) {
            return new IsExcluded(true, excludedPattern.pattern()*, true)*;
        }

*public static IsExcluded yes(Pattern excludedPattern, Boolean log) {**
**            return new IsExcluded(true, excludedPattern.pattern(), log);**
**        }*

        public static IsExcluded no(Set<Pattern> excludedPatterns) {
            return new IsExcluded(false, excludedPatterns.toString()*, true*); 
        }
        private IsExcluded(boolean excluded, String excludedPattern*, boolean log*) { 
            this.excluded = excluded;
            this.excludedPattern = excludedPattern;
*this.log = log;*
        }

        public boolean isExcluded() {
            return excluded;
        }

        public String getExcludedPattern() {
            return excludedPattern;
        }
*public boolean isLog() {**
**            return log;**
**        }*
        @Override
        public String toString() {
            return "IsExcluded { " +
                    "excluded=" + excluded +
                    ", excludedPattern=" + excludedPattern +
*", log=" + log + *" }";
        }

    }

ParametersInterceptor

protected boolean isExcluded(String paramName) {
        ExcludedPatternsChecker.IsExcluded result = excludedPatterns.isExcluded(paramName); 
        if (result.isExcluded()) {
            if (*result.isLog()* && devMode) { // warn only when in devMode
                LOG.warn("Parameter [{}] matches excluded pattern [{}]! See Accepted / Excluded patterns at\n" + 
"https://struts.apache.org/security/#accepted--excluded-patterns";,
                        paramName, result.getExcludedPattern());
            } else {
                LOG.debug("Parameter [{}] matches excluded*/ignored* pattern [{}]!", paramName, result.getExcludedPattern()); 
            }
            return true;
        }
        return false;
    }

DefaultExcludedPatternsChecker

private Set<Pattern> excludedPatterns;

*private Set<Pattern> ignoredPatterns;*

@Inject(StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION)
    protected void setDynamicMethodInvocation(String dmiValue) {
        if (!BooleanUtils.toBoolean(dmiValue)) {
            LOG.debug("DMI is disabled, adding DMI related excluded patterns"); 
            setAdditionalExcludePatterns("^(action|method):.*");
        }*else {
            LOG.debug("DMI is enabled, adding DMI related ignored patterns"); 
            ignoredPatterns = new HashSet<>();
            try {
ignoredPatterns.add(Pattern.compile("^(action|method):.*", Pattern.CASE_INSENSITIVE)); 
            } finally {
                ignoredPatterns = Collections.unmodifiableSet(ignoredPatterns); 
            }
        }***
    }


public IsExcluded isExcluded(String value) {
        for (Pattern excludedPattern : excludedPatterns) {
            if (excludedPattern.matcher(value).matches()) {
                LOG.trace("[{}] matches excluded pattern [{}]", value, excludedPattern); 
                return IsExcluded.yes(excludedPattern);
            }
        }
*if(ignoredPatterns != null) {**
**            for (Pattern ignoredPattern : ignoredPatterns) {**
**                if (ignoredPattern.matcher(value).matches()) {**
**                    LOG.trace("[{}] matches ignored pattern [{}]", value, ignoredPattern);** 
**                    return IsExcluded.yes(ignoredPattern, false);**
**                }**
**            }**
**        }*
        return IsExcluded.no(excludedPatterns);
    }

Reply via email to