Feel free, just target 2.5.x branch and then will will cherry-pick
changes into 2.6
czw., 21 sty 2021 o 10:14 Greg Huber <gregh3...@gmail.com> napisaĆ(a):
>
> I can do a PR if this would be OK? ....Seems not to complex.
>
> ie add a log to ExcludedPatternsChecker.isExcluded
>
> ExcludedPatternsChecker
>
> public final static class IsExcluded {
>
> private final boolean excluded;
> private final String excludedPattern;
> *private final boolean log;*
>
> public static IsExcluded yes(Pattern excludedPattern) {
> return new IsExcluded(true, excludedPattern.pattern()*, true)*;
> }
>
> *public static IsExcluded yes(Pattern excludedPattern, Boolean log) {**
> ** return new IsExcluded(true, excludedPattern.pattern(), log);**
> ** }*
>
> public static IsExcluded no(Set<Pattern> excludedPatterns) {
> return new IsExcluded(false, excludedPatterns.toString()*,
> true*);
> }
>
> private IsExcluded(boolean excluded, String excludedPattern*,
> boolean log*) {
> this.excluded = excluded;
> this.excludedPattern = excludedPattern;
> *this.log = log;*
> }
>
> public boolean isExcluded() {
> return excluded;
> }
>
> public String getExcludedPattern() {
> return excludedPattern;
> }
> *public boolean isLog() {**
> ** return log;**
> ** }*
> @Override
> public String toString() {
> return "IsExcluded { " +
> "excluded=" + excluded +
> ", excludedPattern=" + excludedPattern +
> *", log=" + log + *" }";
> }
>
> }
>
> ParametersInterceptor
>
> protected boolean isExcluded(String paramName) {
> ExcludedPatternsChecker.IsExcluded result =
> excludedPatterns.isExcluded(paramName);
> if (result.isExcluded()) {
> if (*result.isLog()* && devMode) { // warn only when in devMode
> LOG.warn("Parameter [{}] matches excluded pattern [{}]!
> See Accepted / Excluded patterns at\n" +
> "https://struts.apache.org/security/#accepted--excluded-patterns";,
> paramName, result.getExcludedPattern());
> } else {
> LOG.debug("Parameter [{}] matches excluded*/ignored*
> pattern [{}]!", paramName, result.getExcludedPattern());
> }
> return true;
> }
> return false;
> }
>
> DefaultExcludedPatternsChecker
>
> private Set<Pattern> excludedPatterns;
>
> *private Set<Pattern> ignoredPatterns;*
>
> @Inject(StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION)
> protected void setDynamicMethodInvocation(String dmiValue) {
> if (!BooleanUtils.toBoolean(dmiValue)) {
> LOG.debug("DMI is disabled, adding DMI related excluded
> patterns");
> setAdditionalExcludePatterns("^(action|method):.*");
> }*else {
> LOG.debug("DMI is enabled, adding DMI related ignored
> patterns");
> ignoredPatterns = new HashSet<>();
> try {
> ignoredPatterns.add(Pattern.compile("^(action|method):.*",
> Pattern.CASE_INSENSITIVE));
> } finally {
> ignoredPatterns =
> Collections.unmodifiableSet(ignoredPatterns);
> }
> }***
> }
>
>
> public IsExcluded isExcluded(String value) {
> for (Pattern excludedPattern : excludedPatterns) {
> if (excludedPattern.matcher(value).matches()) {
> LOG.trace("[{}] matches excluded pattern [{}]", value,
> excludedPattern);
> return IsExcluded.yes(excludedPattern);
> }
> }
> *if(ignoredPatterns != null) {**
> ** for (Pattern ignoredPattern : ignoredPatterns) {**
> ** if (ignoredPattern.matcher(value).matches()) {**
> ** LOG.trace("[{}] matches ignored pattern [{}]",
> value, ignoredPattern);**
> ** return IsExcluded.yes(ignoredPattern, false);**
> ** }**
> ** }**
> ** }*
> return IsExcluded.no(excludedPatterns);
> }
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
