Feel free, just target the 2.5.x branch and then we will cherry-pick
the changes into 2.6

czw., 21 sty 2021 o 10:14 Greg Huber <gregh3...@gmail.com> napisał(a):
>
> I can do a PR if this would be OK?  ....Seems not too complex.
>
>   ie add a log to ExcludedPatternsChecker.isExcluded
>
> ExcludedPatternsChecker
>
> public final static class IsExcluded {
>
>          private final boolean excluded;
>          private final String excludedPattern;
> *private final boolean log;*
>
>          public static IsExcluded yes(Pattern excludedPattern) {
>              return new IsExcluded(true, excludedPattern.pattern()*, true)*;
>          }
>
> *public static IsExcluded yes(Pattern excludedPattern, Boolean log) {**
> **            return new IsExcluded(true, excludedPattern.pattern(), log);**
> **        }*
>
>          public static IsExcluded no(Set<Pattern> excludedPatterns) {
>              return new IsExcluded(false, excludedPatterns.toString()*,
> true*);
>          }
>
>          private IsExcluded(boolean excluded, String excludedPattern*,
> boolean log*) {
>              this.excluded = excluded;
>              this.excludedPattern = excludedPattern;
> *this.log = log;*
>          }
>
>          public boolean isExcluded() {
>              return excluded;
>          }
>
>          public String getExcludedPattern() {
>              return excludedPattern;
>          }
> *public boolean isLog() {**
> **            return log;**
> **        }*
>          @Override
>          public String toString() {
>              return "IsExcluded { " +
>                      "excluded=" + excluded +
>                      ", excludedPattern=" + excludedPattern +
> *", log=" + log + *" }";
>          }
>
>      }
>
> ParametersInterceptor
>
> protected boolean isExcluded(String paramName) {
>          ExcludedPatternsChecker.IsExcluded result =
> excludedPatterns.isExcluded(paramName);
>          if (result.isExcluded()) {
>              if (*result.isLog()* && devMode) { // warn only when in devMode
>                  LOG.warn("Parameter [{}] matches excluded pattern [{}]!
> See Accepted / Excluded patterns at\n" +
> "https://struts.apache.org/security/#accepted--excluded-patterns";,
>                          paramName, result.getExcludedPattern());
>              } else {
>                  LOG.debug("Parameter [{}] matches excluded*/ignored*
> pattern [{}]!", paramName, result.getExcludedPattern());
>              }
>              return true;
>          }
>          return false;
>      }
>
> DefaultExcludedPatternsChecker
>
> private Set<Pattern> excludedPatterns;
>
> *private Set<Pattern> ignoredPatterns;*
>
> @Inject(StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION)
>      protected void setDynamicMethodInvocation(String dmiValue) {
>          if (!BooleanUtils.toBoolean(dmiValue)) {
>              LOG.debug("DMI is disabled, adding DMI related excluded
> patterns");
>              setAdditionalExcludePatterns("^(action|method):.*");
>          }*else {
>              LOG.debug("DMI is enabled, adding DMI related ignored
> patterns");
>              ignoredPatterns = new HashSet<>();
>              try {
> ignoredPatterns.add(Pattern.compile("^(action|method):.*",
> Pattern.CASE_INSENSITIVE));
>              } finally {
>                  ignoredPatterns =
> Collections.unmodifiableSet(ignoredPatterns);
>              }
>          }***
>      }
>
>
> public IsExcluded isExcluded(String value) {
>          for (Pattern excludedPattern : excludedPatterns) {
>              if (excludedPattern.matcher(value).matches()) {
>                  LOG.trace("[{}] matches excluded pattern [{}]", value,
> excludedPattern);
>                  return IsExcluded.yes(excludedPattern);
>              }
>          }
> *if(ignoredPatterns != null) {**
> **            for (Pattern ignoredPattern : ignoredPatterns) {**
> **                if (ignoredPattern.matcher(value).matches()) {**
> **                    LOG.trace("[{}] matches ignored pattern [{}]",
> value, ignoredPattern);**
> **                    return IsExcluded.yes(ignoredPattern, false);**
> **                }**
> **            }**
> **        }*
>          return IsExcluded.no(excludedPatterns);
>      }
>
