2024-06-16 11:06:39,002 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target

The docs don't give any hints on what the list should be.

<constant name="struts.allowlist.enable" value="false" />

<constant name="struts.allowlist.packageNames" value="my.pojo.Pojo" />

my.pojo.Pojo$HibernateProxy$tEzkTVrG]

This is an inquiry screen.

On 16/06/2024 10:51, Kusal Kithul-Godage wrote:
So you've got 2 separate issues here:
* Pojos that are not allowlisted
* OGNL executions against Spring/Hibernate proxied objects

If you have genuine Pojos that need allowlisting, you can do so by
following the documentation:
https://struts.apache.org/security/#ognl-member-access
Allowlisting Pojos is perfectly fine and will not reduce security.

As for manipulating Spring/Hibernate objects via OGNL - this is a
security risk as it means in the event of an SSTI vulnerability,
attackers may also be able to manipulate Spring/Hibernate objects. I'd
first review why your application is relying on this behaviour.
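One way to keep the proxy check enabled and still render Hibernate entities in an inquiry screen, as an added example that is not from this thread or from Struts itself: unproxy the entities in the action before they reach the value stack, so the view only ever touches the allowlisted declaring class. InquiryAction, the injected Session and the package my.app.action are hypothetical; my.pojo.Pojo is the class from the thread, and Hibernate.unproxy is assumed to be available (Hibernate 5.2.10 and later).

```java
// Added example, not code from the thread. Assumes Hibernate 5.2.10+ (Hibernate.unproxy)
// and the Struts allowlist constants named in the linked docs / this thread.
package my.app.action;

import com.opensymphony.xwork2.ActionSupport;
import org.hibernate.Hibernate;
import org.hibernate.Session;

import java.util.ArrayList;
import java.util.List;

import my.pojo.Pojo;

// Hypothetical inquiry action: loads entities through Hibernate but hands plain
// instances to the JSP, so struts.disallowProxyMemberAccess=true can stay on and
// only the Pojo package needs allowlisting, e.g. in struts.xml:
//   <constant name="struts.allowlist.enable" value="true" />
//   <constant name="struts.allowlist.packageNames" value="my.pojo" />
public class InquiryAction extends ActionSupport {
    private final Session session;            // injected however the app wires Hibernate
    private final List<Pojo> users = new ArrayList<>();

    public InquiryAction(Session session) {
        this.session = session;
    }

    @Override
    public String execute() {
        // getReference() and lazy associations return a generated subclass such as
        // my.pojo.Pojo$HibernateProxy$..., which SecurityMemberAccess blocks because
        // its declaring class is the proxy, not my.pojo.Pojo.
        Pojo maybeProxy = session.getReference(Pojo.class, 1L);

        // Hibernate.unproxy initialises the proxy and returns the real entity, so
        // OGNL in the view resolves getUserName() against my.pojo.Pojo itself.
        Pojo plain = (Pojo) Hibernate.unproxy(maybeProxy);
        users.add(plain);
        return SUCCESS;
    }

    // Getter read by the JSP, e.g. <s:property value="users[0].userName"/>
    public List<Pojo> getUsers() {
        return users;
    }
}
```

If an association is lazily loaded on the entity itself, unproxy that field as well before the view reads it; otherwise the same warning reappears for the nested proxy.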

On Sun, Jun 16, 2024 at 7:39 PM Greg Huber <gregh3...@gmail.com> wrote:
I use both Spring and Hibernate v6 for testing; I would not want to make any
drastic changes to these as they are painful.

Here is one (of many)

2024-06-16 09:26:21,419 WARN
com.opensymphony.xwork2.ognl.SecurityMemberAccess
SecurityMemberAccess:checkAllowlist - Declaring class [class
my.pojo.Pojo] of member type [public java.lang.String
my.pojo.Pojo.getUserName()] is not allowlisted!
2024-06-16 09:26:21,419 WARN
com.opensymphony.xwork2.ognl.SecurityMemberAccess
SecurityMemberAccess:isAccessible - Access to non-public [private
java.lang.String my.pojo.Pojo.userName] is blocked!

public class Pojo {

    // Private field: SecurityMemberAccess blocks direct access to it
    private String userName;

    // Public getter: the member that must be allowlisted for OGNL
    public String getUserName() {
        return userName;
    }

}

On 16/06/2024 10:33, Kusal Kithul-Godage wrote:
That suggests the target is proxied by Spring or Hibernate, which
Pojos should not be by definition. You'll need to attach a debugger to
investigate why this is the case

On Sun, Jun 16, 2024 at 7:19 PM Greg Huber <gregh3...@gmail.com> wrote:
The text looks OK, but I get this in the log also:

2024-06-16 10:15:12,587 WARN
com.opensymphony.xwork2.ognl.SecurityMemberAccess
SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [][

Where the target is my pojo, of which I have a lot.

On 16/06/2024 10:15, Kusal Kithul-Godage wrote:
I didn't do much testing with the Struts JSP integration beyond the
examples in the showcase app so it's possible I've missed some
packages/classes that should be allowed by default.

Could you share the warnings you are receiving? Perhaps deduplicate
the warnings first if there are many repetitive ones

On Sun, Jun 16, 2024 at 7:10 PM Greg Huber <gregh3...@gmail.com> wrote:
Sorry, I checked the wrong log file; it was this one, which needed to be false.

<constant name="struts.allowlist.enable" value="false" />

Are there any docs on this? i.e. an example of what would go in the list,
as it's excluding Struts default stuff.

On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
All of the mentioned options should log issues at warn level or
greater, except for 'struts.parameters.requireAnnotations' which will
log at debug level.

Using the following PR as a reference, you can revert settings to
their previous value one by one, to isolate which option may be
causing your application issues.
https://github.com/apache/struts/pull/919/files

Once you have isolated and corrected any issues, please re-enable the
options as they offer significant protection against vulnerabilities.

On Sun, Jun 16, 2024 at 6:39 PM Greg Huber <gregh3...@gmail.com> wrote:
I tried this and there is a lot of text missing on my JSP pages.

It mentions these:

struts.ognl.allowStaticFieldAccess=false
struts.ognl.expressionMaxLength=150
struts.disallowDefaultPackageAccess=true
struts.disallowProxyMemberAccess=true
struts.parameters.requireAnnotations=true
struts.ognl.disallowCustomOgnlMap=true
struts.allowlist.enable=true

I tried

struts.ognl.allowStaticFieldAccess=true

but it made no difference.

There are no warnings in the logs.

On 12/06/2024 07:12, Lukasz Lenart wrote:
Hello,

This is another milestone of Struts 7.x series, which is based on
JakartaEE 6. Please take the time and test the bits - any help is
appreciated. Please report any problems you will spot.

Please read the Migration guide as this version includes stronger
security options
https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration

Here are the changes from the previous version:
https://github.com/apache/struts/releases/tag/STRUTS_7_0_0_M7

Staging Maven repo
https://repository.apache.org/content/groups/staging/

* please read our guideline on how to set up your Maven build to include
the Staging repository
       https://struts.apache.org/builds.html#test-builds

Standalone artifacts
https://dist.apache.org/repos/dist/dev/struts/7.0.0-M7/

Release notes
https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.0.0-M7


Have fun!
Łukasz

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
