Hi Burton

The migration guide incorrectly stated struts.disallowProxyMemberAccess - I've corrected this now (thanks Lukasz for the permission).

The options you need to set are:
struts.disallowProxyObjectAccess=false
struts.allowlist.enable=false

As for struts.parameters.requireAnnotations, this has no relation to proxy objects. You will of course need to add the necessary annotations throughout your codebase but much of it can be scripted. I'd recommend starting here to understand how the annotation works:
https://struts.apache.org/security/#defining-and-annotating-your-action-parameters

The transition mode option is also available which should make keeping this option enabled even less laborious.

On Mon, Jun 17, 2024 at 2:16 AM Burton Rhodes <burtonrho...@gmail.com> wrote:
>
> I am having the same issue because many of our JSPs access Hibernate
> proxy objects. However, setting [struts.disallowProxyMemberAccess=false]
> is not working for me. I am still receiving "Access to proxy is
> blocked!" errors. Correcting this issue properly (by changing our JSPs)
> will take significant time so I would prefer to initially take the
> security risk.
>
> Below is an example of a log entry plus the "non-secure" struts.xml
> settings.
>
> Log Entry Example
> com.opensymphony.xwork2.ognl.SecurityMemberAccess - Access to proxy
> is blocked! Target [--data here--], proxy class
> [com.afs.core.entity.Folder$HibernateProxy$OVniT9Ol]
>
> struts.xml
> <constant name="struts.allowlist.enable" value="false"/>
> <constant name="struts.parameters.requireAnnotations" value="false"/>
> <constant name="struts.disallowProxyMemberAccess" value="false"/>
>
>
> ------ Original Message ------
> From "Kusal Kithul-Godage" <kusal.kithulgod...@gmail.com>
> To "Struts Developers List" <dev@struts.apache.org>
> Date 6/16/2024 9:51:36 AM
> Subject Re: [TEST] Apache Struts 7.0.0-M7 test build is ready
>
> >So the allowlist configuration is usually just informed by the
> >warnings logged during runtime. For most applications this will either
> >be nothing or some Pojo packages. So for the example log warning
> >you've provided that would be:
> >struts.allowlist.packageNames=my.pojo
> >
> >However, the main issue you're having here is that your Pojos are
> >actually Hibernate entities, and you are then accessing them directly
> >using OGNL - which is not recommended. The allowlist capability is
> >also not compatible with any type of proxy object, Hibernate entities
> >included.
> >
> >So you've 2 options here:
> >
> >a) Disable both the proxy block and the allowlist using the following
> >options and accept the increased security risk.
> >struts.disallowProxyObjectAccess=false
> >struts.allowlist.enable=false
> >
> >b) Invest some time introducing an intermediary layer which provides
> >proper separation between your database entities and view layer. This
> >will completely eliminate the risk of exploits targeting your view
> >layer being escalated to the persistence layer.
> >
> >I obviously recommend the latter but we are not going to force this
> >upon anyone as I understand it can take some effort and resources you
> >may not have.
> >
> >Thank you for reporting this though as I expect yours won't be the
> >only Struts application with this issue. I'll update the documentation
> >to better acknowledge this case as well as the options I outlined
> >above.
> >
> >Lukasz if you could give me edit permission for the Struts 7.x
> >migration guide, I'll add a quick note there too.
> >
> >On Sun, Jun 16, 2024 at 8:21 PM Greg Huber <gregh3...@gmail.com> wrote:
> >>
> >> 2024-06-16 11:06:39,002 WARN
> >> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> >> SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target
> >>
> >> The docs don't give any hints on what the list should be.
> >>
> >> <constant name="struts.allowlist.enable" value="false" />
> >>
> >> <constant name="struts.allowlist.packageNames" value="my.pojo.Pojo" />
> >>
> >> my.pojo.Pojo$HibernateProxy$tEzkTVrG]
> >>
> >> This is an inquiry screen.
> >>
> >> On 16/06/2024 10:51, Kusal Kithul-Godage wrote:
> >> > So you've got 2 separate issues here:
> >> > * Pojos that are not allowlisted
> >> > * OGNL executions against Spring/Hibernate proxied objects
> >> >
> >> > If you have genuine Pojos that need allowlisting, you can do so by
> >> > following the documentation:
> >> > https://struts.apache.org/security/#ognl-member-access
> >> > Allowlisting Pojos is perfectly fine and will not reduce security.
> >> >
> >> > As for manipulating Spring/Hibernate objects via OGNL - this is a
> >> > security risk as it means in the event of an SSTI vulnerability,
> >> > attackers may also be able to manipulate Spring/Hibernate objects. I'd
> >> > first review why your application is relying on this behaviour.
> >> >
> >> > On Sun, Jun 16, 2024 at 7:39 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> >> I use both spring and hibernate v6 testing, I would not want to make any
> >> >> drastic changes to these as they are painful.
> >> >>
> >> >> Here is one (of many)
> >> >>
> >> >> 2024-06-16 09:26:21,419 WARN
> >> >> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> >> >> SecurityMemberAccess:checkAllowlist - Declaring class [class
> >> >> my.pojo.Pojo] of member type [public java.lang.String
> >> >> my.pojo.Pojo.getUserName()] is not allowlisted!
> >> >> 2024-06-16 09:26:21,419 WARN
> >> >> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> >> >> SecurityMemberAccess:isAccessible - Access to non-public [private
> >> >> java.lang.String my.pojo.Pojo.userName] is blocked!
> >> >>
> >> >> public class Pojo {
> >> >>
> >> >>     private String userName;
> >> >>
> >> >>     public String getUserName() {
> >> >>         return userName;
> >> >>     }
> >> >>
> >> >> }
> >> >>
> >> >> On 16/06/2024 10:33, Kusal Kithul-Godage wrote:
> >> >>> That suggests the target is proxied by Spring or Hibernate, which
> >> >>> Pojos should not be by definition. You'll need to attach a debugger to
> >> >>> investigate why this is the case
> >> >>>
> >> >>> On Sun, Jun 16, 2024 at 7:19 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> >>>> The text looks ok, but I get this in the log also:
> >> >>>>
> >> >>>> 2024-06-16 10:15:12,587 WARN
> >> >>>> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> >> >>>> SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [][
> >> >>>>
> >> >>>> Where the target is my pojo, which I have a lot of.
> >> >>>>
> >> >>>> On 16/06/2024 10:15, Kusal Kithul-Godage wrote:
> >> >>>>> I didn't do much testing with the Struts JSP integration beyond the
> >> >>>>> examples in the showcase app so it's possible I've missed some
> >> >>>>> packages/classes that should be allowed by default.
> >> >>>>>
> >> >>>>> Could you share the warnings you are receiving? Perhaps deduplicate
> >> >>>>> the warnings first if there are many repetitive ones
> >> >>>>>
> >> >>>>> On Sun, Jun 16, 2024 at 7:10 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> >>>>>> Sorry checked the wrong log file, it was this one, needed to be false.
> >> >>>>>>
> >> >>>>>> <constant name="struts.allowlist.enable" value="false" />
> >> >>>>>>
> >> >>>>>> Is there any docs on this? i.e. an example of what would go in the list,
> >> >>>>>> as it's excluding struts default stuff.
> >> >>>>>>
> >> >>>>>> On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
> >> >>>>>>> All of the mentioned options should log issues at warn level or
> >> >>>>>>> greater, except for 'struts.parameters.requireAnnotations' which will
> >> >>>>>>> log at debug level.
> >> >>>>>>>
> >> >>>>>>> Using the following PR as a reference, you can revert settings to
> >> >>>>>>> their previous value one by one, to isolate which option may be
> >> >>>>>>> causing your application issues.
> >> >>>>>>> https://github.com/apache/struts/pull/919/files
> >> >>>>>>>
> >> >>>>>>> Once you have isolated and corrected any issues, please re-enable the
> >> >>>>>>> options as they offer significant protection against vulnerabilities.
> >> >>>>>>>
> >> >>>>>>> On Sun, Jun 16, 2024 at 6:39 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> >>>>>>>> I tried this and there is a lot of text missing on my jsp pages
> >> >>>>>>>>
> >> >>>>>>>> it mentions these:
> >> >>>>>>>>
> >> >>>>>>>> struts.ognl.allowStaticFieldAccess=false
> >> >>>>>>>> struts.ognl.expressionMaxLength=150
> >> >>>>>>>> struts.disallowDefaultPackageAccess=true
> >> >>>>>>>> struts.disallowProxyMemberAccess=true
> >> >>>>>>>> struts.parameters.requireAnnotations=true
> >> >>>>>>>> struts.ognl.disallowCustomOgnlMap=true
> >> >>>>>>>> struts.allowlist.enable=true
> >> >>>>>>>>
> >> >>>>>>>> I tried
> >> >>>>>>>>
> >> >>>>>>>> struts.ognl.allowStaticFieldAccess=true
> >> >>>>>>>>
> >> >>>>>>>> but it made no difference.
> >> >>>>>>>>
> >> >>>>>>>> There are no warnings in the logs.
> >> >>>>>>>>
> >> >>>>>>>> On 12/06/2024 07:12, Lukasz Lenart wrote:
> >> >>>>>>>>> Hello,
> >> >>>>>>>>>
> >> >>>>>>>>> This is another milestone of Struts 7.x series, which is based on
> >> >>>>>>>>> JakartaEE 6. Please take the time and test the bits - any help is
> >> >>>>>>>>> appreciated. Please report any problems you will spot.
> >> >>>>>>>>>
> >> >>>>>>>>> Please read the Migration guide as this version includes stronger
> >> >>>>>>>>> security options
> >> >>>>>>>>> https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration
> >> >>>>>>>>>
> >> >>>>>>>>> Here are the changes from the previous version:
> >> >>>>>>>>> https://github.com/apache/struts/releases/tag/STRUTS_7_0_0_M7
> >> >>>>>>>>>
> >> >>>>>>>>> Staging Maven repo
> >> >>>>>>>>> https://repository.apache.org/content/groups/staging/
> >> >>>>>>>>>
> >> >>>>>>>>> * please read our guideline how to set up your Maven build to include
> >> >>>>>>>>> the Staging repository
> >> >>>>>>>>> https://struts.apache.org/builds.html#test-builds
> >> >>>>>>>>>
> >> >>>>>>>>> Standalone artifacts
> >> >>>>>>>>> https://dist.apache.org/repos/dist/dev/struts/7.0.0-M7/
> >> >>>>>>>>>
> >> >>>>>>>>> Release notes
> >> >>>>>>>>> https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.0.0-M7
> >> >>>>>>>>>
> >> >>>>>>>>>
> >> >>>>>>>>> Have fun!
> >> >>>>>>>>> Łukasz

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org
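Option (b) from Kusal's reply, as an added Java example that is not code from this thread or the Struts project: a plain view object in an allowlisted package is filled from the Hibernate entity inside the action, so JSP/OGNL never evaluates against a proxy and the allowlist, proxy block and parameter annotations from the migration guide can all stay enabled. The `my.view` package, `FolderView`, `FolderAction`, the `Folder` entity and `FolderRepository` are hypothetical, and the `ActionSupport` and `StrutsParameter` import packages are assumed to match Struts 7.0.0-M7.

```java
// Added example, not code from the thread or the Struts project.
// struts.xml is assumed to keep the 7.x defaults, with only the DTO package allowlisted:
//   <constant name="struts.allowlist.enable" value="true"/>
//   <constant name="struts.disallowProxyObjectAccess" value="true"/>
//   <constant name="struts.parameters.requireAnnotations" value="true"/>
//   <constant name="struts.allowlist.packageNames" value="my.view"/>
package my.view;
import com.opensymphony.xwork2.ActionSupport;                   // package assumed (7.0.0-M7)
import org.apache.struts2.interceptor.parameter.StrutsParameter; // package assumed
import java.util.List;
import java.util.stream.Collectors;

// --- FolderView.java: plain view object in the allowlisted package (no proxy, no lazy collections)
public final class FolderView {
    private final long id;
    private final String name;
    private final List<String> childNames;

    public FolderView(long id, String name, List<String> childNames) {
        this.id = id;
        this.name = name;
        this.childNames = List.copyOf(childNames); // defensive copy, detached from the session
    }
    public long getId() { return id; }
    public String getName() { return name; }
    public List<String> getChildNames() { return childNames; }
}

// --- FolderAction.java: the only place that touches the Hibernate entity
public class FolderAction extends ActionSupport {
    private final FolderRepository folders; // hypothetical Spring-injected lookup for the Folder entity
    private long folderId;
    private FolderView folder;
    public FolderAction(FolderRepository folders) { this.folders = folders; }

    // With requireAnnotations=true, only annotated setters are populated from request parameters.
    @StrutsParameter
    public void setFolderId(long folderId) { this.folderId = folderId; }

    @Override
    public String execute() {
        Folder entity = folders.findById(folderId); // hypothetical entity; may be a Hibernate proxy
        if (entity == null) return ERROR;
        // Copy into the DTO inside the transaction; the JSP reads FolderView only, so OGNL never meets the proxy.
        folder = new FolderView(entity.getId(), entity.getName(),
                entity.getChildren().stream().map(Folder::getName).collect(Collectors.toList()));
        return SUCCESS;
    }
    // What the JSP reads, e.g. <s:property value="folder.name"/>
    public FolderView getFolder() { return folder; }
}
```

With this split, the "Access to proxy is blocked!" and "is not allowlisted!" warnings from the thread stop appearing for the inquiry screen, because nothing in `my.view` is proxied and the package is explicitly allowlisted.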