[https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731861#comment-13731861]
Rene Gielen edited comment on WW-4171 at 8/7/13 10:44 AM:
----------------------------------------------------------
[~lukaszlenart] How would you track whether a value is sanitized beforehand? Since we
encourage use of simple Java types, it might be hard to add metadata to a
property to describe whether sanitizing is required or done already.
IMO ParametersInterceptor's responsibility is to prevent evaluation of
expressions while setting parameter properties. But in the end, the now filled
property may now contain an expression which was not evaluated yet, but might
get evaluated by some API calls in the Action code (see getText(username)).
What is the best way to prevent users from shooting their feet without losing
flexibility?
Going one step further, how about that:
{code:java}
public enum SanitizingStrategy {
    WARN, CLEANUP, REJECT
}

// SanitizingOptions is referenced by @Sanitized but was not defined in the sketch; minimal assumed form:
public enum SanitizingOptions {
    DETECT_EL
}
{code}
{code:java}
import java.lang.annotation.*;

@Documented
@Retention(RetentionPolicy.RUNTIME) // required so a SanitizingInterceptor can read the annotation at runtime
@Target(ElementType.FIELD)
public @interface Sanitized {
    SanitizingStrategy value() default SanitizingStrategy.CLEANUP;
    SanitizingOptions[] options() default {SanitizingOptions.DETECT_EL};
}
{code}
{code:java}
public class HelloWorld extends ExampleSupport {

    public String execute() throws Exception {
        // "message" has already been cleaned by the SanitizingInterceptor, so getText() is safe here
        setMessage(getText(message));
        // no annotation: the action sanitizes this value explicitly before handing it to getText()
        setOtherMessage(getText(sanitize(manuallySanitizedMessage)));
        return SUCCESS;
    }

    @Sanitized
    private String message;

    private String manuallySanitizedMessage;
    //...
}
{code}
whereby a SanitizingInterceptor would be in the stack to apply sanitizing based
on the given @Sanitized annotations, using the Sanitizer-API described in my
earlier comment?
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
> Key: WW-4171
> URL: https://issues.apache.org/jira/browse/WW-4171
> Project: Struts 2
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: 2.3.15.1
> Reporter: Coverity Security Research Laboratory
> Assignee: Lukasz Lenart
> Priority: Minor
> Labels: security
> Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However, they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.