[ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731861#comment-13731861 ]
Rene Gielen commented on WW-4171:
---------------------------------

[~lukaszlenart] How would you track whether a value was sanitized beforehand? Since we encourage use of simple Java types, it might be hard to add metadata to a property stating whether sanitizing is required or has already been done. IMO ParametersInterceptor's responsibility is to prevent evaluation of expressions while setting parameter properties. But in the end, the now-filled property may contain an expression which was not evaluated yet, but might get evaluated by some API calls in the Action code (see getText(username)). What is the best way to prevent users from shooting themselves in the foot without losing flexibility?

Going one step further, how about this:

{code:java}
public enum SanitizingStrategy {
    WARN,     // log the finding, keep the value
    CLEANUP,  // strip the offending parts, keep the rest
    REJECT    // refuse the value altogether
}

// Referenced by @Sanitized below; only the member used there is listed.
public enum SanitizingOptions {
    DETECT_EL // look for expression-language syntax in the value
}
{code}

{code:java}
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Documented
@Retention(RetentionPolicy.RUNTIME) // the interceptor reads this via reflection at request time
@Target(ElementType.FIELD)
public @interface Sanitized {
    SanitizingStrategy value() default SanitizingStrategy.CLEANUP;
    SanitizingOptions[] options() default {SanitizingOptions.DETECT_EL};
}
{code}

{code:java}
public class HelloWorld extends ExampleSupport {

    public String execute() throws Exception {
        // 'message' has already been cleaned by the SanitizingInterceptor
        setMessage(getText(message));
        // 'manuallySanitizedMessage' is cleaned explicitly via the Sanitizer-API
        setOtherMessage(getText(sanitize(manuallySanitizedMessage)));
        return SUCCESS;
    }

    @Sanitized
    private String message;

    private String manuallySanitizedMessage;

    //...
}
{code}

whereby a SanitizingInterceptor would be in the stack to apply sanitizing based on the given @Sanitized annotations, using the Sanitizer-API described in my earlier comment?

> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However, they are
> not documented as evaluating OGNL. We have observed this occurring in one
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as
> evaluating OGNL since this may come as a surprise to some developers.
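The following is an added, self-contained example and is not code from the Struts 2 project or from the comment above. It shows what a DETECT_EL check behind the proposed SanitizingStrategy enum could do to a request parameter before the action passes it to getText(). The expression delimiters it looks for (`${` and `%{`, with brace nesting, an unterminated opener running to the end of the value), the ElSanitizerDemo class and its method names are assumptions made for the illustration; the WARN/CLEANUP/REJECT semantics follow the enum comments in the comment above.

```java
// Added example, not Struts/XWork code. Assumption: expression syntax is
// "${...}" or "%{...}" with nested braces; the class and method names are
// illustrative only.
import java.util.ArrayList;
import java.util.List;

public class ElSanitizerDemo {

    public enum SanitizingStrategy { WARN, CLEANUP, REJECT }

    /** Raised by the REJECT strategy when expression syntax is present. */
    public static class SanitizingException extends RuntimeException {
        public SanitizingException(String msg) { super(msg); }
    }

    /**
     * Returns [start, end) spans of ${...} and %{...} in value. Braces nest;
     * an opener with no matching '}' is treated as running to the end.
     */
    static List<int[]> findExpressionSpans(String value) {
        List<int[]> spans = new ArrayList<>();
        int i = 0;
        while (i < value.length() - 1) {
            char c = value.charAt(i);
            if ((c == '$' || c == '%') && value.charAt(i + 1) == '{') {
                int depth = 0;
                int j = i + 1;
                for (; j < value.length(); j++) {
                    char d = value.charAt(j);
                    if (d == '{') {
                        depth++;
                    } else if (d == '}' && --depth == 0) {
                        j++; // include the closing brace in the span
                        break;
                    }
                }
                spans.add(new int[] { i, j });
                i = j;
            } else {
                i++;
            }
        }
        return spans;
    }

    public static boolean containsExpression(String value) {
        return value != null && !findExpressionSpans(value).isEmpty();
    }

    /** Applies the strategy and returns the value the action property should hold. */
    public static String sanitize(String value, SanitizingStrategy strategy) {
        if (value == null) return null;
        List<int[]> spans = findExpressionSpans(value);
        if (spans.isEmpty()) return value;
        switch (strategy) {
            case REJECT:
                throw new SanitizingException("expression syntax in parameter value: " + value);
            case WARN:
                System.err.println("WARN: parameter value contains expression syntax: " + value);
                return value;
            case CLEANUP:
            default: {
                // Copy everything that lies between the detected spans.
                StringBuilder sb = new StringBuilder();
                int last = 0;
                for (int[] s : spans) {
                    sb.append(value, last, s[0]);
                    last = s[1];
                }
                sb.append(value.substring(last));
                return sb.toString();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample parameter values; only the first one is harmless.
        String[] samples = {
            "alice",
            "${1+1}",
            "%{1+1} and ${ nested { braces } } and trailing %{open"
        };
        for (String s : samples) {
            System.out.println("value   : " + s);
            System.out.println("hasEL   : " + containsExpression(s));
            System.out.println("cleanup : " + sanitize(s, SanitizingStrategy.CLEANUP));
        }
        try {
            sanitize(samples[1], SanitizingStrategy.REJECT);
        } catch (SanitizingException e) {
            System.out.println("reject  : " + e.getMessage());
        }
    }
}
```

The check is deliberately conservative: any `${` or `%{` counts, whether or not a closing brace follows. Independently of sanitizing, the issue text states that it is the first parameter of getText that gets evaluated, so an action that needs user input in a message should pass a literal message key as the first parameter and hand the user-supplied value in through the args parameter rather than building the key from it.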