[
https://issues.apache.org/jira/browse/WW-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15352268#comment-15352268
]
zhouyanming edited comment on WW-4620 at 6/28/16 3:26 AM:
----------------------------------------------------------
{code:java}
/**
 * Minimal Struts 2 action used to reproduce WW-4620.
 *
 * <p>The action exposes a single {@code List<String>} property. The stack trace
 * reported with it shows ParametersInterceptor binding an indexed request
 * parameter through OGNL into XWorkListPropertyAccessor.setProperty, where
 * ArrayList.add keeps growing the backing array until the heap is exhausted.
 * Nothing in this class bounds the index; the issue lists 2.3.30 and 2.5.2 as
 * the fix versions.
 */
public class TestAction extends ActionSupport {

    // Populated through setList; the action never initialises it itself.
    private List<String> list;

    /** Returns the list exactly as it was bound (may be {@code null}). */
    public List<String> getList() {
        return this.list;
    }

    /** Replaces the bound list; no size or content validation is performed. */
    public void setList(List<String> list) {
        this.list = list;
    }

    /** Prints the bound list to standard output and reports {@code SUCCESS}. */
    public String execute() {
        System.out.println(this.list);
        return SUCCESS;
    }
}
{code}
DoS attack: http://localhost:8080/test?list[1000000000]=test
{code:java}
java.lang.OutOfMemoryError: Java heap space
at java.util.Arrays.copyOf(Arrays.java:3181) ~[?:1.8.0_92]
at java.util.ArrayList.grow(ArrayList.java:261) ~[?:1.8.0_92]
at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
~[?:1.8.0_92]
at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
~[?:1.8.0_92]
at java.util.ArrayList.add(ArrayList.java:458) ~[?:1.8.0_92]
at
com.opensymphony.xwork2.ognl.accessor.XWorkListPropertyAccessor.setProperty(XWorkListPropertyAccessor.java:168)
~[xwork-core-2.4.16.jar:?]
at ognl.OgnlRuntime.setProperty(OgnlRuntime.java:2432)
~[ognl-3.0.13.jar:?]
at ognl.ASTProperty.setValueBody(ASTProperty.java:127)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.ASTChain.setValueBody(ASTChain.java:227) ~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.Ognl.setValue(Ognl.java:737) ~[ognl-3.0.13.jar:?]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:252)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:1)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:305)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:247)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:183)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:170)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:334)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:254)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
~[struts2-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.ironrhino.core.struts.ExceptionInterceptor.intercept(ExceptionInterceptor.java:34)
~[classes/:?]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
{code}
It is created by OGNL directly, so neither CollectionConverter nor ArrayConverter can
handle this situation. The best way is to improve XWorkListPropertyAccessor:
at line 165, add a check on the variable "count".
was (Author: quaff):
{code:java}
/**
 * Minimal Struts 2 action used to reproduce WW-4620.
 *
 * <p>The action exposes a single {@code List<String>} property. The stack trace
 * reported with it shows ParametersInterceptor binding an indexed request
 * parameter through OGNL into XWorkListPropertyAccessor.setProperty, where
 * ArrayList.add keeps growing the backing array until the heap is exhausted.
 * Nothing in this class bounds the index.
 */
public class TestAction extends ActionSupport {

    // Populated through setList; the action never initialises it itself.
    private List<String> list;

    /** Returns the list exactly as it was bound (may be {@code null}). */
    public List<String> getList() {
        return this.list;
    }

    /** Replaces the bound list; no size or content validation is performed. */
    public void setList(List<String> list) {
        this.list = list;
    }

    /** Prints the bound list to standard output and reports {@code SUCCESS}. */
    public String execute() {
        System.out.println(this.list);
        return SUCCESS;
    }
}
{code}
DoS attack: http://localhost:8080/test?list[1000000000]=test
{code:java}
java.lang.OutOfMemoryError: Java heap space
at java.util.Arrays.copyOf(Arrays.java:3181) ~[?:1.8.0_92]
at java.util.ArrayList.grow(ArrayList.java:261) ~[?:1.8.0_92]
at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
~[?:1.8.0_92]
at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
~[?:1.8.0_92]
at java.util.ArrayList.add(ArrayList.java:458) ~[?:1.8.0_92]
at
com.opensymphony.xwork2.ognl.accessor.XWorkListPropertyAccessor.setProperty(XWorkListPropertyAccessor.java:168)
~[xwork-core-2.4.16.jar:?]
at ognl.OgnlRuntime.setProperty(OgnlRuntime.java:2432)
~[ognl-3.0.13.jar:?]
at ognl.ASTProperty.setValueBody(ASTProperty.java:127)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.ASTChain.setValueBody(ASTChain.java:227) ~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220)
~[ognl-3.0.13.jar:?]
at ognl.SimpleNode.setValue(SimpleNode.java:301) ~[ognl-3.0.13.jar:?]
at ognl.Ognl.setValue(Ognl.java:737) ~[ognl-3.0.13.jar:?]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:252)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil$1.execute(OgnlUtil.java:1)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:305)
~[classes/:2.3.16.3]
at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:247)
~[classes/:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:183)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:170)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:148)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:334)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:254)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:91)
~[struts2-core-2.4.16.jar:2.3.16.3]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
at
org.ironrhino.core.struts.ExceptionInterceptor.intercept(ExceptionInterceptor.java:34)
~[classes/:?]
at
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
~[xwork-core-2.4.16.jar:2.3.16.3]
{code}
It is created by OGNL directly, so neither CollectionConverter nor ArrayConverter can
handle this situation. The best way is to dive into OGNL.
> ParametersInterceptor should check collection index to against DOS
> ------------------------------------------------------------------
>
> Key: WW-4620
> URL: https://issues.apache.org/jira/browse/WW-4620
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Reporter: zhouyanming
> Priority: Critical
> Fix For: 2.3.30, 2.5.2
>
>
> https://dzone.com/articles/spring-initbinder-for-handling-large-list-of-java
> This is my workaround:
> {code:java}
> import org.apache.commons.lang3.StringUtils;
> import com.opensymphony.xwork2.interceptor.ParametersInterceptor;
> import com.opensymphony.xwork2.util.logging.Logger;
> import com.opensymphony.xwork2.util.logging.LoggerFactory;
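> /**
>  * Workaround for WW-4620: a {@link ParametersInterceptor} that refuses request
>  * parameter names carrying a numeric collection index above a configurable
>  * limit, so that binding an indexed parameter cannot force a list to grow to
>  * an arbitrary size.
>  *
>  * <p>NOTE(review): only bracket contents made up entirely of digits are compared
>  * with the limit. Any other bracket content is left to
>  * {@code super.acceptableName} - confirm that the accepted-name patterns in use
>  * reject index expressions that are not plain decimal numbers.
>  */
> public class ParamsInterceptor extends ParametersInterceptor {
>     private static final Logger LOG =
>             LoggerFactory.getLogger(ParametersInterceptor.class);
>
>     /** Highest numeric index accepted between brackets; the default is 255. */
>     protected int autoGrowCollectionLimit = 255;
>
>     /**
>      * Sets the highest collection index a parameter name may contain.
>      *
>      * @param autoGrowCollectionLimit inclusive upper bound for numeric indices
>      */
>     public void setAutoGrowCollectionLimit(int autoGrowCollectionLimit) {
>         this.autoGrowCollectionLimit = autoGrowCollectionLimit;
>     }
>
>     /**
>      * Accepts a name only when the parent interceptor accepts it and every
>      * all-digit index found between {@code [} and {@code ]} is within the limit.
>      *
>      * @param name the request parameter name to vet
>      * @return {@code false} if the parent rejects the name or an index exceeds
>      *         {@link #autoGrowCollectionLimit}; {@code true} otherwise
>      */
>     @Override
>     protected boolean acceptableName(String name) {
>         if (!super.acceptableName(name)) {
>             return false;
>         }
>         // Scan from position 0 as well, so a name that begins with '[' is
>         // checked like any other.
>         int start = name.indexOf('[');
>         while (start >= 0) {
>             int end = name.indexOf(']', start);
>             if (end < 0) {
>                 break;
>             }
>             String s = name.substring(start + 1, end);
>             if (StringUtils.isNumeric(s) && exceedsLimit(s)) {
>                 LOG.warn("Parameter \"#0\" exceed max index: [#1]", name, autoGrowCollectionLimit);
>                 return false;
>             }
>             start = name.indexOf('[', end);
>         }
>         return true;
>     }
>
>     /** Returns whether an all-digit index string is above the configured limit. */
>     private boolean exceedsLimit(String digits) {
>         try {
>             return Integer.parseInt(digits) > autoGrowCollectionLimit;
>         } catch (NumberFormatException e) {
>             // A digits-only string that does not fit in an int is necessarily
>             // above the limit; reject it instead of letting the exception
>             // escape from the interceptor.
>             return true;
>         }
>     }
> }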
> {code}