[ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16499184#comment-16499184 ]
Stefaan Dutry commented on WW-4939:
-----------------------------------

{quote}Just one thing, my example generates random strings without dashes, does {{java.util.UUID.randomUUID()}} do the same?{quote}

No, it follows {{RFC-4122}} and therefore always has 4 dashes in it.

{quote}Basically I would hide implementation behind a static method, something like public static String StrutsConstants#generateUUID() to easily switch to different logic if needed.{quote}

If switching the implementation needs to be easily possible for security issues, would it be an option to provide the implementation class as a constant definition in the struts config, so that, if there is a security risk with the given implementation, people can just add a new class and change the constant value, instead of having to upgrade the struts version entirely?

{quote}I think to make debugging Struts itself easier, we can add that random as a post-fix to the current constants, which helps the debugger when watching the variable about its meaning:{quote}

If my previous statement would be an option, this could also solve the debugging issues by possibly adding a debugging-oriented implementation.

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e.
> {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime
> to avoid using literals directly in exploits. Users can still use the
> constants in their code but not in dynamic expressions.
> {code:java}
> import java.math.BigInteger;
> import java.security.SecureRandom;
>
> // Cryptographically strong source for the generated constants.
> private static final SecureRandom RANDOM = new SecureRandom();
>
> public static final String AUTH_TOKEN = generateUUID();
>
> public static String generateUUID() {
>     // 165 random bits rendered in base 36 (digits and upper-case letters), no dashes.
>     return new BigInteger(165, RANDOM).toString(36).toUpperCase();
> }
> {code}
> This will probably break backward compatibility but using string literals
> instead of the constants by the users is a bad practice anyway.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
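The following is an added, self-contained illustration of the design discussed in this thread; it is not Struts code and not the reporter's or commenter's own. It puts the three ideas side by side: the base-36 generator from the issue description, the RFC 4122 UUID alternative (which always carries four dashes), and a debugging-oriented wrapper that keeps the readable literal and appends the random suffix. The generator sits behind one static method, and the implementation class is chosen from a configuration property, as the comment suggests. The interface name, the class names and the property name {{struts.constantGenerator.class}} are assumptions made for this example.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.UUID;

/**
 * Added example (not part of Struts): runtime-generated constants behind a
 * pluggable generator. All names in this class are assumptions for the demo.
 */
public final class RuntimeConstantsDemo {

    /** Strategy interface so a different generator can be swapped in (assumed name). */
    public interface ConstantGenerator {
        String generate(String readableName);
    }

    private static final SecureRandom RANDOM = new SecureRandom();

    /** The generator proposed in the issue: 165 random bits, base 36, upper case, no dashes. */
    public static final class Base36Generator implements ConstantGenerator {
        @Override
        public String generate(String readableName) {
            return new BigInteger(165, RANDOM).toString(36).toUpperCase();
        }
    }

    /** RFC 4122 version-4 UUID from java.util.UUID; always contains four dashes. */
    public static final class UuidGenerator implements ConstantGenerator {
        @Override
        public String generate(String readableName) {
            return UUID.randomUUID().toString();
        }
    }

    /** Debugging-oriented variant: keeps the readable literal and appends the random value. */
    public static final class DebugSuffixGenerator implements ConstantGenerator {
        private final ConstantGenerator delegate;

        public DebugSuffixGenerator(ConstantGenerator delegate) {
            this.delegate = delegate;
        }

        @Override
        public String generate(String readableName) {
            return readableName + "_" + delegate.generate(readableName);
        }
    }

    /** Hypothetical config key naming the implementation class (assumed for this example). */
    public static final String GENERATOR_PROPERTY = "struts.constantGenerator.class";

    private static final ConstantGenerator GENERATOR = loadGenerator();

    /** Reads the configured class name; falls back to the secure default when unset. */
    private static ConstantGenerator loadGenerator() {
        String className = System.getProperty(GENERATOR_PROPERTY);
        if (className == null) {
            return new Base36Generator();
        }
        try {
            return (ConstantGenerator) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            throw new IllegalStateException("Cannot load constant generator " + className, e);
        }
    }

    /** Single entry point the constants call, so the implementation changes in one place. */
    public static String generateConstant(String readableName) {
        return GENERATOR.generate(readableName);
    }

    // Runtime-generated replacements for the formerly literal constants.
    public static final String ACTION_MAPPING = generateConstant("struts.actionMapping");
    public static final String AUTH_TOKEN = generateConstant("struts.authToken");

    public static void main(String[] args) {
        System.out.println("ACTION_MAPPING = " + ACTION_MAPPING);
        System.out.println("AUTH_TOKEN     = " + AUTH_TOKEN);

        String uuid = new UuidGenerator().generate("struts.actionMapping");
        long dashes = uuid.chars().filter(c -> c == '-').count();
        System.out.println("UUID " + uuid + " contains " + dashes + " dashes");

        ConstantGenerator debug = new DebugSuffixGenerator(new Base36Generator());
        System.out.println("debug form: " + debug.generate("struts.actionMapping"));
    }
}
```

Two points worth knowing when running it: {{BigInteger.toString(36)}} does not pad, so the base-36 form is up to 32 characters long and occasionally shorter, while the UUID form is always 36 characters with dashes at fixed positions. The class named by the property is instantiated by reflection, so that property must come from trusted deployment configuration, not from anything a request can influence; with the property unset the secure default is used.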