[ https://issues.apache.org/jira/browse/WW-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17271198#comment-17271198 ]

Greg Huber edited comment on WW-5115 at 1/25/21, 9:45 AM:
----------------------------------------------------------

How then does the ParametersInterceptor ExcludedPatternsChecker.IsExcluded differentiate between the logIgnoredParameters/logExcludedParameters parameters, as there is no setting other than the *new* log field?

Create an IgnoredPatternsChecker?
{code:java}
private IgnoredPatternsChecker ignoredPatterns;

// Ignored names (e.g. DMI "action:"/"method:" names) are dropped quietly: debug only,
// unless logIgnoredParameters is explicitly turned on in devMode.
protected boolean isIgnored(String paramName) {
    IgnoredPatternsChecker.IsIgnored result = ignoredPatterns.isIgnored(paramName);
    if (result.isIgnored()) {
        if (devMode && logIgnoredParameters) { // warn only when in devMode
            LOG.warn("Parameter [{}] matches ignored pattern [{}]! See Accepted / Excluded / Ignored patterns at\n" +
                    "https://struts.apache.org/security/#accepted--excluded-patterns",
                    paramName, result.getIgnoredPattern());
        } else {
            LOG.debug("Parameter [{}] matches excluded/ignored pattern [{}]!", paramName, result.getIgnoredPattern());
        }
        return true;
    }
    return false;
}

// Order matters: an ignored name is short-circuited before the excluded/accepted checks,
// so it is never reported as excluded or as failing the accepted pattern.
protected boolean acceptableName(String name) {
    boolean accepted = isWithinLengthLimit(name) && !isIgnored(name) && !isExcluded(name) && isAccepted(name);
    if (devMode && accepted) { // notify only when in devMode
        LOG.debug("Parameter [{}] was accepted and will be appended to action!", name);
    }
    return accepted;
}
{code}


was (Author: gregh99):
How then does the ParametersInterceptor ExcludedPatternsChecker.IsExcluded differentiate between the logIgnoredParameters/logExcludedParameters parameters, as there is no setting other than the *new* log field?

Create an IgnoredPatternsChecker?
{code:java}
private IgnoredPatternsChecker ignoredPatterns;
protected boolean isIgnored(String paramName) {
    IgnoredPatternsChecker.IsIgnored result = ignoredPatterns.isExcluded(paramName);
    if (result.isIgnnored()) {
        if (devMode && logIgnoredParameters) { // warn only when in devMode
            LOG.warn("Parameter [{}] matches excluded pattern [{}]! See Accepted / Excluded / Ignored patterns at\n" +
                    "https://struts.apache.org/security/#accepted--excluded-patterns",
                    paramName, result.getIgnoredPattern());
        } else {
            LOG.debug("Parameter [{}] matches excluded/ignored pattern [{}]!", paramName, result.getIgnoredPattern());
        }
        return true;
    }
    return false;
}
protected boolean acceptableName(String name) {
    boolean accepted = isWithinLengthLimit(name) && !isIgnored(name) && !isExcluded(name) && isAccepted(name);
    if (devMode && accepted) { // notify only when in devMode
        LOG.debug("Parameter [{}] was accepted and will be appended to action!", name);
    }
    return accepted;
}
{code}

> Reduce logging for DMI excluded parameters 
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Assignee: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There are unnecessary log warnings when DMI is enabled, from the ParametersInterceptor:
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]! See Accepted / Excluded patterns at https://struts.apache.org/security/#accepted--excluded-patterns
> e.g. the property 'action:myAction!save' should not be considered as a bean/property parameter, as it's used as part of DMI to submit the form.
> Any property which matches the DMI method invocation "^(action|method):.*" needs to be silently ignored and not logged in devMode=true.
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from DefaultAcceptedPatternsChecker as the DMI action|method would never be a form property.
> {code:java}
> public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>     "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
> };
> {code}
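The following is an added, self-contained example (not Struts' own code, and not the code from the comment above) that models the length / ignored / excluded / accepted decision chain the comment sketches, together with the DMI pattern "^(action|method):.*" from the issue description, so the logging difference between an ignored DMI name and a genuinely excluded or rejected name can be seen on sample input. The class and method names, the length limit of 100, the excluded pattern `^(struts|session|request)\..*` and the sample parameter names are all constructed for the example; only the accepted pattern is the one quoted in the issue's log line.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Struts' own code: a minimal model of the
// length -> ignored -> excluded -> accepted chain from the comment,
// with the DMI ignore pattern from the issue description.
public class ParamNameFilterExample {

    // Outcome for one parameter name, plus the pattern that decided it (null if none).
    public enum Verdict { ACCEPTED, IGNORED, EXCLUDED, REJECTED }

    public static final class Decision {
        public final Verdict verdict;
        public final String pattern;
        Decision(Verdict verdict, String pattern) { this.verdict = verdict; this.pattern = pattern; }
        @Override public String toString() {
            return verdict + (pattern == null ? "" : " [" + pattern + "]");
        }
    }

    // From the issue description: DMI method-invocation names are not bean properties.
    static final List<Pattern> IGNORED = List.of(Pattern.compile("^(action|method):.*"));

    // Constructed stand-in for an excluded pattern (NOT Struts' real default list).
    static final List<Pattern> EXCLUDED = List.of(Pattern.compile("^(struts|session|request)\\..*"));

    // The accepted pattern quoted in the issue's WARN log line.
    static final List<Pattern> ACCEPTED = List.of(Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"));

    static final int MAX_LENGTH = 100;   // assumed limit for the example
    static final boolean DEV_MODE = true; // assumed: devMode=true, as in the issue

    static Pattern firstMatch(List<Pattern> patterns, String name) {
        for (Pattern p : patterns) {
            if (p.matcher(name).matches()) return p;
        }
        return null;
    }

    // Order mirrors the comment's acceptableName(): length, ignored, excluded, accepted.
    // An ignored name is short-circuited before the excluded/accepted checks, so it is
    // never reported as "didn't match accepted pattern".
    public static Decision decide(String name) {
        if (name.length() > MAX_LENGTH) {
            return new Decision(Verdict.REJECTED, null);
        }
        Pattern ign = firstMatch(IGNORED, name);
        if (ign != null) {
            // Ignored names are dropped quietly: debug level only, no devMode warning.
            log("DEBUG", "Parameter [" + name + "] matches ignored pattern [" + ign + "]");
            return new Decision(Verdict.IGNORED, ign.pattern());
        }
        Pattern exc = firstMatch(EXCLUDED, name);
        if (exc != null) {
            if (DEV_MODE) log("WARN", "Parameter [" + name + "] matches excluded pattern [" + exc + "]!");
            return new Decision(Verdict.EXCLUDED, exc.pattern());
        }
        Pattern acc = firstMatch(ACCEPTED, name);
        if (acc == null) {
            if (DEV_MODE) log("WARN", "Parameter [" + name + "] didn't match accepted pattern!");
            return new Decision(Verdict.REJECTED, null);
        }
        return new Decision(Verdict.ACCEPTED, acc.pattern());
    }

    static void log(String level, String msg) {
        System.out.println(level + "  " + msg);
    }

    public static void main(String[] args) {
        // Constructed sample parameter names covering each branch.
        String[] samples = {
            "action:myAction!save", // DMI name: ignored quietly (DEBUG only)
            "user.name",            // ordinary bean property: accepted
            "session.userId",       // matches the constructed excluded pattern: WARN in devMode
            "bad name"              // fails the accepted pattern: WARN in devMode
        };
        for (String n : samples) {
            System.out.println(n + " -> " + decide(n));
        }
    }
}
```

Running the example prints one DEBUG line for the DMI name and WARN lines only for the excluded and rejected names, which is the behaviour the issue asks for: the DMI "action:"/"method:" name never reaches the accepted-pattern check, so the noisy warning from the issue's log excerpt is not emitted for it.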

--
This message was sent by Atlassian Jira
(v8.3.4#803005)