[ https://issues.apache.org/jira/browse/WW-5115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17334590#comment-17334590 ]
Greg Huber edited comment on WW-5115 at 4/28/21, 8:55 AM:
----------------------------------------------------------

action:myEdit!save will never match the pattern, so it logs it regardless.

In DefaultExcludedPatternsChecker:

    @Inject(StrutsConstants.STRUTS_ENABLE_DYNAMIC_METHOD_INVOCATION)
    protected void setDynamicMethodInvocation(String dmiValue) {
        if (!BooleanUtils.toBoolean(dmiValue)) {
            LOG.debug("DMI is disabled, adding DMI related excluded patterns");
            setAdditionalExcludePatterns("^(action|method):.*");
        }
    }

It sets the additional excluded pattern for no DMI, i.e. to ignore "^(action|method):.*". When DMI is on it does not add the pattern, so it starts logging it. To stop this we need to add the ignored pattern.

The PR #469 was to modify the DefaultExcludedPatternsChecker interceptor (to reduce the duplication of logic) but there was no way of telling downstream classes what to do, so a log flag was added to the ExcludedPatternsChecker inner class IsExcluded as a way of conveying what we want to do downstream.

    if (ignoredPatterns != null) {
        for (Pattern ignoredPattern : ignoredPatterns) {
            if (ignoredPattern.matcher(value).matches()) {
                LOG.trace("[{}] matches ignored pattern [{}]", value, ignoredPattern);
                return IsExcluded.yes(ignoredPattern, false); // no dev warnings
            }
        }
    }

The ParametersInterceptor was then modified to check whether to log, result.isLog()

    if (devMode && result.isLog()) { // warn only when in devMode and required.

But this was not the preferred way, so the ParametersInterceptor was modified directly, duplicating the checks.

> Reduce logging for DMI excluded parameters
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27, 2.6
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> There are unnecessary log warnings when DMI is enabled, from the ParametersInterceptor.
>
> WARN com.opensymphony.xwork2.interceptor.ParametersInterceptor ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't match accepted pattern [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]! See Accepted / Excluded patterns at https://struts.apache.org/security/#accepted--excluded-patterns
>
> e.g. the property 'action:myAction!save' should not be considered as a bean/property parameter, as it's used as part of DMI to submit the form.
>
> Any property which matches the DMI method invocation "^(action|method):.*" needs to be silently ignored and not logged in devMode=true.
>
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from DefaultAcceptedPatternsChecker as the DMI action|method would never be a form property.
>
>     public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>         "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
>     };
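The name check discussed in this thread, as an added Java example that is not Struts source and not part of the original message. It is a simplified model using the two patterns quoted above; the class, enum and method names are hypothetical, and it assumes a single accepted pattern and no length limit.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Struts source. Class, enum and method names are hypothetical.
public class DmiParamLoggingDemo {

    // Accepted pattern as printed in the WARN message quoted in the issue.
    static final Pattern ACCEPTED = Pattern.compile(
        "\\w+((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])"
        + "|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*");

    // DMI pattern from the comment: "^(action|method):.*"
    static final Pattern DMI = Pattern.compile("^(action|method):.*");

    enum Verdict { BIND, DROP_SILENT, DROP_WARN }

    /**
     * Simplified model of the parameter name check (an assumption, see lead-in).
     * dmiIgnored=false models the reported case (DMI on, DMI pattern not registered);
     * dmiIgnored=true models the behaviour requested in the issue.
     */
    static Verdict classify(String name, boolean devMode, boolean dmiIgnored) {
        if (dmiIgnored && DMI.matcher(name).matches()) {
            return Verdict.DROP_SILENT;   // never a bean property, nothing to warn about
        }
        if (ACCEPTED.matcher(name).matches()) {
            return Verdict.BIND;          // name may be set on the action
        }
        // Rejected in both modes; only the logging differs.
        return devMode ? Verdict.DROP_WARN : Verdict.DROP_SILENT;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names.
        List<String> names = List.of(
            "action:myAction!save", "method:save", "user.name", "items[0].id", "user-name");
        for (String n : names) {
            System.out.printf("%-22s reported=%-11s requested=%s%n", n,
                classify(n, true, false), classify(n, true, true));
        }
    }
}
```

In both modes the DMI-prefixed names are dropped rather than bound, so silencing the warning does not widen what the accepted pattern lets through; a name such as `user-name` that fails the accepted pattern for any other reason still produces the devMode warning.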