[ 
https://issues.apache.org/jira/browse/WW-5340?focusedWorklogId=883577&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-883577
 ]

ASF GitHub Bot logged work on WW-5340:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 05/Oct/23 17:23
            Start Date: 05/Oct/23 17:23
    Worklog Time Spent: 10m 
      Work Description: kusalk commented on code in PR #760:
URL: https://github.com/apache/struts/pull/760#discussion_r1347756216


##########
core/src/main/java/org/apache/struts2/ognl/StrutsOgnlGuard.java:
##########
@@ -71,28 +71,38 @@ public boolean isRawExpressionBlocked(String expr) {
 
     @Override
     public boolean isParsedTreeBlocked(Object tree) {
-        return containsExcludedNodeType(tree);
+        if (!(tree instanceof Node) || skipTreeCheck((Node) tree)) {
+            return false;
+        }
+        return recurseNodes((Node) tree);
     }
 
-    protected boolean containsExcludedNodeType(Object tree) {
-        if (!(tree instanceof Node) || excludedNodeTypes.isEmpty()) {
-            return false;
+    protected boolean skipTreeCheck(Node tree) {
+        return excludedNodeTypes.isEmpty();
+    }
+
+    protected boolean recurseNodes(Node node) {
+        if (checkNode(node)) {
+            return true;
+        }
+        for (int i = 0; i < node.jjtGetNumChildren(); i++) {
+            if (recurseNodes(node.jjtGetChild(i))) {
+                return true;
+            }
         }
-        return recurseExcludedNodeType((Node) tree);
+        return false;
+    }
+
+    protected boolean checkNode(Node node) {
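Review bot: the early return in `isParsedTreeBlocked` makes `skipTreeCheck` a gate for every subclass check, and the base `skipTreeCheck` returns `excludedNodeTypes.isEmpty()`, so a subclass that overrides only `checkNode` to add a rule not driven by `excludedNodeTypes` will have that rule silently bypassed whenever the configured exclusion list is empty, unless it also remembers to override `skipTreeCheck`. Consider either keeping the empty-list shortcut inside `checkNode` (where the exclusion-list lookup lives) or documenting in Javadoc on `skipTreeCheck`, `recurseNodes` and `checkNode` that these are the intended extension points and that overriding `checkNode` may require overriding `skipTreeCheck` too; none of the three new protected methods carries a doc comment in this hunk. Minor: `tree` is cast to `Node` twice in `isParsedTreeBlocked` (`skipTreeCheck((Node) tree)` and `recurseNodes((Node) tree)`); binding it once keeps the method easier to read.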

Review Comment:
   I separated the recursion logic from the node checking logic so that 
subclasses don't need to unnecessarily duplicate that code when overriding.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 883577)
    Time Spent: 4.5h  (was: 4h 20m)

> Introduce optional AST node exclusion list
> ------------------------------------------
>
>                 Key: WW-5340
>                 URL: https://issues.apache.org/jira/browse/WW-5340
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.4.0
>
>          Time Spent: 4.5h
>  Remaining Estimate: 0h
>
> Enhance security by implementing an optional exclusion list (in struts.xml) 
> where applications can specify AST nodes that are not required in their 
> applications or are known to carry higher security risk.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)