[ https://issues.apache.org/jira/browse/WW-5352?focusedWorklogId=897838&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-897838 ]
ASF GitHub Bot logged work on WW-5352:
--------------------------------------
Author: ASF GitHub Bot
Created on: 03/Jan/24 11:25
Start Date: 03/Jan/24 11:25
Worklog Time Spent: 10m
Work Description: kusalk opened a new pull request, #832:
URL: https://github.com/apache/struts/pull/832
WW-5352
--
WIP!
--
The final piece of the Struts 6.4 security overhaul. When this capability is
enabled alongside the OGNL allowlist, security is greatly heightened with no
additional complex configuration.
The only code change required by applications is to annotate all Action
class parameters with this new annotation. This can be scripted for large
codebases by scanning for public members on classes which implement the Action
interface.
In addition to assisting OGNL allowlist configuration, the primary benefit
of this new annotation is that it prevents inexperienced Struts developers from
inadvertently introducing parameter injection points as they often do not
realise any public members on an Action class are parameter injectable.
Issue Time Tracking
-------------------
Worklog Id: (was: 897838)
Time Spent: 2.5h (was: 2h 20m)
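The pull request description says the rollout of the annotation can be scripted by scanning Action classes for public members. The following audit script is an added example, not code from the pull request or the Struts project: it heuristically lists public fields and public setters that lack `@StrutsParameter` in a constructed sample Action, which is exactly the set of members `struts.parameters.requireAnnotations` would stop treating as injectable; the sample class, its member names and the regex heuristics are assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample Action source for the demo (not code from the Struts project).
SAMPLE_SOURCE = """\
import com.opensymphony.xwork2.ActionSupport;
public class OrderAction extends ActionSupport {
    public String orderId;
    private String note;
    @StrutsParameter
    public void setNote(String note) { this.note = note; }
    public void setInternalFlag(boolean flag) { }
    public String getNote() { return note; }
    @Override
    public String execute() { return SUCCESS; }
}
"""

# Heuristic: an Action class implements Action or extends ActionSupport.
ACTION_CLASS_RE = re.compile(
    r"\bclass\s+\w+[^{]*\b(?:implements\s[^{]*\bAction\b|extends\s+ActionSupport\b)")
# Public field/method declaration, optionally preceded by same-line annotations;
# nested types and static members are skipped.
PUBLIC_DECL_RE = re.compile(
    r"^\s*(?:@\w+(?:\([^)]*\))?\s*)*public\s+(?!class\b|static\b|interface\b|enum\b)"
    r"(?:[\w<>\[\],.?]+\s+)+(?P<name>\w+)\s*(?P<paren>\()?")

def unannotated_public_members(java_source: str) -> List[Tuple[int, str]]:
    """(line number, member name) of public fields and public setters in an Action
    class that carry no @StrutsParameter, i.e. members requireAnnotations would block."""
    if not ACTION_CLASS_RE.search(java_source):
        return []
    findings: List[Tuple[int, str]] = []
    annotated = False  # True while a @StrutsParameter line awaits its member
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        if "@StrutsParameter" in stripped:
            annotated = True
        m = PUBLIC_DECL_RE.match(line)
        if m:
            name, is_method = m.group("name"), m.group("paren") is not None
            # Public fields and setXxx methods are the parameter-injectable members.
            if (not is_method or name.startswith("set")) and not annotated:
                findings.append((lineno, name))
            annotated = False
        elif not stripped.startswith("@"):
            annotated = False  # any other statement ends the annotation's reach
    return findings
```

Run over the sample it reports the public field `orderId` and the setter `setInternalFlag`; getters and `execute()` are not flagged because they are not parameter-injectable.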
> Implement annotation mechanism for injectable fields via parameters
> -------------------------------------------------------------------
>
> Key: WW-5352
> URL: https://issues.apache.org/jira/browse/WW-5352
> Project: Struts 2
> Issue Type: Improvement
> Components: Core, Core Interceptors
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> struts.parameters.requireAnnotations
>
> Require an explicit annotation '@StrutsParameter' on one of:
> Getter/Setter/Field/ReturnType for injecting parameters.
>
> This mechanism is intended to be a more usable replacement for
> 'ParameterNameAware'
--
This message was sent by Atlassian Jira
(v8.20.10#820010)