Kusal Kithul-Godage created WW-5409:
---------------------------------------

             Summary: Introduce final attribute to package elements which makes them unextendable
                 Key: WW-5409
                 URL: https://issues.apache.org/jira/browse/WW-5409
             Project: Struts 2
          Issue Type: Improvement
          Components: Core
            Reporter: Kusal Kithul-Godage
             Fix For: 6.5.0


Extending packages is a very useful capability of Struts, but it has some 
quirks that, if a developer is not aware of them, can lead to critical 
vulnerabilities.

One such misunderstood quirk is the {{default-interceptor-ref}} element.

Take the following package:
{code:xml}
<package name="package1">

  <default-interceptor-ref name="adminOnly"/>

  <action name="action1" class="Action1">
    <result name="success" />
  </action>

</package>{code}
If it is extended by another package like so:
{code:xml}
<package name="package2" extends="package1">

  <default-interceptor-ref name="authenticatedOnly"/>

  <action name="action2" class="Action2">
    <result name="success" />
  </action>

</package>{code}
The second package will inherit action1; however, it will behave very 
differently in package2, because it is no longer subject to the same 
interceptors. The {{default-interceptor-ref}} value from the first package does 
not apply to any action in the extending package, not even the actions 
inherited from the first package.

This is not immediately obvious to many developers, especially those not very 
familiar with Struts, who may simply have extended the package to obtain 
access to other elements such as results or result types.

One potential mitigation against this developer error is to allow potentially 
sensitive packages to be marked as 'final', which prevents their actions from 
being inherited by other packages.

This would look like the following:
{code:xml}
<package name="package1" final="true">

  <default-interceptor-ref name="adminOnly"/>

  <action name="action1" class="Action1">
    <result name="success" />
  </action>

</package>{code}
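As an added example (not part of this issue or of the Struts code base), a small Python audit script that parses a struts.xml and flags the two situations above: a package extending one marked with the proposed final attribute, and a package that overrides the default-interceptor-ref of a package it extends, listing the inherited actions that thereby lose the parent's interceptor stack. The sample configuration is constructed from the packages in this issue; the {{<struts>}} wrapper and the assumption that the final attribute is spelled {{final="true"}} are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml built from the two packages in this issue.
# The <struts> wrapper is assumed; final="true" follows the proposed syntax.
SAMPLE_STRUTS_XML = """
<struts>
  <package name="package1" final="true">
    <default-interceptor-ref name="adminOnly"/>
    <action name="action1" class="Action1">
      <result name="success" />
    </action>
  </package>
  <package name="package2" extends="package1">
    <default-interceptor-ref name="authenticatedOnly"/>
    <action name="action2" class="Action2">
      <result name="success" />
    </action>
  </package>
</struts>
"""


def audit_packages(xml_text):
    """Return (package, finding) tuples for risky package extension."""
    root = ET.fromstring(xml_text)
    packages = {p.get("name"): p for p in root.iter("package")}
    findings = []
    for name, pkg in packages.items():
        # Struts allows a comma-separated list of parent packages.
        for parent_name in (pkg.get("extends") or "").split(","):
            parent_name = parent_name.strip()
            parent = packages.get(parent_name)
            if parent is None:
                continue  # empty, or defined outside this file (e.g. struts-default)
            # Proposed WW-5409 attribute: a final package must not be extended.
            if parent.get("final", "false").lower() == "true":
                findings.append((name, f"extends final package {parent_name}"))
            # Overriding the parent's default-interceptor-ref changes the
            # interceptor stack applied to every action inherited from it.
            parent_ref = parent.find("default-interceptor-ref")
            child_ref = pkg.find("default-interceptor-ref")
            if (parent_ref is not None and child_ref is not None
                    and child_ref.get("name") != parent_ref.get("name")):
                inherited = [a.get("name") for a in parent.findall("action")]
                findings.append((name, f"inherited actions {inherited} lose "
                                       f"default interceptor '{parent_ref.get('name')}'"))
    return findings
```

Running the audit over a real struts.xml before deployment surfaces exactly the package1/package2 pattern described in this issue.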
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
