[
https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=913557&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913557
]
ASF GitHub Bot logged work on WW-5407:
--------------------------------------
Author: ASF GitHub Bot
Created on: 09/Apr/24 04:41
Start Date: 09/Apr/24 04:41
Worklog Time Spent: 10m
Work Description: jefferyxhy opened a new pull request, #911:
URL: https://github.com/apache/struts/pull/911
WW-5407
**Reason**
Currently `SecurityMemberAccess#isAccessible` return true for a method of a
proxy object, which expose the beans at risk of been changed. We need to have
the ability to detect proxy object and reject the access if required.
**Changes/ Solution**
currently in `isAccessible -> checkProxyMemberAccess` , it use
`disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)` which
is not enough, as `isProxyMember` only matches the member **directly** from
proxy class, and does not match those ones **original** from the target class.
So we update the `isAccessible`:
* add one extra checking `checkProxyAccess` before `checkProxyMemberAccess`
which is controlled by:
* `struts.disallowProxyObjectAccess` : an new struts constant to enable
or disable this checking (default as `false`)
* if disallow, then we do the proxy checking against the target object.
**Result & Impact**
* By default `struts.disallowProxyObjectAccess` as `default`, no difference.
* Set `struts.disallowProxyObjectAccess` as `true`, access to any member of
a proxy object will be rejected, including both proxy member and original
member of class. Which means whenever chained parameter `a.b.c.d.x` has one
part that is a proxy, we reject the set to the last `x`
Issue Time Tracking
-------------------
Worklog Id: (was: 913557)
Remaining Estimate: 0h
Time Spent: 10m
> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> ----------------------------------------------------------------
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any
> logic to detect Hibernate proxies which may also present a security risk.
> Additionally, the current option only forbids access to members which
> originate from a proxy. However, it makes more sense to forbid access to
> proxy objects entirely. This is because proxying is often used for sensitive
> instances, application beans or Hibernate objects. None of which is safe to
> be accessed or manipulated via OGNL. Thus, let's introduce an additional
> option {{struts.disallowProxyObjectAccess}} which will offer stronger
> protection.
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map,
> this can potentially be attacked and lead to a memory leak or DoS. Let's
> replace it with a Caffeine cache as we have done previously for the OGNL
> expression cache.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
