[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=913815&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913815 ]
ASF GitHub Bot logged work on WW-5407:
--------------------------------------
Author: ASF GitHub Bot
Created on: 10/Apr/24 05:02
Start Date: 10/Apr/24 05:02
Worklog Time Spent: 10m
Work Description:
jefferyxhy commented on code in PR #911:
URL: https://github.com/apache/struts/pull/911#discussion_r1558846553

##########
core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java:
##########
@@ -96,12 +105,41 @@ public static boolean isProxyMember(Member member, Object object) { return flag; } - boolean isProxyMember = isSpringProxyMember(member); + boolean isProxyMember = isSpringProxyMember(member) || isHibernateProxyMember(member); isProxyMemberCache.put(member, isProxyMember); return isProxyMember; } + /** + * Check whether the given object is a Hibernate proxy. + * + * @param object the object to check + */ + public static boolean isHibernateProxy(Object object) { + try { + return HibernateProxy.class.isAssignableFrom(object.getClass()); + } catch (NoClassDefFoundError ignored) { + return false; + } + } + + /** + * Check whether the given member is a member of a Hibernate proxy. + * + * @param member the member to check + */ + public static boolean isHibernateProxyMember(Member member) { + try { + Class<?> clazz = ClassLoaderUtil.loadClass(HIBERNATE_HIBERNATEPROXY_CLASS_NAME, ProxyUtil.class); + if (hasMember(clazz, member)) + return true; Review Comment: @lukaszlenart updated. Thanks Issue Time Tracking ------------------- Worklog Id: (was: 913815) Time Spent: 1h 40m (was: 1.5h) > Extend SecurityMemberAccess proxy detection to Hibernate proxies > ---------------------------------------------------------------- > > Key: WW-5407 > URL: https://issues.apache.org/jira/browse/WW-5407 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Kusal Kithul-Godage > Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1h 40m > Remaining Estimate: 0h > > The current option {{struts.disallowProxyMemberAccess}} does not have any > logic to detect Hibernate proxies which may also present a security risk. > Additionally, the current option only forbids access to members which > originate from a proxy. However, it makes more sense to forbid access to > proxy objects entirely. This is because proxying is often used for sensitive > instances, application beans or Hibernate objects. None of which is safe to > be accessed or manipulated via OGNL. 
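Review bot: In the new `isHibernateProxy`, catching `NoClassDefFoundError` around `HibernateProxy.class.isAssignableFrom(object.getClass())` depends on the linkage error being raised at exactly that point, and on a deployment without Hibernate the error is thrown and swallowed on every call; the sibling `isHibernateProxyMember` already resolves the class by name via `ClassLoaderUtil.loadClass(HIBERNATE_HIBERNATEPROXY_CLASS_NAME, ProxyUtil.class)`, so consider the same lookup here followed by `clazz.isInstance(object)`, which also avoids the NullPointerException that `object.getClass()` throws for a null argument. Both new Javadoc blocks declare `@param` but omit `@return`.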
> Thus, let's introduce an additional option {{struts.disallowProxyObjectAccess}} which will offer stronger protection.
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, this can potentially be attacked and lead to a memory leak or DoS. Let's replace it with a Caffeine cache as we have done previously for the OGNL expression cache.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)