[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914061&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914061 ]
ASF GitHub Bot logged work on WW-5409:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Apr/24 02:47
            Start Date: 11/Apr/24 02:47
    Worklog Time Spent: 10m
      Work Description:
    jefferyxhy opened a new pull request, #914:
    URL: https://github.com/apache/struts/pull/914

       WW-5409

       **Reason**

       Extending packages is a very useful capability of Struts but there are some quirks, that if a developer is not aware of, can lead to critical vulnerabilities. One such misunderstood quirk is the default-interceptor-ref element, e.g. a parent package adds a permission interceptor for its action (say **Action A**), while a child package that extends the parent package will inherit its actions but not the interceptor. So if the developer is not aware of this, then Action A is now exposed with a permission vuln through the child package's namespace.

       **Changes/ Solution**

       Introduce a new `final` attribute on the `package` element which will make it unextendable.

       **Result & Impact**

       * By default, the package `final` attribute is implied as `false`, so no difference.
       * Setting the package `final` attribute explicitly to `true` will make this package unextendable, so any extends to this package will cause a ConfigurationException to be thrown during the application's struts config xml load step.

Issue Time Tracking
-------------------

            Worklog Id:     (was: 914061)
    Remaining Estimate: 0h
            Time Spent: 10m

> Introduce final attribute to package elements which makes them unextendable
> ---------------------------------------------------------------------------
>
>                 Key: WW-5409
>                 URL: https://issues.apache.org/jira/browse/WW-5409
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts but there are some
> quirks, that if a developer is not aware of, can lead to critical
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> <package name="package1">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>
> {code}
> If it is extended by another package like so:
> {code:xml}
> <package name="package2" extends="package1">
>     <default-interceptor-ref name="authenticatedOnly"/>
>     <action name="action2" class="Action2">
>         <result name="success" />
>     </action>
> </package>
> {code}
> The second package will inherit Action1, however it will behave very
> differently in Package2, because it is no longer subject to the same
> interceptors. The {{default-interceptor-ref}} value from the first package
> does not apply to any action in the extending package, not even the ones
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very
> familiar with Struts. They could simply have extended the package to obtain
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially
> sensitive packages as 'final' to prevent certain Actions from being inherited
> by other packages.
> This would look like the following:
> {code:xml}
> <package name="package1" final="true">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>
> {code}
>
> --
> This message was sent by Atlassian Jira
> (v8.20.10#820010)
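Added here as an illustration (not Struts code and not part of the ticket or the pull request): a small Python audit over a struts.xml-style document that flags the two situations the ticket describes, a package extending one marked `final="true"`, and an inherited action that ends up behind a different `default-interceptor-ref` than its declaring package intended. The XML fragment and the package names `adminPkg` and `package3` are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment (hypothetical, not the ticket's config verbatim):
# package2 extends package1 and swaps the default interceptor, so the inherited
# action1 is no longer behind adminOnly; package3 extends a package marked final.
SAMPLE_XML = """
<struts>
  <package name="package1">
    <default-interceptor-ref name="adminOnly"/>
    <action name="action1" class="Action1"><result name="success"/></action>
  </package>
  <package name="package2" extends="package1">
    <default-interceptor-ref name="authenticatedOnly"/>
    <action name="action2" class="Action2"><result name="success"/></action>
  </package>
  <package name="adminPkg" final="true">
    <default-interceptor-ref name="adminOnly"/>
  </package>
  <package name="package3" extends="adminPkg">
  </package>
</struts>
"""


def audit_packages(xml_text):
    """Return (package, finding) pairs for risky package extension, in document order."""
    root = ET.fromstring(xml_text)
    packages = {p.get("name"): p for p in root.iter("package")}
    findings = []
    for name, pkg in packages.items():
        # 'extends' may name several parents separated by commas
        parents = [s.strip() for s in (pkg.get("extends") or "").split(",") if s.strip()]
        for parent_name in parents:
            parent = packages.get(parent_name)
            if parent is None:  # declared in another file; cannot judge here
                continue
            # 1. what the proposed final="true" attribute would reject at config load
            if (parent.get("final") or "").lower() == "true":
                findings.append((name, f"extends final package {parent_name}"))
            # 2. the ticket's quirk: a different default-interceptor-ref in the child means
            #    inherited actions without their own interceptor-ref run under the child's stack
            p_ref = parent.find("default-interceptor-ref")
            c_ref = pkg.find("default-interceptor-ref")
            if p_ref is None or c_ref is None or c_ref.get("name") == p_ref.get("name"):
                continue
            for action in parent.findall("action"):
                if action.find("interceptor-ref") is None:
                    findings.append((name, f"inherited action {action.get('name')} "
                                     f"loses {p_ref.get('name')} (now {c_ref.get('name')})"))
    return findings
```

Running `audit_packages(SAMPLE_XML)` reports action1 losing adminOnly under package2 and package3 extending the final adminPkg; a child that re-declares the same default-interceptor-ref as its parent produces no finding.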