[ https://issues.apache.org/jira/browse/WW-5409?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kusal Kithul-Godage resolved WW-5409.
-------------------------------------
    Resolution: Fixed

> Introduce final attribute to package elements which makes them unextendable
> ---------------------------------------------------------------------------
>
>                 Key: WW-5409
>                 URL: https://issues.apache.org/jira/browse/WW-5409
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some
> quirks that, if a developer is not aware of them, can lead to critical
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
> <package name="package1">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>
> {code}
> If it is extended by another package like so:
> {code:xml}
> <package name="package2" extends="package1">
>     <default-interceptor-ref name="authenticatedOnly"/>
>     <action name="action2" class="Action2">
>         <result name="success" />
>     </action>
> </package>
> {code}
> The second package will inherit Action1; however, it will behave very
> differently in Package2, because it is no longer subject to the same
> interceptors. The {{default-interceptor-ref}} value from the first package
> does not apply to any action in the extending package, not even the ones
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very
> familiar with Struts. They could simply have extended the package to obtain
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially
> sensitive packages as 'final' to prevent certain Actions from being inherited
> by other packages.
> This would look like the following:
> {code:xml}
> <package name="package1" final="true">
>     <default-interceptor-ref name="adminOnly"/>
>     <action name="action1" class="Action1">
>         <result name="success" />
>     </action>
> </package>
> {code}

-- 
This message was sent by Atlassian Jira
(v8.20.10#820010)
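The following is an added example, not part of the issue and not Struts' own code. It is a small Python audit script that parses a struts.xml-style configuration and applies the inheritance rule the issue describes (an inherited action with no explicit `interceptor-ref` runs under the extending package's `default-interceptor-ref`), reporting every inherited action whose effective default interceptor changed, and every package that extends one marked with the proposed `final="true"` attribute. The `locked` and `sneaky` packages, the `secret` action and the `action3` action with an explicit ref are constructed additions to the issue's two packages; the function names are this example's own.

```python
"""Audit a Struts-style package hierarchy for the default-interceptor-ref
inheritance quirk from WW-5409. Added example, not Struts code: it models the
rule stated in the issue and honours a proposed final="true" attribute.
Package, action and function names are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

# Constructed sample config: the issue's two packages, plus a final package
# and one that tries to extend it anyway. action3 pins its own interceptor.
SAMPLE_XML = """
<struts>
  <package name="package1">
    <default-interceptor-ref name="adminOnly"/>
    <action name="action1" class="Action1"/>
  </package>
  <package name="package2" extends="package1">
    <default-interceptor-ref name="authenticatedOnly"/>
    <action name="action2" class="Action2"/>
    <action name="action3" class="Action3">
      <interceptor-ref name="adminOnly"/>
    </action>
  </package>
  <package name="locked" final="true">
    <default-interceptor-ref name="adminOnly"/>
    <action name="secret" class="Secret"/>
  </package>
  <package name="sneaky" extends="locked">
    <default-interceptor-ref name="authenticatedOnly"/>
  </package>
</struts>
"""


@dataclass
class Package:
    name: str
    extends: List[str]
    final: bool
    default_ref: Optional[str]
    # action name -> explicit <interceptor-ref> names ([] means "use default")
    actions: Dict[str, List[str]] = field(default_factory=dict)


def parse_packages(xml_text: str) -> Dict[str, Package]:
    """Parse every <package> into a Package record, in document order."""
    packages: Dict[str, Package] = {}
    for el in ET.fromstring(xml_text).iter("package"):
        extends = [p.strip() for p in el.get("extends", "").split(",") if p.strip()]
        default = el.find("default-interceptor-ref")
        pkg = Package(el.get("name"), extends,
                      el.get("final", "false").lower() == "true",
                      default.get("name") if default is not None else None)
        for action in el.findall("action"):
            pkg.actions[action.get("name")] = [
                r.get("name") for r in action.findall("interceptor-ref")]
        packages[pkg.name] = pkg
    return packages


def collect_actions(packages, pkg_name) -> Dict[str, Tuple[List[str], str]]:
    """Actions visible in a package: inherited first, then its own (a local
    action shadows an inherited one). Value: (explicit refs, declaring package)."""
    pkg = packages[pkg_name]
    visible: Dict[str, Tuple[List[str], str]] = {}
    for parent in pkg.extends:
        visible.update(collect_actions(packages, parent))
    for action, refs in pkg.actions.items():
        visible[action] = (refs, pkg_name)
    return visible


def effective_interceptors(packages, pkg_name) -> Dict[str, List[str]]:
    """Interceptor refs each action runs with when invoked through pkg_name.
    Rule from the issue: no explicit refs -> the *invoking* package's default."""
    own_default = packages[pkg_name].default_ref
    fallback = [own_default] if own_default else []
    return {action: list(refs) if refs else list(fallback)
            for action, (refs, _origin) in collect_actions(packages, pkg_name).items()}


def find_weakened_actions(packages):
    """Inherited, unpinned actions whose effective default differs from the
    declaring package's. Finding: (child, action, origin, declared, effective)."""
    findings = []
    for pkg in packages.values():
        for action, (refs, origin) in collect_actions(packages, pkg.name).items():
            if origin == pkg.name or refs:
                continue  # declared locally, or pinned by explicit refs
            declared = packages[origin].default_ref
            if declared != pkg.default_ref:
                findings.append((pkg.name, action, origin, declared, pkg.default_ref))
    return findings


def find_final_violations(packages) -> List[Tuple[str, str]]:
    """(child, parent) pairs where a package extends one marked final="true"."""
    return [(pkg.name, parent) for pkg in packages.values()
            for parent in pkg.extends if packages[parent].final]


PACKAGES = parse_packages(SAMPLE_XML)

if __name__ == "__main__":
    for finding in find_weakened_actions(PACKAGES):
        print("WEAKENED: %s inherits %s from %s: default %s -> %s" % finding)
    for child, parent in find_final_violations(PACKAGES):
        print(f"VIOLATION: {child} extends final package {parent}")
```

Run against the constructed config, the script flags `action1` (now running under `authenticatedOnly` inside `package2` instead of `adminOnly`) and `secret`, and reports `sneaky` for extending the final `locked` package; `action3` is not flagged because its explicit `interceptor-ref` pins it regardless of which package it is invoked through. Pointing the same parser at a real struts.xml is a cheap pre-deploy check for exactly the developer error the issue describes.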