[ https://issues.apache.org/jira/browse/WW-5428?focusedWorklogId=924758&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-924758 ]
ASF GitHub Bot logged work on WW-5428:
--------------------------------------

Author: ASF GitHub Bot
Created on: 08/Jul/24 08:39
Start Date: 08/Jul/24 08:39
Worklog Time Spent: 10m
Work Description:
lukaszlenart commented on code in PR #967:
URL: https://github.com/apache/struts/pull/967#discussion_r1668221565

########## core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java: ########## @@ -209,10 +209,23 @@ public boolean isAccessible(Map context, Object target, Member member, String pr * @return {@code true} if member access is allowed */ protected boolean checkAllowlist(Object target, Member member) { - Class<?> memberClass = member.getDeclaringClass(); if (!enforceAllowlistEnabled) { return true; } + + if (!disallowProxyObjectAccess && target != null && ProxyUtil.isProxy(target)) { + // If `disallowProxyObjectAccess` is not set, allow resolving Hibernate entities to their underlying + // classes/members. This allows the allowlist capability to continue working and offer some level of + // protection in applications where the developer has accepted the risk of allowing OGNL access to Hibernate + // entities. This is preferred to having to disable the allowlist capability entirely.

Review Comment:
Wouldn't it be good to log this info? Maybe even at WARN level if `struts.devMode` is enabled, wdyt?

Issue Time Tracking
-------------------
Worklog Id: (was: 924758)
Time Spent: 1h 20m (was: 1h 10m)

> Allowlist capability should resolve Hibernate proxies when
> disableProxyObjects is not set
> -----------------------------------------------------------------------------------------
>
> Key: WW-5428
> URL: https://issues.apache.org/jira/browse/WW-5428
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0, 7.0.0
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Refer to PR description for further details

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
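Review bot: the `-` line drops `Class<?> memberClass = member.getDeclaringClass();` but no `+` line in this hunk reintroduces it; wherever the declaring class is recomputed after the new `ProxyUtil.isProxy(target)` branch, it should be derived from the unproxied target so the allowlist is evaluated against the real entity class rather than the generated proxy subclass, which is what the inline comment ("allow resolving Hibernate entities to their underlying classes/members") says the branch is for. The trade-off that comment describes, proxies being unwrapped instead of rejected whenever `disallowProxyObjectAccess` is false, also belongs in the method Javadoc above `@return` and in the documentation of the `disallowProxyObjectAccess` setting, so operators can tell which configuration still rejects proxy targets outright.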