[jira] [Work started] (WW-5627) CookieInterceptor bypasses @StrutsParameter authorization

Sat, 09 May 2026 03:17:07 -0700 


     [ 
https://issues.apache.org/jira/browse/WW-5627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on WW-5627 started by Lukasz Lenart.
-----------------------------------------
> CookieInterceptor bypasses @StrutsParameter authorization
> ---------------------------------------------------------
>
>                 Key: WW-5627
>                 URL: https://issues.apache.org/jira/browse/WW-5627
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>            Reporter: Lukasz Lenart
>            Assignee: Lukasz Lenart
>            Priority: Major
>             Fix For: 7.2.0
>
>
> h2. Problem
>   
> {{CookieInterceptor.populateCookieValueIntoStack}} calls 
> {{stack.setValue(cookieName, cookieValue)}} directly 
> ({{CookieInterceptor.java}} lines 339 and 348), which:
> - bypasses {{StrutsParameterAuthorizer}} / {{@StrutsParameter}} enforcement,
> - never primes {{ThreadAllowlist}}.
>   
> Cookie injection therefore does not participate in the 
> parameter-authorization machinery that {{ParametersInterceptor}}, the JSON 
> plugin, and (post-[WW-5626|https://issues.apache.org/jira/browse/WW-5626]) 
> the REST plugin all share.
>   
> h2. Impact
> When {{cookiesName=*}} is configured, every public setter on the action — and 
> (subject to allowlist) any setter reachable through getter chains from the 
> value-stack root — is writeable from cookie input without any 
> {{@StrutsParameter}} opt-in. The OGNL allowlist (default {{enable=true}} 
> since 7.0) blocks the nested-bean route via {{SecurityMemberAccess}}, but it 
> does not require setters to be annotated with {{@StrutsParameter}}, so 
> action-level setters remain reachable.
> h2. Proposed fix
>   
> Replace {{stack.setValue}} in {{populateCookieValueIntoStack}} with 
> {{stack.setParameter}} (or invoke {{StrutsParameterAuthorizer}} directly) so 
> cookie injection participates in {{@StrutsParameter}} enforcement and 
> {{ThreadAllowlist}} priming, aligning {{CookieInterceptor}} with 
> {{ParametersInterceptor}}, the JSON plugin, and the REST plugin.
> h2. Dependencies
>   
> Builds on [WW-5626|https://issues.apache.org/jira/browse/WW-5626] — reuses 
> {{ParameterAuthorizationContext}} and {{ParameterAuthorizer.resolveTarget}}.
>   
> h2. Backward compatibility
>   
> Behavior change: apps relying on cookies populating un-annotated setters will 
> stop working under strict authorization. Affected users must either add 
> {{@StrutsParameter}} to the relevant setters or drop {{cookiesName=*}}. 
> Migration-guide entry required.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to