[jira] [Work logged] (WW-5635) TokenHelper.validToken() includes session token in WARN log output

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/WW-5635?focusedWorklogId=1025121&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025121
 ]

ASF GitHub Bot logged work on WW-5635:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 14/Jun/26 16:43
            Start Date: 14/Jun/26 16:43
    Worklog Time Spent: 10m 
      Work Description: lukaszlenart commented on PR #1738:
URL: https://github.com/apache/struts/pull/1738#issuecomment-4702394173

   Thanks for the hardening — the production behavior (dropping the session 
token from the WARN) is the right call, and logging full detail only under 
devMode is consistent with how `ParametersInterceptor` already does it.
   
   One blocker though: `ActionContext.getContext().isDevMode()` won't compile — 
`ActionContext` has no `isDevMode()` method. That accessor lives on 
`Dispatcher`, and within a static utility like `TokenHelper` the way to reach 
it is `Dispatcher.getInstance()`:
   
   ```java
   Dispatcher dispatcher = Dispatcher.getInstance();
   if (dispatcher != null && dispatcher.isDevMode()) {
       LOG.warn("Token mismatch detail - token name [{}], form token [{}], 
session token [{}]",
               normalizeSpace(tokenName), normalizeSpace(token), sessionToken);
   }
   ```
   
   `Dispatcher.getInstance()` is thread-local-backed and populated during 
request processing, so it's available here — but keep the null guard since 
`TokenHelper` has no DI.
   
   Minor: the PR description says the extra line is DEBUG-level and logs only 
boolean presence, but the code logs full values at WARN under devMode. The code 
is fine given the devMode gate — just worth updating the description so it 
matches the intent.




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1025121)
    Remaining Estimate: 0h
            Time Spent: 10m

> TokenHelper.validToken() includes session token in WARN log output
> ------------------------------------------------------------------
>
>                 Key: WW-5635
>                 URL: https://issues.apache.org/jira/browse/WW-5635
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Arun Manni
>            Priority: Major
>             Fix For: 7.2.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When TokenHelper.validToken() detects a CSRF token mismatch, the WARN-level 
> log message includes the server-side session token in cleartext. Since the 
> session token is only removed on a successful match, the logged value remains 
> a live credential visible to anyone with log access.
> This change keeps the form token in the WARN message (with normalizeSpace 
> sanitization) and logs full token detail only when devMode is enabled, 
> consistent with how ParametersInterceptor handles user-supplied values 
> elsewhere in the codebase.
> PR: https://github.com/apache/struts/pull/1738



--
This message was sent by Atlassian Jira
(v8.20.10#820010)