Gouri Sankar A created WW-5642:
----------------------------------
Summary: @StrutsParameter authorization bypassed for
record/creator-bound REST body properties
Key: WW-5642
URL: https://issues.apache.org/jira/browse/WW-5642
Project: Struts 2
Issue Type: Bug
Components: Plugin - REST
Affects Versions: 7.2.1
Environment: Reproducible with struts2-rest-plugin,
struts.parameters.requireAnnotations
enabled, and any REST action whose request body binds a Java record
(or @JsonCreator/@ConstructorProperties type) either at the top level
or nested. JDK 17, Jackson 2.22.0.
Reporter: Gouri Sankar A
ParameterAuthorizingModule enforces @StrutsParameter on REST/JSON body
deserialization by wrapping each Jackson property's deserializeAndSet /
deserializeSetAndReturn (AuthorizingSettableBeanProperty). Jackson never
calls either method for creator-bound properties — Java records,
@JsonCreator constructors, @ConstructorProperties — it calls the final
SettableBeanProperty#deserialize directly, which the existing wrapper
cannot intercept.
With struts.parameters.requireAnnotations enabled, any record-typed
field in a REST action's request body is populated with no
@StrutsParameter check at all, silently defeating the protection for
that entire subtree.
Fix: wrap the property's value deserializer (the only non-final
interception point for the creator-bound path), scoped to
CreatorProperty so existing setter/field/builder paths are unaffected.
Fixed by: https://github.com/apache/struts/pull/1774
--
This message was sent by Atlassian Jira
(v8.20.10#820010)