Re: [PR] WW-5501 Exclude malicious names [struts]

via GitHub Mon, 23 Dec 2024 02:11:34 -0800


github-advanced-security[bot] commented on code in PR #1156:
URL: https://github.com/apache/struts/pull/1156#discussion_r1895565528



##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java:
##########
@@ -113,6 +113,16 @@
     protected void processFileField(FileItem item) {
         LOG.debug("Item is a file upload");
 
+        if (!isAccepted(item.getName())) {
+            LOG.warn("File name [{}] is not accepted", item.getName());
+            return;
+        }
+
+        if (!isAccepted(item.getFieldName())) {
+            LOG.warn("Field name [{}] is not accepted", item.getFieldName());

Review Comment:
   ## Logging should not be vulnerable to injection attacks
   
   <!--SONAR_ISSUE_KEY:AZPy_bBpEosXzZdCgNBv-->Change this code to not log 
user-controlled data. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache_struts&issues=AZPy_bBpEosXzZdCgNBv&open=AZPy_bBpEosXzZdCgNBv&pullRequest=1156";>SonarQube
 Cloud</a></p>
   
   [Show more 
details](https://github.com/apache/struts/security/code-scanning/729)



##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaStreamMultiPartRequest.java:
##########
@@ -312,6 +312,10 @@
      */
     protected void processFileItemStreamAsFormField(FileItemStream itemStream) 
{
         String fieldName = itemStream.getFieldName();
+        if (!isAccepted(fieldName)) {
+            LOG.warn("Form field [{}] rejected!", fieldName);

Review Comment:
   ## Logging should not be vulnerable to injection attacks
   
   <!--SONAR_ISSUE_KEY:AZPy_bDOEosXzZdCgNCE-->Change this code to not log 
user-controlled data. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache_struts&issues=AZPy_bDOEosXzZdCgNCE&open=AZPy_bDOEosXzZdCgNCE&pullRequest=1156";>SonarQube
 Cloud</a></p>
   
   [Show more 
details](https://github.com/apache/struts/security/code-scanning/731)



##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaStreamMultiPartRequest.java:
##########
@@ -340,6 +344,11 @@
             return;
         }
 
+        if (!isAccepted(itemStream.getName())) {
+            LOG.warn("File field [{}] rejected", itemStream.getName());

Review Comment:
   ## Logging should not be vulnerable to injection attacks
   
   <!--SONAR_ISSUE_KEY:AZPy_bDOEosXzZdCgNCG-->Change this code to not log 
user-controlled data. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache_struts&issues=AZPy_bDOEosXzZdCgNCG&open=AZPy_bDOEosXzZdCgNCG&pullRequest=1156";>SonarQube
 Cloud</a></p>
   
   [Show more 
details](https://github.com/apache/struts/security/code-scanning/733)



##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java:
##########
@@ -113,6 +113,16 @@
     protected void processFileField(FileItem item) {
         LOG.debug("Item is a file upload");
 
+        if (!isAccepted(item.getName())) {
+            LOG.warn("File name [{}] is not accepted", item.getName());

Review Comment:
   ## Logging should not be vulnerable to injection attacks
   
   <!--SONAR_ISSUE_KEY:AZPy_bBpEosXzZdCgNBu-->Change this code to not log 
user-controlled data. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache_struts&issues=AZPy_bBpEosXzZdCgNBu&open=AZPy_bBpEosXzZdCgNBu&pullRequest=1156";>SonarQube
 Cloud</a></p>
   
   [Show more 
details](https://github.com/apache/struts/security/code-scanning/728)



##########
core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java:
##########
@@ -134,6 +144,11 @@
         try {
             LOG.debug("Item is a normal form field");
 
+            if (!isAccepted(item.getFieldName())) {
+                LOG.warn("Form field name [{}] is not accepted", 
item.getFieldName());

Review Comment:
   ## Logging should not be vulnerable to injection attacks
   
   <!--SONAR_ISSUE_KEY:AZPy_bBpEosXzZdCgNBw-->Change this code to not log 
user-controlled data. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache_struts&issues=AZPy_bBpEosXzZdCgNBw&open=AZPy_bBpEosXzZdCgNBw&pullRequest=1156";>SonarQube
 Cloud</a></p>
   
   [Show more 
details](https://github.com/apache/struts/security/code-scanning/730)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] WW-5501 Exclude malicious names [struts]

Reply via email to