So you've got 2 separate issues here:
* Pojos that are not allowlisted
* OGNL executions against Spring/Hibernate proxied objects

If you have genuine Pojos that need allowlisting, you can do so by
following the documentation:
https://struts.apache.org/security/#ognl-member-access
Allowlisting Pojos is perfectly fine and will not reduce security.

As for manipulating Spring/Hibernate objects via OGNL - this is a
security risk as it means in the event of an SSTI vulnerability,
attackers may also be able to manipulate Spring/Hibernate objects. I'd
first review why your application is relying on this behaviour.

On Sun, Jun 16, 2024 at 7:39 PM Greg Huber <gregh3...@gmail.com> wrote:
>
> I use both Spring and Hibernate v6 in testing; I would not want to make any
> drastic changes to these as they are painful.
>
> Here is one (of many)
>
> 2024-06-16 09:26:21,419 WARN
> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> SecurityMemberAccess:checkAllowlist - Declaring class [class
> my.pojo.Pojo] of member type [public java.lang.String
> my.pojo.Pojo.getUserName()] is not allowlisted!
> 2024-06-16 09:26:21,419 WARN
> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> SecurityMemberAccess:isAccessible - Access to non-public [private
> java.lang.String my.pojo.Pojo.userName] is blocked!
>
> public class Pojo {
>
>     private String userName;
>
>     public String getUserName() {
>         return userName;
>     }
>
> }
>
> On 16/06/2024 10:33, Kusal Kithul-Godage wrote:
> > That suggests the target is proxied by Spring or Hibernate, which
> > Pojos should not be by definition. You'll need to attach a debugger to
> > investigate why this is the case.
> >
> > On Sun, Jun 16, 2024 at 7:19 PM Greg Huber <gregh3...@gmail.com> wrote:
> >> The text looks ok, but I get this in the log also:
> >>
> >> 2024-06-16 10:15:12,587 WARN
> >> com.opensymphony.xwork2.ognl.SecurityMemberAccess
> >> SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [][
> >>
> >> Where the target is my pojo, which I have a lot of.
> >>
> >> On 16/06/2024 10:15, Kusal Kithul-Godage wrote:
> >>> I didn't do much testing with the Struts JSP integration beyond the
> >>> examples in the showcase app so it's possible I've missed some
> >>> packages/classes that should be allowed by default.
> >>>
> >>> Could you share the warnings you are receiving? Perhaps deduplicate
> >>> the warnings first if there are many repetitive ones.
> >>>
> >>> On Sun, Jun 16, 2024 at 7:10 PM Greg Huber <gregh3...@gmail.com> wrote:
> >>>> Sorry, checked the wrong log file, it was this one; needed to be false.
> >>>>
> >>>> <constant name="struts.allowlist.enable" value="false" />
> >>>>
> >>>> Are there any docs on this? I.e. an example of what would go in the list,
> >>>> as it's excluding Struts default stuff.
> >>>>
> >>>> On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
> >>>>> All of the mentioned options should log issues at warn level or
> >>>>> greater, except for 'struts.parameters.requireAnnotations' which will
> >>>>> log at debug level.
> >>>>>
> >>>>> Using the following PR as a reference, you can revert settings to
> >>>>> their previous value one by one, to isolate which option may be
> >>>>> causing your application issues.
> >>>>> https://github.com/apache/struts/pull/919/files
> >>>>>
> >>>>> Once you have isolated and corrected any issues, please re-enable the
> >>>>> options as they offer significant protection against vulnerabilities.
> >>>>>
> >>>>> On Sun, Jun 16, 2024 at 6:39 PM Greg Huber <gregh3...@gmail.com> wrote:
> >>>>>> I tried this and there is a lot of text missing on my JSP pages.
> >>>>>>
> >>>>>> It mentions these:
> >>>>>>
> >>>>>> struts.ognl.allowStaticFieldAccess=false
> >>>>>> struts.ognl.expressionMaxLength=150
> >>>>>> struts.disallowDefaultPackageAccess=true
> >>>>>> struts.disallowProxyMemberAccess=true
> >>>>>> struts.parameters.requireAnnotations=true
> >>>>>> struts.ognl.disallowCustomOgnlMap=true
> >>>>>> struts.allowlist.enable=true
> >>>>>>
> >>>>>> I tried
> >>>>>>
> >>>>>> struts.ognl.allowStaticFieldAccess=true
> >>>>>>
> >>>>>> but it made no difference.
> >>>>>>
> >>>>>> There are no warnings in the logs.
> >>>>>>
> >>>>>> On 12/06/2024 07:12, Lukasz Lenart wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> This is another milestone of Struts 7.x series, which is based on
> >>>>>>> JakartaEE 6. Please take the time and test the bits - any help is
> >>>>>>> appreciated. Please report any problems you will spot.
> >>>>>>>
> >>>>>>> Please read the Migration guide as this version includes stronger
> >>>>>>> security options
> >>>>>>> https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration
> >>>>>>>
> >>>>>>> Here are the changes from the previous version:
> >>>>>>> https://github.com/apache/struts/releases/tag/STRUTS_7_0_0_M7
> >>>>>>>
> >>>>>>> Staging Maven repo
> >>>>>>> https://repository.apache.org/content/groups/staging/
> >>>>>>>
> >>>>>>> * please read our guideline how to setup your Maven build to include
> >>>>>>> the Staging repository
> >>>>>>>       https://struts.apache.org/builds.html#test-builds
> >>>>>>>
> >>>>>>> Standalone artifacts
> >>>>>>> https://dist.apache.org/repos/dist/dev/struts/7.0.0-M7/
> >>>>>>>
> >>>>>>> Release notes
> >>>>>>> https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.0.0-M7
> >>>>>>>
> >>>>>>>
> >>>>>>> Have fun!
> >>>>>>> Łukasz
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
For additional commands, e-mail: dev-h...@struts.apache.org

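As an added example, not code from this thread or from the Struts project, the following Python script does the deduplication suggested above: it collapses a noisy SecurityMemberAccess log into one count per distinct warning, keeps the "not allowlisted" POJO classes apart from the blocked proxy and non-public accesses (which are controls to review, not to configure away), and renders a struts.xml `<constant>` for the POJO classes. The sample log lines are constructed after the ones quoted in the thread, with made-up class and proxy names; the constant name `struts.allowlist.classNames` is assumed from the Struts security documentation linked above, so check it against the docs for your version.

```python
"""Deduplicate Struts SecurityMemberAccess warnings and derive allowlist constants."""
import re
from collections import Counter

# Constructed sample log lines, modelled on the warnings quoted in the thread
# (class and proxy names are made up for this example).
SAMPLE_LOG = """\
2024-06-16 09:26:21,419 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:checkAllowlist - Declaring class [class my.pojo.Pojo] of member type [public java.lang.String my.pojo.Pojo.getUserName()] is not allowlisted!
2024-06-16 09:26:21,419 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:isAccessible - Access to non-public [private java.lang.String my.pojo.Pojo.userName] is blocked!
2024-06-16 09:26:21,420 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:checkAllowlist - Declaring class [class my.pojo.Pojo] of member type [public java.lang.String my.pojo.Pojo.getUserName()] is not allowlisted!
2024-06-16 09:26:21,421 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:checkAllowlist - Declaring class [class my.pojo.Address] of member type [public java.lang.String my.pojo.Address.getCity()] is not allowlisted!
2024-06-16 10:15:12,587 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [my.model.Order$Proxy]
2024-06-16 10:15:12,600 INFO some.other.Logger - unrelated line that must be ignored
"""

# Patterns follow the message formats quoted in the thread.
NOT_ALLOWLISTED_RE = re.compile(
    r"checkAllowlist - Declaring class \[class ([\w.$]+)\] of member type \[[^\]]+\] is not allowlisted!"
)
NON_PUBLIC_RE = re.compile(r"isAccessible - Access to non-public \[([^\]]+)\] is blocked!")
PROXY_RE = re.compile(r"isAccessible - Access to proxy is blocked! Target \[([^\]]*)\]")


def classify(line):
    """Return (kind, detail) for a SecurityMemberAccess warning, or None for other lines."""
    if "SecurityMemberAccess" not in line:
        return None
    m = NOT_ALLOWLISTED_RE.search(line)
    if m:
        return ("not_allowlisted", m.group(1))
    m = PROXY_RE.search(line)
    if m:
        return ("proxy", m.group(1))
    m = NON_PUBLIC_RE.search(line)
    if m:
        return ("non_public", m.group(1))
    return ("other", line.split(" - ", 1)[-1].strip())


def summarize(log_text):
    """Count each distinct warning so a repetitive log collapses to a short review list."""
    counts = {kind: Counter() for kind in ("not_allowlisted", "proxy", "non_public", "other")}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            kind, detail = hit
            counts[kind][detail] += 1
    return counts


def allowlist_constants(summary):
    """Render a struts.xml <constant> for the classes that need allowlisting.

    Only "not allowlisted" warnings feed the allowlist. Proxy and non-public
    blocks are the security controls doing their job; they are reported for
    review rather than turned into configuration.
    """
    classes = sorted(summary["not_allowlisted"])
    if not classes:
        return ""
    # Constant name assumed from the Struts security documentation; verify for your version.
    return '<constant name="struts.allowlist.classNames" value="%s" />' % ",".join(classes)


def report(log_text):
    """Human-readable review list plus the suggested constant line."""
    summary = summarize(log_text)
    lines = []
    for cls, n in summary["not_allowlisted"].most_common():
        lines.append(f"allowlist candidate: {cls} ({n} warnings)")
    for target, n in summary["proxy"].most_common():
        lines.append(f"REVIEW: proxied target reached via OGNL: {target or '<empty>'} ({n} warnings)")
    for member, n in summary["non_public"].most_common():
        lines.append(f"non-public member correctly blocked: {member} ({n} warnings)")
    constant = allowlist_constants(summary)
    if constant:
        lines.append(constant)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against your own log by replacing `SAMPLE_LOG` with the file contents; the proxy targets it reports are the ones worth investigating with a debugger, as the thread recommends, before any allowlist change.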