I am having the same issue because many of our JSPs access Hibernate proxy objects. However, setting [struts.disallowProxyMemberAccess=false] is not working for me. I am still receiving "Access to proxy is blocked!" errors. Correcting this issue properly (by changing our JSPs) will take significant time so I would prefer to initially take the security risk.

Below is an example of a log entry plus the "non-secure" struts.xml settings.

Log Entry Example
com.opensymphony.xwork2.ognl.SecurityMemberAccess - Access to proxy is blocked! Target [--data here--], proxy class [com.afs.core.entity.Folder$HibernateProxy$OVniT9Ol]

struts.xml
    <constant name="struts.allowlist.enable" value="false"/>
    <constant name="struts.parameters.requireAnnotations" value="false"/>
    <constant name="struts.disallowProxyMemberAccess" value="false"/>


------ Original Message ------
From "Kusal Kithul-Godage" <kusal.kithulgod...@gmail.com>
To "Struts Developers List" <dev@struts.apache.org>
Date 6/16/2024 9:51:36 AM
Subject Re: [TEST] Apache Struts 7.0.0-M7 test build is ready

So the allowlist configuration is usually just informed by the
warnings logged during runtime. For most applications this will either
be nothing or some Pojo packages. So for the example log warning
you've provided that would be:
struts.allowlist.packageNames=my.pojo

However, the main issue you're having here is that your Pojos are
actually Hibernate entities, and you are then accessing them directly
using OGNL - which is not recommended. The allowlist capability is
also not compatible with any type of proxy object, Hibernate entities
included.

So you've 2 options here:

a) Disable both the proxy block and the allowlist using the following
options and accept the increased security risk.
struts.disallowProxyObjectAccess=false
struts.allowlist.enable=false

b) Invest some time introducing an intermediary layer which provides
proper separation between your database entities and view layer. This
will completely eliminate the risk of exploits targeting your view
layer being escalated to the persistence layer.

I obviously recommend the latter but we are not going to force this
upon anyone as I understand it can take some effort and resources you
may not have.

Thank you for reporting this though as I expect yours won't be the
only Struts application with this issue. I'll update the documentation
to better acknowledge this case as well as the options I outlined
above.

Lukasz if you could give me edit permission for the Struts 7.x
migration guide, I'll add a quick note there too.

On Sun, Jun 16, 2024 at 8:21 PM Greg Huber <gregh3...@gmail.com> wrote:

 2024-06-16 11:06:39,002 WARN
 com.opensymphony.xwork2.ognl.SecurityMemberAccess
 SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target

 The docs don't give any hints on what the list should be.

 <constant name="struts.allowlist.enable" value="false" />

 <constant name="struts.allowlist.packageNames" value="my.pojo.Pojo" />

 my.pojo.Pojo$HibernateProxy$tEzkTVrG]

 This is an inquiry screen.

 On 16/06/2024 10:51, Kusal Kithul-Godage wrote:
 > So you've got 2 separate issues here:
 > * Pojos that are not allowlisted
 > * OGNL executions against Spring/Hibernate proxied objects
 >
 > If you have genuine Pojos that need allowlisting, you can do so by
 > following the documentation:
 > https://struts.apache.org/security/#ognl-member-access
 > Allowlisting Pojos is perfectly fine and will not reduce security.
 >
 > As for manipulating Spring/Hibernate objects via OGNL - this is a
 > security risk as it means in the event of an SSTI vulnerability,
 > attackers may also be able to manipulate Spring/Hibernate objects. I'd
 > first review why your application is relying on this behaviour.
 >
 > On Sun, Jun 16, 2024 at 7:39 PM Greg Huber <gregh3...@gmail.com> wrote:
 >> I use both spring and hibernate v6 testing, I would not want to make any
 >> drastic changes to these as they are painful.
 >>
 >> Here is one (of many)
 >>
 >> 2024-06-16 09:26:21,419 WARN
 >> com.opensymphony.xwork2.ognl.SecurityMemberAccess
 >> SecurityMemberAccess:checkAllowlist - Declaring class [class
 >> my.pojo.Pojo] of member type [public java.lang.String
 >> my.pojo.Pojo.getUserName()] is not allowlisted!
 >> 2024-06-16 09:26:21,419 WARN
 >> com.opensymphony.xwork2.ognl.SecurityMemberAccess
 >> SecurityMemberAccess:isAccessible - Access to non-public [private
 >> java.lang.String my.pojo.Pojo.userName] is blocked!
 >>
 >> public class Pojo {
 >>
 >> private String userName;
 >>
 >> public String getUserName() {
 >>           return userName;
 >>       }
 >>
 >> }
 >>
 >> On 16/06/2024 10:33, Kusal Kithul-Godage wrote:
 >>> That suggests the target is proxied by Spring or Hibernate, which
 >>> Pojos should not be by definition. You'll need to attach a debugger to
 >>> investigate why this is the case.
 >>>
 >>> On Sun, Jun 16, 2024 at 7:19 PM Greg Huber <gregh3...@gmail.com> wrote:
 >>>> The text looks ok, but I get this in the log also:
 >>>>
 >>>> 2024-06-16 10:15:12,587 WARN
 >>>> com.opensymphony.xwork2.ognl.SecurityMemberAccess
 >>>> SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [][
 >>>>
 >>>> Where the target is my pojo, which I have a lot of.
 >>>>
 >>>> On 16/06/2024 10:15, Kusal Kithul-Godage wrote:
 >>>>> I didn't do much testing with the Struts JSP integration beyond the
 >>>>> examples in the showcase app so it's possible I've missed some
 >>>>> packages/classes that should be allowed by default.
 >>>>>
 >>>>> Could you share the warnings you are receiving? Perhaps deduplicate
 >>>>> the warnings first if there are many repetitive ones.
 >>>>>
 >>>>> On Sun, Jun 16, 2024 at 7:10 PM Greg Huber <gregh3...@gmail.com> wrote:
 >>>>>> Sorry checked the wrong log file, it was this one, needed to be false.
 >>>>>>
 >>>>>> <constant name="struts.allowlist.enable" value="false" />
 >>>>>>
 >>>>>> Are there any docs on this? i.e. an example of what would go in the list,
 >>>>>> as it's excluding Struts default stuff.
 >>>>>>
 >>>>>> On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
 >>>>>>> All of the mentioned options should log issues at warn level or
 >>>>>>> greater, except for 'struts.parameters.requireAnnotations' which will
 >>>>>>> log at debug level.
 >>>>>>>
 >>>>>>> Using the following PR as a reference, you can revert settings to
 >>>>>>> their previous value one by one, to isolate which option may be
 >>>>>>> causing your application issues.
 >>>>>>> https://github.com/apache/struts/pull/919/files
 >>>>>>>
 >>>>>>> Once you have isolated and corrected any issues, please re-enable the
 >>>>>>> options as they offer significant protection against vulnerabilities.
 >>>>>>>
 >>>>>>> On Sun, Jun 16, 2024 at 6:39 PM Greg Huber <gregh3...@gmail.com> wrote:
 >>>>>>>> I tried this and there is a lot of text missing on my jsp pages
 >>>>>>>>
 >>>>>>>> it mentions these:
 >>>>>>>>
 >>>>>>>> struts.ognl.allowStaticFieldAccess=false
 >>>>>>>> struts.ognl.expressionMaxLength=150
 >>>>>>>> struts.disallowDefaultPackageAccess=true
 >>>>>>>> struts.disallowProxyMemberAccess=true
 >>>>>>>> struts.parameters.requireAnnotations=true
 >>>>>>>> struts.ognl.disallowCustomOgnlMap=true
 >>>>>>>> struts.allowlist.enable=true
 >>>>>>>>
 >>>>>>>> I tried
 >>>>>>>>
 >>>>>>>> struts.ognl.allowStaticFieldAccess=true
 >>>>>>>>
 >>>>>>>> but it made no difference.
 >>>>>>>>
 >>>>>>>> There are no warnings in the logs.
 >>>>>>>>
 >>>>>>>> On 12/06/2024 07:12, Lukasz Lenart wrote:
 >>>>>>>>> Hello,
 >>>>>>>>>
 >>>>>>>>> This is another milestone of Struts 7.x series, which is based on
 >>>>>>>>> JakartaEE 6. Please take the time and test the bits - any help is
 >>>>>>>>> appreciated. Please report any problems you will spot.
 >>>>>>>>>
 >>>>>>>>> Please read the Migration guide as this version includes stronger
 >>>>>>>>> security options
 >>>>>>>>> https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration
 >>>>>>>>>
 >>>>>>>>> Here are the changes from the previous version:
 >>>>>>>>> https://github.com/apache/struts/releases/tag/STRUTS_7_0_0_M7
 >>>>>>>>>
 >>>>>>>>> Staging Maven repo
 >>>>>>>>> https://repository.apache.org/content/groups/staging/
 >>>>>>>>>
 >>>>>>>>> * please read our guideline how to setup your Maven build to include
 >>>>>>>>> the Staging repository
 >>>>>>>>>        https://struts.apache.org/builds.html#test-builds
 >>>>>>>>>
 >>>>>>>>> Standalone artifacts
 >>>>>>>>> https://dist.apache.org/repos/dist/dev/struts/7.0.0-M7/
 >>>>>>>>>
 >>>>>>>>> Release notes
 >>>>>>>>> https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.0.0-M7
 >>>>>>>>>
 >>>>>>>>>
 >>>>>>>>> Have fun!
 >>>>>>>>> Łukasz
 >>>>>>>>>
 >>>>>>>>> ---------------------------------------------------------------------
 >>>>>>>>> To unsubscribe,e-mail:dev-unsubscr...@struts.apache.org
 >>>>>>>>> For additional commands,e-mail:dev-h...@struts.apache.org
 >>>>>>>>>
 >>>>>>>
 >>>>>
 >>>
 >

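Kusal's option b) from the thread, as an added example that is not code from the thread or from the Struts project: a final view object is copied out of the Hibernate entity inside the action, so the JSP and OGNL only ever see plain objects and both proxy constants named in the thread (struts.disallowProxyMemberAccess and struts.disallowProxyObjectAccess) plus struts.allowlist.enable can stay at true, with the view package rather than the entity package going into struts.allowlist.packageNames. The package com.example.view, the classes FolderView, FolderRepository and FolderAction, and the Folder accessors getId/getName/getChildren are assumptions; only com.afs.core.entity.Folder comes from the log entry above.

```java
package com.example.view; // assumed package; allowlist this one, not the entity package

import java.util.List;
import java.util.stream.Collectors;
import com.afs.core.entity.Folder;             // the proxied entity named in the log entry
import com.opensymphony.xwork2.ActionSupport;

/**
 * Plain value object handed to the JSP: final, no Hibernate/Spring annotations,
 * never proxied, so OGNL can read it while the proxy block and the allowlist
 * (struts.allowlist.packageNames=com.example.view) stay switched on.
 */
public final class FolderView {
    private final long id;
    private final String name;
    private final int childCount;
    public FolderView(long id, String name, int childCount) {
        this.id = id;
        this.name = name;
        this.childCount = childCount;
    }
    public long getId() { return id; }
    public String getName() { return name; }
    public int getChildCount() { return childCount; }

    /** Copy only what the page needs, while the Hibernate session is still open so
     *  lazy associations can load. getId/getName/getChildren are assumed Folder accessors. */
    public static FolderView of(Folder f) {
        return new FolderView(f.getId(), f.getName(), f.getChildren().size());
    }
}

/** Hypothetical repository returning entities; stands in for your service layer. */
interface FolderRepository { List<Folder> findAll(); }

/** Hypothetical action: the value stack only ever holds FolderView objects. */
class FolderAction extends ActionSupport {
    private final FolderRepository repo;
    private List<FolderView> folders;
    FolderAction(FolderRepository repo) { this.repo = repo; }

    @Override
    public String execute() {
        folders = repo.findAll().stream().map(FolderView::of).collect(Collectors.toList());
        return SUCCESS;
    }
    /** What <s:iterator value="folders"> walks: views, never an entity or its proxy. */
    public List<FolderView> getFolders() { return folders; }
}
```

With this in place the "Access to proxy is blocked!" warnings disappear because no proxy reaches the value stack, and an SSTI in the view layer can at most read the copied fields rather than call into the persistence layer.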
