2024-06-16 11:06:39,002 WARN
com.opensymphony.xwork2.ognl.SecurityMemberAccess
SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [my.pojo.Pojo$HibernateProxy$tEzkTVrG]

The docs don't give any hints on what the list should be.

<constant name="struts.allowlist.enable" value="false" />
<constant name="struts.allowlist.packageNames" value="my.pojo.Pojo" />

This is an inquiry screen.
On 16/06/2024 10:51, Kusal Kithul-Godage wrote:
> So you've got 2 separate issues here:
> * Pojos that are not allowlisted
> * OGNL executions against Spring/Hibernate proxied objects
>
> If you have genuine Pojos that need allowlisting, you can do so by
> following the documentation:
> https://struts.apache.org/security/#ognl-member-access
> Allowlisting Pojos is perfectly fine and will not reduce security.
>
> As for manipulating Spring/Hibernate objects via OGNL - this is a
> security risk as it means in the event of an SSTI vulnerability,
> attackers may also be able to manipulate Spring/Hibernate objects. I'd
> first review why your application is relying on this behaviour.
>
> On Sun, Jun 16, 2024 at 7:39 PM Greg Huber<gregh3...@gmail.com> wrote:
>> I use both Spring and Hibernate v6 in testing; I would not want to make any
>> drastic changes to these as they are painful.
>>
>> Here is one (of many)
>>
>> 2024-06-16 09:26:21,419 WARN
>> com.opensymphony.xwork2.ognl.SecurityMemberAccess
>> SecurityMemberAccess:checkAllowlist - Declaring class [class
>> my.pojo.Pojo] of member type [public java.lang.String
>> my.pojo.Pojo.getUserName()] is not allowlisted!
>> 2024-06-16 09:26:21,419 WARN
>> com.opensymphony.xwork2.ognl.SecurityMemberAccess
>> SecurityMemberAccess:isAccessible - Access to non-public [private
>> java.lang.String my.pojo.Pojo.userName] is blocked!
>>
>> public class Pojo {
>>
>>     private String userName;
>>
>>     public String getUserName() {
>>         return userName;
>>     }
>>
>> }
>>
>> On 16/06/2024 10:33, Kusal Kithul-Godage wrote:
>>> That suggests the target is proxied by Spring or Hibernate, which
>>> Pojos should not be by definition. You'll need to attach a debugger to
>>> investigate why this is the case.
>>>
>>> On Sun, Jun 16, 2024 at 7:19 PM Greg Huber<gregh3...@gmail.com> wrote:
>>>> The text looks ok, but I get this in the log also:
>>>>
>>>> 2024-06-16 10:15:12,587 WARN
>>>> com.opensymphony.xwork2.ognl.SecurityMemberAccess
>>>> SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [][
>>>>
>>>> Where the target is my pojo, which I have a lot of.
>>>>
>>>> On 16/06/2024 10:15, Kusal Kithul-Godage wrote:
>>>>> I didn't do much testing with the Struts JSP integration beyond the
>>>>> examples in the showcase app so it's possible I've missed some
>>>>> packages/classes that should be allowed by default.
>>>>>
>>>>> Could you share the warnings you are receiving? Perhaps deduplicate
>>>>> the warnings first if there are many repetitive ones.
>>>>>
>>>>> On Sun, Jun 16, 2024 at 7:10 PM Greg Huber<gregh3...@gmail.com> wrote:
>>>>>> Sorry, I checked the wrong log file; it was this one, which needed to be false.
>>>>>>
>>>>>> <constant name="struts.allowlist.enable" value="false" />
>>>>>>
>>>>>> Are there any docs on this? i.e. an example of what would go in the list,
>>>>>> as it's excluding Struts default stuff.
>>>>>>
>>>>>> On 16/06/2024 10:01, Kusal Kithul-Godage wrote:
>>>>>>> All of the mentioned options should log issues at warn level or
>>>>>>> greater, except for 'struts.parameters.requireAnnotations' which will
>>>>>>> log at debug level.
>>>>>>>
>>>>>>> Using the following PR as a reference, you can revert settings to
>>>>>>> their previous value one by one, to isolate which option may be
>>>>>>> causing your application issues.
>>>>>>> https://github.com/apache/struts/pull/919/files
>>>>>>>
>>>>>>> Once you have isolated and corrected any issues, please re-enable the
>>>>>>> options as they offer significant protection against vulnerabilities.
>>>>>>>
>>>>>>> On Sun, Jun 16, 2024 at 6:39 PM Greg Huber<gregh3...@gmail.com> wrote:
>>>>>>>> I tried this and there is a lot of text missing on my JSP pages.
>>>>>>>>
>>>>>>>> It mentions these:
>>>>>>>>
>>>>>>>> struts.ognl.allowStaticFieldAccess=false
>>>>>>>> struts.ognl.expressionMaxLength=150
>>>>>>>> struts.disallowDefaultPackageAccess=true
>>>>>>>> struts.disallowProxyMemberAccess=true
>>>>>>>> struts.parameters.requireAnnotations=true
>>>>>>>> struts.ognl.disallowCustomOgnlMap=true
>>>>>>>> struts.allowlist.enable=true
>>>>>>>>
>>>>>>>> I tried
>>>>>>>>
>>>>>>>> struts.ognl.allowStaticFieldAccess=true
>>>>>>>>
>>>>>>>> but it made no difference.
>>>>>>>>
>>>>>>>> There are no warnings in the logs.
>>>>>>>>
>>>>>>>> On 12/06/2024 07:12, Lukasz Lenart wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> This is another milestone of the Struts 7.x series, which is based on
>>>>>>>>> JakartaEE 6. Please take the time and test the bits - any help is
>>>>>>>>> appreciated. Please report any problems you spot.
>>>>>>>>>
>>>>>>>>> Please read the Migration guide as this version includes stronger
>>>>>>>>> security options:
>>>>>>>>> https://cwiki.apache.org/confluence/display/WW/Struts+6.x.x+to+7.x.x+migration
>>>>>>>>>
>>>>>>>>> Here are the changes from the previous version:
>>>>>>>>> https://github.com/apache/struts/releases/tag/STRUTS_7_0_0_M7
>>>>>>>>>
>>>>>>>>> Staging Maven repo
>>>>>>>>> https://repository.apache.org/content/groups/staging/
>>>>>>>>>
>>>>>>>>> * please read our guideline on how to set up your Maven build to include
>>>>>>>>> the Staging repository:
>>>>>>>>> https://struts.apache.org/builds.html#test-builds
>>>>>>>>>
>>>>>>>>> Standalone artifacts
>>>>>>>>> https://dist.apache.org/repos/dist/dev/struts/7.0.0-M7/
>>>>>>>>>
>>>>>>>>> Release notes
>>>>>>>>> https://cwiki.apache.org/confluence/display/WW/Version+Notes+7.0.0-M7
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Have fun!
>>>>>>>>> Łukasz
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
>>>>>>>>> For additional commands, e-mail: dev-h...@struts.apache.org
>>>>>>>>>
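As an added example (not code from this thread or from the Struts project), a small Python triage script that does the deduplication Kusal asks for and separates the two cases he identifies: declaring classes that are genuine POJOs and can go into struts.allowlist.packageNames, and proxied targets (Hibernate/Spring) that should be investigated rather than allowlisted. The sample log lines are constructed from the warnings quoted in the thread; the regexes assume the message formats shown there.

```python
import re

# Constructed sample lines modelled on the warnings quoted in this thread (not a real log).
SAMPLE_LOG = """\
2024-06-16 09:26:21,419 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:checkAllowlist - Declaring class [class my.pojo.Pojo] of member type [public java.lang.String my.pojo.Pojo.getUserName()] is not allowlisted!
2024-06-16 09:26:21,419 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:isAccessible - Access to non-public [private java.lang.String my.pojo.Pojo.userName] is blocked!
2024-06-16 09:26:21,420 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:checkAllowlist - Declaring class [class my.pojo.Pojo] of member type [public java.lang.String my.pojo.Pojo.getUserName()] is not allowlisted!
2024-06-16 11:06:39,002 WARN com.opensymphony.xwork2.ognl.SecurityMemberAccess SecurityMemberAccess:isAccessible - Access to proxy is blocked! Target [my.pojo.Pojo$HibernateProxy$tEzkTVrG]
"""

# Message shapes taken from the warnings quoted above (assumed stable for this purpose).
NOT_ALLOWLISTED = re.compile(r"Declaring class \[class ([\w.$]+)\] .* is not allowlisted!")
NON_PUBLIC = re.compile(r"Access to non-public \[(.+?)\] is blocked!")
PROXY_BLOCKED = re.compile(r"Access to proxy is blocked! Target \[([\w.$]+)\]")


def triage(log_text):
    """Deduplicate SecurityMemberAccess warnings and bucket them by the action they call for."""
    report = {"allowlist": set(), "non_public": set(), "proxy": set()}
    for line in log_text.splitlines():
        if "SecurityMemberAccess" not in line:
            continue
        if (m := NOT_ALLOWLISTED.search(line)):
            report["allowlist"].add(m.group(1))   # genuine POJO: safe to allowlist
        elif (m := NON_PUBLIC.search(line)):
            report["non_public"].add(m.group(1))  # expected: OGNL must go through the getter
        elif (m := PROXY_BLOCKED.search(line)):
            report["proxy"].add(m.group(1))       # proxied object: investigate, do not allowlist
    return report


def package_of(class_name):
    """'my.pojo.Pojo' -> 'my.pojo', the unit struts.allowlist.packageNames expects."""
    return class_name.rsplit(".", 1)[0] if "." in class_name else ""


def suggested_constant(report):
    """Render the packageNames constant for the non-proxy declaring classes seen in the log."""
    packages = sorted({package_of(c) for c in report["allowlist"] if "$" not in c})
    return f'<constant name="struts.allowlist.packageNames" value="{",".join(packages)}" />'


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(suggested_constant(r))
    for target in sorted(r["proxy"]):
        print("proxy access blocked; review why OGNL reaches it:", target)
```

Feed it the real log instead of SAMPLE_LOG to get a deduplicated list; the proxy bucket is the one to take to a debugger, as suggested above.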