[jira] [Commented] (WW-4171) getText methods are not documented as evaluating OGNL

Tue, 06 Aug 2013 09:58:06 -0700 

    [ 
https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13730951#comment-13730951
 ] 

Rene Gielen commented on WW-4171:
---------------------------------

[[email protected]] No, parameter processing should be safe here - message 
property will contain "${2*3}" after ParametersInterceptor; but passing the so 
far unevaluated expression string to getText() will force an OGNL evaluation in 
Jon's example.

So far I see a "passing unsanitized user input to an API" issue, which is 
generally a questionable idea. I agree with Jon that the API JavaDocs should 
state clearly that expression evaluation will take place, such that users are 
warned. Nevertheless, I don't see we need further actions like active 
prevention and such.

Just an idea: even more valuable than simple JavaDoc could be an annotation for 
parameters, like @SanitizingRequired or @ExpressionAware... 
                
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are 
> not documented as evaluating OGNL. We have observed this occurring in one 
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None 
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as 
> evaluating OGNL since this may come as a surprise to some developers.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to