[ https://issues.apache.org/jira/browse/WW-4171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13731815#comment-13731815 ]

Rene Gielen commented on WW-4171:
---------------------------------

[~lukaszlenart] Yeah, the problem is that calls to getText with expressions may make sense. So you would only want to sanitize user input, but not any API call.

That said, introducing such annotations would make even more sense if we'd finally introduce a central sanitization API! Say a central sanitizer class with static methods like sanitize(String), sanitize(String, SanitizingOptions... options)

Combined with static imports, a safe call to getText(@SanitizingRequired String message) would look like getText(sanitize(userModifiableProperty)).

The actual sanitizer implementation should be interface-based, with the Sanitizer class being a static facade using static injection / a factory for a singleton sanitizer implementation. Thus we could provide different sanitizers for different ELs used now and in future.

WDYT?
                
> getText methods are not documented as evaluating OGNL
> -----------------------------------------------------
>
>                 Key: WW-4171
>                 URL: https://issues.apache.org/jira/browse/WW-4171
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 2.3.15.1
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Lukasz Lenart
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.16
>
>
> The methods below evaluate OGNL as their first parameter. However they are 
> not documented as evaluating OGNL. We have observed this occurring in one 
> project and are contacting the affected vendors.
> com.opensymphony.xwork2.TextProviderSupport.getText(String, String[])
> com.opensymphony.xwork2.TextProviderSupport.getText(String, List<?>)
> com.opensymphony.xwork2.TextProviderSupport.getText(String)
> These methods are then used by ActionSupport (via its getText methods). None 
> of these methods are documented as evaluating OGNL either.
> This issue is recommending that all of these methods are documented as 
> evaluating OGNL since this may come as a surprise to some developers.
