[jira] [Work logged] (WW-5115) Reduce logging for DMI excluded parameters

ASF GitHub Bot (Jira) Sat, 23 Jan 2021 08:32:04 -0800


     [ 
https://issues.apache.org/jira/browse/WW-5115?focusedWorklogId=540559&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-540559
 ]


ASF GitHub Bot logged work on WW-5115:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Jan/21 16:31
            Start Date: 23/Jan/21 16:31
    Worklog Time Spent: 10m 
      Work Description: lukaszlenart commented on a change in pull request #469:
URL: https://github.com/apache/struts/pull/469#discussion_r563171653



##########
File path: 
core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
##########
@@ -324,12 +324,12 @@ protected boolean isAccepted(String paramName) {
     protected boolean isExcluded(String paramName) {
         ExcludedPatternsChecker.IsExcluded result = 
excludedPatterns.isExcluded(paramName);
         if (result.isExcluded()) {
-            if (devMode) { // warn only when in devMode
+            if (devMode && result.isLog()) { // warn only when in devMode and 
required

Review comment:
       What's the reason of ignoring some patterns and some not in logging?

##########
File path: 
core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
##########
@@ -84,6 +85,14 @@ protected void setDynamicMethodInvocation(String dmiValue) {
         if (!BooleanUtils.toBoolean(dmiValue)) {
             LOG.debug("DMI is disabled, adding DMI related excluded patterns");
             setAdditionalExcludePatterns("^(action|method):.*");
+        } else {
+            LOG.debug("DMI is enabled, adding DMI related ignored patterns");
+            ignoredPatterns = new HashSet<>();
+            try {
+                ignoredPatterns.add(Pattern.compile("^(action|method):.*", 
Pattern.CASE_INSENSITIVE));
+            } finally {
+               ignoredPatterns = Collections.unmodifiableSet(ignoredPatterns);
+            }

Review comment:
       Basically right now it doesn't matter if DMI is enabled or not, 
`action|method` will be excluded. Wouldn't be better to just extend the base 
RegEx? Or setup this pattern in constructor?
   
   ```java
   public DefaultExcludedPatternsChecker() {
       setExcludedPatterns(EXCLUDED_PATTERNS);
       setAdditionalExcludePatterns("^(action|method):.*");
   }
   ```
   
   So then additional `ignoredPatterns` field is not needed.
   

##########
File path: 
core/src/main/java/com/opensymphony/xwork2/security/ExcludedPatternsChecker.java
##########
@@ -66,18 +66,24 @@
 
         private final boolean excluded;
         private final String excludedPattern;
+        private final boolean log;

Review comment:
       I'm not a fun of such flags as they are quite misleading and control 
something out of scope of this class.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 540559)
    Time Spent: 0.5h  (was: 20m)

> Reduce logging for DMI excluded parameters 
> -------------------------------------------
>
>                 Key: WW-5115
>                 URL: https://issues.apache.org/jira/browse/WW-5115
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.5.25
>            Reporter: Greg Huber
>            Assignee: Greg Huber
>            Priority: Minor
>             Fix For: 2.5.27
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There are unnecessary log warning when DMI is enabled, from the 
> ParametersInterceptor.  
> WARN  com.opensymphony.xwork2.interceptor.ParametersInterceptor 
> ParametersInterceptor:isAccepted - Parameter [action:myAction!save] didn't 
> match accepted pattern 
> [[\w+((\.\w+)|(\[\d+])|(\(\d+\))|(\['(\w|[\u4e00-\u9fa5])+'])|(\('(\w|[\u4e00-\u9fa5])+'\)))*]]!
>  See Accepted / Excluded patterns at 
> https://struts.apache.org/security/#accepted--excluded-patterns
> eg the property 'action:myAction!save' should not be considered as a 
> bean/property parameter, as its used as part of DMI to submit the form.
> Any property which matches the DMI method invocation "^(action|method):.*" 
> needs to be silently ignored and not logged in devMode=true.
> DMI_AWARE_ACCEPTED_PATTERNS can also be dropped from 
> DefaultAcceptedPatternsChecker as the DMI action|method would never be a form 
> property.
> public static final String[] DMI_AWARE_ACCEPTED_PATTERNS = {
>             
> "\\w+([:]?\\w+)?((\\.\\w+)|(\\[\\d+])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*([!]?\\w+)?"
> };



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Work logged] (WW-5115) Reduce logging for DMI excluded parameters

Reply via email to