yasserzamani commented on a change in pull request #483:
URL: https://github.com/apache/struts/pull/483#discussion_r615233956
##########
File path: core/src/main/java/org/apache/struts2/components/Component.java
##########
@@ -571,4 +576,39 @@ public boolean isValidTagAttribute(String attrName) {
return standardAttributes;
}
+ protected boolean isAccepted(String paramName) {
+ AcceptedPatternsChecker.IsAccepted result =
acceptedPatterns.isAccepted(paramName);
+ if (result.isAccepted()) {
+ return true;
+ }
+
+ LOG.warn("Parameter [{}] didn't match accepted pattern [{}]! See
Accepted / Excluded patterns at\n" +
+
"https://struts.apache.org/security/#accepted--excluded-patterns",
+ paramName, result.getAcceptedPattern());
+
+ return false;
+ }
+
+ protected boolean isExcluded(String paramName) {
+ ExcludedPatternsChecker.IsExcluded result =
excludedPatterns.isExcluded(paramName);
+ if (!result.isExcluded()) {
+ return false;
+ }
+
+ LOG.warn("Parameter [{}] matches excluded pattern [{}]! See Accepted /
Excluded patterns at\n" +
+
"https://struts.apache.org/security/#accepted--excluded-patterns",
+ paramName, result.getExcludedPattern());
+
+ return true;
+ }
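Review bot: Both helpers log at WARN and interpolate the rejected `paramName` verbatim into the message; per the discussion below this value is a parsed tag attribute that can include request-derived parts (the evaluated `fooIndex` in `array[%{fooIndex}]`), so every rejected name lands in the log on each evaluation. Consider logging at DEBUG, or keep WARN but rate the messages as expected noise for anyone tuning alerting on this logger. Also, `isAccepted` and `isExcluded` are new `protected` members of a widely subclassed class with no Javadoc; a one-line comment on each should state that they return the result of the pattern check for a single name and that the two methods return opposite booleans for the "reject" case (`isAccepted` false, `isExcluded` true), since a subclass reading only one of them can easily invert the condition.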
Review comment:
Thanks for your review! Yes, those interceptors probably already have
validated them, but here I revalidate some of them before reevaluating,
because some of them need to be reevaluated (e.g. name, alias, etc.), so I
revalidate them beforehand if they're really going to be double evaluated. For
example, if name is the `getName()` expression, then I don't validate it, because our
translateVariable actually doesn't evaluate it and returns it as is, but when
name is `array[%{fooIndex}]`, then I validate its parsed result if it's going to
go for a second evaluation. For instance, if its parsed result is `array[1]`, then
it passes my validation here, but if it's `array[1-1]`, Struts doesn't allow this
anymore :)