yasserzamani commented on a change in pull request #483:
URL: https://github.com/apache/struts/pull/483#discussion_r615233956
##########
File path: core/src/main/java/org/apache/struts2/components/Component.java
##########
@@ -571,4 +576,39 @@ public boolean isValidTagAttribute(String attrName) {
return standardAttributes;
}
+ protected boolean isAccepted(String paramName) {
+ AcceptedPatternsChecker.IsAccepted result =
acceptedPatterns.isAccepted(paramName);
+ if (result.isAccepted()) {
+ return true;
+ }
+
+ LOG.warn("Parameter [{}] didn't match accepted pattern [{}]! See
Accepted / Excluded patterns at\n" +
+
"https://struts.apache.org/security/#accepted--excluded-patterns",
+ paramName, result.getAcceptedPattern());
+
+ return false;
+ }
+
+ protected boolean isExcluded(String paramName) {
+ ExcludedPatternsChecker.IsExcluded result =
excludedPatterns.isExcluded(paramName);
+ if (!result.isExcluded()) {
+ return false;
+ }
+
+ LOG.warn("Parameter [{}] matches excluded pattern [{}]! See Accepted /
Excluded patterns at\n" +
+
"https://struts.apache.org/security/#accepted--excluded-patterns",
+ paramName, result.getExcludedPattern());
+
+ return true;
+ }
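Review bot: in the rejection branch of `isAccepted` (the `LOG.warn` after the early `return true`), `result.getAcceptedPattern()` is the pattern that matched, so when nothing matched it will generally be null and the message reads "didn't match accepted pattern [null]", which tells an operator little; either log the configured accepted patterns or drop that placeholder. Both methods also write `paramName` verbatim into a WARN line, and per the discussion this name can be the parsed result of a `%{...}` placeholder, i.e. request-influenced text, checked on each tag evaluation; worth keeping the volume and the logged content in mind. A short Javadoc on both new protected methods saying they re-validate an already-translated name before it is evaluated a second time would make the intent clear to the next reader.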
Review comment:
Thanks for your review! Yes, those interceptors probably already have
validated them, but here I revalidate some of them before reevaluating, because
some of them need to be reevaluated (e.g. name, alias, etc.), so I revalidate them
before, if they're really going to be double evaluated. For example, if name is a
`getName()` expression then I don't validate it, because our translateVariable
actually doesn't evaluate it and returns it as is, but when name is
`array[%{fooIndex}]` then I validate its parsed result if it's going to go for a
second evaluation. For instance, if its parsed result is `array[1]` then it
passes my validation here, but if it's `array[1-1]` Struts doesn't allow this
anymore :)
--
This is an automated message from the Apache Git Service.
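The rule described in the comment, as an added example that is not part of the pull request or of Struts itself: a name without a `%{...}` placeholder is never translated, so it is not double evaluated and needs no re-check, while a translated result such as `array[1]` or `array[1-1]` is run through the accepted and excluded checks before any second evaluation. The `ACCEPTED` and `EXCLUDED` regexes, the `translateVariable` stand-in and the map used as a value stack are assumptions chosen to illustrate the behaviour, not the project's real `AcceptedPatternsChecker` / `ExcludedPatternsChecker` defaults.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical stand-in for the guard discussed in the review; not Struts code. */
public class DoubleEvaluationGuard {
    // Assumed, deliberately simplified patterns (Struts' real defaults are broader):
    // a bare identifier, optionally followed by .field or [digits] segments.
    private static final Pattern ACCEPTED =
            Pattern.compile("\\w+((\\.\\w+)|(\\[\\d+\\]))*");
    // Names reaching into runtime objects are never allowed, even if otherwise well formed.
    private static final Pattern EXCLUDED =
            Pattern.compile("(^|%\\{)(#?)(class|_memberAccess|session|request|application)(\\.|\\[).*");
    // First-pass placeholder syntax, %{expr}.
    private static final Pattern PLACEHOLDER = Pattern.compile("%\\{([^}]*)\\}");

    /** First pass: substitute each %{key} with the value from a toy "value stack" map. */
    static String translateVariable(String expr, Map<String, String> stack) {
        Matcher m = PLACEHOLDER.matcher(expr);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String value = stack.getOrDefault(m.group(1), "");
            m.appendReplacement(sb, Matcher.quoteReplacement(value));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    static boolean isAccepted(String name) {
        return ACCEPTED.matcher(name).matches();
    }

    static boolean isExcluded(String name) {
        return EXCLUDED.matcher(name).matches();
    }

    /**
     * Returns the name that may safely go to a second evaluation, or throws.
     * Only an expression that actually contained a placeholder is translated,
     * so only its parsed result is re-validated, mirroring the comment above.
     */
    static String safeToReevaluate(String expr, Map<String, String> stack) {
        if (!PLACEHOLDER.matcher(expr).find()) {
            // e.g. getName(): returned as-is by translation, never double evaluated.
            return expr;
        }
        String parsed = translateVariable(expr, stack);
        if (isExcluded(parsed) || !isAccepted(parsed)) {
            throw new IllegalArgumentException("rejected before second evaluation: " + parsed);
        }
        return parsed;
    }

    public static void main(String[] args) {
        Map<String, String> stack = new HashMap<>();   // constructed sample values
        stack.put("fooIndex", "1");
        stack.put("badIndex", "1-1");
        stack.put("probe", "#session");

        System.out.println(safeToReevaluate("getName()", stack));            // getName(), untouched
        System.out.println(safeToReevaluate("array[%{fooIndex}]", stack));   // array[1], accepted

        for (String expr : new String[] {"array[%{badIndex}]", "%{probe}['user']"}) {
            try {
                safeToReevaluate(expr, stack);
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());   // array[1-1] and #session['user'] are refused
            }
        }
    }
}
```

The check runs on the parsed result rather than on the raw attribute because that is the text the second evaluation would actually see; validating `array[%{fooIndex}]` before translation would say nothing about what `fooIndex` expands to.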