[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=913559&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913559 ]
ASF GitHub Bot logged work on WW-5407: -------------------------------------- Author: ASF GitHub Bot Created on: 09/Apr/24 04:46 Start Date: 09/Apr/24 04:46 Worklog Time Spent: 10m Work Description: kusalk commented on code in PR #911: URL: https://github.com/apache/struts/pull/911#discussion_r1556884093 ########## core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java: ########## @@ -18,13 +18,20 @@ */ package com.opensymphony.xwork2.util; +import com.opensymphony.xwork2.ognl.DefaultOgnlCacheFactory; +import com.opensymphony.xwork2.ognl.OgnlCache; +import com.opensymphony.xwork2.ognl.OgnlCacheFactory; import org.apache.commons.lang3.reflect.ConstructorUtils; import org.apache.commons.lang3.reflect.FieldUtils; import org.apache.commons.lang3.reflect.MethodUtils; +import org.hibernate.proxy.HibernateProxy; Review Comment: The dependency is optional and the check silently skipped :) Issue Time Tracking ------------------- Worklog Id: (was: 913559) Time Spent: 0.5h (was: 20m) > Extend SecurityMemberAccess proxy detection to Hibernate proxies > ---------------------------------------------------------------- > > Key: WW-5407 > URL: https://issues.apache.org/jira/browse/WW-5407 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Kusal Kithul-Godage > Priority: Minor > Fix For: 6.5.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > The current option {{struts.disallowProxyMemberAccess}} does not have any > logic to detect Hibernate proxies which may also present a security risk. > Additionally, the current option only forbids access to members which > originate from a proxy. However, it makes more sense to forbid access to > proxy objects entirely. This is because proxying is often used for sensitive > instances, application beans or Hibernate objects. None of which is safe to > be accessed or manipulated via OGNL. Thus, let's introduce an additional > option {{struts.disallowProxyObjectAccess}} which will offer stronger > protection. > Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, > this can potentially be attacked and lead to a memory leak or DoS. Let's > replace it with a Caffeine cache as we have done previously for the OGNL > expression cache. -- This message was sent by Atlassian Jira (v8.20.10#820010)