[ https://issues.apache.org/jira/browse/WW-5407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kusal Kithul-Godage resolved WW-5407. ------------------------------------- Resolution: Fixed > Extend SecurityMemberAccess proxy detection to Hibernate proxies > ---------------------------------------------------------------- > > Key: WW-5407 > URL: https://issues.apache.org/jira/browse/WW-5407 > Project: Struts 2 > Issue Type: Improvement > Components: Core > Reporter: Kusal Kithul-Godage > Priority: Minor > Fix For: 6.5.0 > > Time Spent: 2h 20m > Remaining Estimate: 0h > > The current option {{struts.disallowProxyMemberAccess}} does not have any > logic to detect Hibernate proxies which may also present a security risk. > Additionally, the current option only forbids access to members which > originate from a proxy. However, it makes more sense to forbid access to > proxy objects entirely. This is because proxying is often used for sensitive > instances, application beans or Hibernate objects. None of which is safe to > be accessed or manipulated via OGNL. Thus, let's introduce an additional > option {{struts.disallowProxyObjectAccess}} which will offer stronger > protection. > Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, > this can potentially be attacked and lead to a memory leak or DoS. Let's > replace it with a Caffeine cache as we have done previously for the OGNL > expression cache. -- This message was sent by Atlassian Jira (v8.20.10#820010)