[jira] [Created] (WW-5627) CookieInterceptor bypasses @StrutsParameter authorization

Sat, 09 May 2026 03:07:09 -0700 

Lukasz Lenart created WW-5627:
---------------------------------

             Summary: CookieInterceptor bypasses @StrutsParameter authorization
                 Key: WW-5627
                 URL: https://issues.apache.org/jira/browse/WW-5627
             Project: Struts 2
          Issue Type: Improvement
          Components: Core Interceptors
            Reporter: Lukasz Lenart
             Fix For: 7.2.0


  h2. Problem
  
  {{CookieInterceptor.populateCookieValueIntoStack}} calls 
{{stack.setValue(cookieName, cookieValue)}} directly 
({{CookieInterceptor.java}} lines 339 and 348), which:
  
  - bypasses {{StrutsParameterAuthorizer}} / {{@StrutsParameter}} enforcement,
  - never primes {{ThreadAllowlist}}.
  
  Cookie injection therefore does not participate in the 
parameter-authorization machinery that {{ParametersInterceptor}}, the JSON 
plugin, and (post-[WW-5626|https://issues.apache.org/jira/browse/WW-5626]) the 
REST plugin all share.
  
  h2. Impact

  When {{cookiesName=*}} is configured, every public setter on the action — and 
(subject to allowlist) any setter reachable through getter chains from the 
value-stack root — is writeable from cookie input without any 
{{@StrutsParameter}} opt-in. The OGNL allowlist (default {{enable=true}} since 
7.0) blocks
  the nested-bean route via {{SecurityMemberAccess}}, but it does not require 
setters to be annotated with {{@StrutsParameter}}, so action-level setters 
remain reachable.

  h2. Proposed fix
  
  Replace {{stack.setValue}} in {{populateCookieValueIntoStack}} with 
{{stack.setParameter}} (or invoke {{StrutsParameterAuthorizer}} directly) so 
cookie injection participates in {{@StrutsParameter}} enforcement and 
{{ThreadAllowlist}} priming, aligning {{CookieInterceptor}} with 
{{ParametersInterceptor}},
   the JSON plugin, and the REST plugin.

  h2. Dependencies
  
  Builds on [WW-5626|https://issues.apache.org/jira/browse/WW-5626] — reuses 
{{ParameterAuthorizationContext}} and {{ParameterAuthorizer.resolveTarget}}.
  
  h2. Backward compatibility
  
  Behavior change: apps relying on cookies populating un-annotated setters will 
stop working under strict authorization. Affected users must either add 
{{@StrutsParameter}} to the relevant setters or drop {{cookiesName=*}}. 
Migration-guide entry required.




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to