[
https://issues.apache.org/jira/browse/WW-5627?focusedWorklogId=1020280&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1020280
]
ASF GitHub Bot logged work on WW-5627:
--------------------------------------
Author: ASF GitHub Bot
Created on: 14/May/26 15:28
Start Date: 14/May/26 15:28
Worklog Time Spent: 10m
Work Description: sonarqubecloud[bot] commented on PR #1681:
URL: https://github.com/apache/struts/pull/1681#issuecomment-4452121806
## [](https://sonarcloud.io/dashboard?id=apache_struts&pullRequest=1681)
**Quality Gate passed**
Issues
 [1 New
issue](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=1681&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
 [0 Accepted
issues](https://sonarcloud.io/project/issues?id=apache_struts&pullRequest=1681&issueStatuses=ACCEPTED)
Measures
 [0 Security
Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts&pullRequest=1681&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
 [88.7% Coverage on New
Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=1681&metric=new_coverage&view=list)
 [0.0% Duplication on New
Code](https://sonarcloud.io/component_measures?id=apache_struts&pullRequest=1681&metric=new_duplicated_lines_density&view=list)
<!
Issue Time Tracking
-------------------
Worklog Id: (was: 1020280)
Time Spent: 50m (was: 40m)
> CookieInterceptor bypasses @StrutsParameter authorization
> ---------------------------------------------------------
>
> Key: WW-5627
> URL: https://issues.apache.org/jira/browse/WW-5627
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 7.2.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> h2. Problem
>
> {{CookieInterceptor.populateCookieValueIntoStack}} calls
> {{stack.setValue(cookieName, cookieValue)}} directly
> ({{CookieInterceptor.java}} lines 339 and 348), which:
> - bypasses {{StrutsParameterAuthorizer}} / {{@StrutsParameter}} enforcement,
> - never primes {{ThreadAllowlist}}.
>
> Cookie injection therefore does not participate in the
> parameter-authorization machinery that {{ParametersInterceptor}}, the JSON
> plugin, and (post-[WW-5626|https://issues.apache.org/jira/browse/WW-5626])
> the REST plugin all share.
>
> h2. Impact
> When {{cookiesName=*}} is configured, every public setter on the action — and
> (subject to allowlist) any setter reachable through getter chains from the
> value-stack root — is writeable from cookie input without any
> {{@StrutsParameter}} opt-in. The OGNL allowlist (default {{enable=true}}
> since 7.0) blocks the nested-bean route via {{SecurityMemberAccess}}, but it
> does not require setters to be annotated with {{@StrutsParameter}}, so
> action-level setters remain reachable.
> h2. Proposed fix
>
> Replace {{stack.setValue}} in {{populateCookieValueIntoStack}} with
> {{stack.setParameter}} (or invoke {{StrutsParameterAuthorizer}} directly) so
> cookie injection participates in {{@StrutsParameter}} enforcement and
> {{ThreadAllowlist}} priming, aligning {{CookieInterceptor}} with
> {{ParametersInterceptor}}, the JSON plugin, and the REST plugin.
> h2. Dependencies
>
> Builds on [WW-5626|https://issues.apache.org/jira/browse/WW-5626] — reuses
> {{ParameterAuthorizationContext}} and {{ParameterAuthorizer.resolveTarget}}.
>
> h2. Backward compatibility
>
> Behavior change: apps relying on cookies populating un-annotated setters will
> stop working under strict authorization. Affected users must either add
> {{@StrutsParameter}} to the relevant setters or drop {{cookiesName=*}}.
> Migration-guide entry required.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
