[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611461#comment-17611461 ]

ASF subversion and git services commented on WW-5184:

Commit 5338b44c233dbc7a26a5b0c6b0993d770fa5340e in struts's branch refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=5338b44c2 ]
WW-5184 Reduces code complexity when handling excluded/accepted values patterns

> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
> Issue Type: Improvement
> Affects Versions: 6.0.0
> Reporter: Brian Andle
> Priority: Major
> Fix For: 6.1.0
>
> Time Spent: 6h 50m
> Remaining Estimate: 0h
>
> It is known that developers utilizing Struts/Freemarker should always ensure
> proper sanitization to prevent OGNL/Freemarker evaluation on untrusted user
> input when `%{`/`${` in FTL is being passed into Struts tags.
> These patterns aren't always practical to resolve/find, especially in legacy
> code. This isn't solely a legacy code issue of course; it's just as easy to
> make a mistake in newer code as well.
>
> The following would end up rendering 81
>
> Payload:
> {code:java}
> untrustedInput=%25%7B9%2A9%7D
> {code}
>
> FTL:
> {code:java}
> <@s.form theme="simple" action="${untrustedInput}" id="myForm4">
> {code}
>
> Java:
> {code:java}
> private String untrustedInput;
>
> public String getUntrustedInput() {
>     return untrustedInput;
> }
>
> public void setUntrustedInput(String untrustedInput) {
>     this.untrustedInput = untrustedInput;
> }
> {code}
>
> This ticket is to add an optional `params.excludeValuePatterns` so that
> ParametersInterceptor can drop the incoming parameter itself if the value matches
> a pattern to be excluded.
>
> {code:java}
> <param name="params.excludeValuePatterns">.*\$\{.*?\}.*,.*%\{.*?\}.*</param>
> {code}
>
> Since this is a pattern and would be executed against the values themselves,
> there is the potential of a performance impact; however, since it's optional
> we shouldn't see any measurable impact when not enabled.
>
> *NOTE:* I did add a `params.acceptValuePatterns` pattern that is
> null/disabled by default. This might not ever be used but mimicked the Pattern
> matcher in the ParametersInterceptor/CookieInterceptor.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
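The value check the ticket describes, modelled as a small stand-alone class. This is an added example and not Struts' own ParametersInterceptor code; the class name ParamValueFilter, its method names, the DOTALL flag and the constructed request parameters are assumptions made here, and the real interceptor's matching semantics should be read from the Struts source. The model applies the ticket's suggested excludeValuePatterns to already URL-decoded values (the %25%7B9%2A9%7D payload decodes to %{9*9}), treats acceptValuePatterns as disabled when it is not configured, drops a parameter when any of its values fails the check, and logs only the parameter name, in line with the later WW-5184 commit that stops logging the rejected value.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not Struts' own code: a stand-alone model of the value check
 * WW-5184 asks ParametersInterceptor to perform. Names are assumptions.
 */
public final class ParamValueFilter {

    private final List<Pattern> excludeValuePatterns;
    private final List<Pattern> acceptValuePatterns;

    /**
     * @param excludeCsv comma-separated regexes; a value matching any of them is rejected
     * @param acceptCsv  comma-separated regexes; null/empty disables the accept check
     *                   (the ticket's default for params.acceptValuePatterns)
     */
    public ParamValueFilter(String excludeCsv, String acceptCsv) {
        this.excludeValuePatterns = compile(excludeCsv);
        this.acceptValuePatterns = compile(acceptCsv);
    }

    private static List<Pattern> compile(String csv) {
        List<Pattern> patterns = new ArrayList<>();
        if (csv == null) {
            return patterns;
        }
        for (String raw : csv.split(",")) {
            String trimmed = raw.trim();
            if (!trimmed.isEmpty()) {
                // DOTALL (a choice made for this example) so a newline inside the
                // value cannot stop ".*" from spanning the whole string.
                patterns.add(Pattern.compile(trimmed, Pattern.DOTALL));
            }
        }
        return patterns;
    }

    /** Whole-string match, as the ticket's ".*...*" patterns expect. */
    private static boolean matchesAny(List<Pattern> patterns, String value) {
        for (Pattern p : patterns) {
            if (p.matcher(value).matches()) {
                return true;
            }
        }
        return false;
    }

    /** True if the (already URL-decoded) value may be passed on to the action setter. */
    public boolean isAcceptableValue(String value) {
        if (value == null) {
            return true;
        }
        if (matchesAny(excludeValuePatterns, value)) {
            return false;
        }
        // The accept list is optional: when not configured, every non-excluded value passes.
        return acceptValuePatterns.isEmpty() || matchesAny(acceptValuePatterns, value);
    }

    /**
     * Drops every parameter that has at least one unacceptable value, mirroring the
     * ticket's "drop the incoming parameter itself". Only the name is logged; the
     * rejected value is deliberately kept out of the log.
     */
    public Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            boolean acceptable = true;
            for (String v : e.getValue()) {
                if (!isAcceptableValue(v)) {
                    acceptable = false;
                    break;
                }
            }
            if (acceptable) {
                kept.put(e.getKey(), e.getValue());
            } else {
                System.out.println("Parameter [" + e.getKey()
                        + "] dropped: value did not pass excludeValuePatterns/acceptValuePatterns");
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // The ticket's suggested configuration, written as a Java string literal.
        ParamValueFilter filter = new ParamValueFilter(".*\\$\\{.*?\\}.*,.*%\\{.*?\\}.*", null);

        // Constructed request parameters; the first is the ticket's payload after URL decoding.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("untrustedInput", new String[] {"%{9*9}"});
        request.put("greeting", new String[] {"hello ${user.name}"});
        request.put("name", new String[] {"alice"});
        request.put("multi", new String[] {"ok", "%{1+1}"});

        Map<String, String[]> safe = filter.filter(request);
        System.out.println("surviving parameters: " + safe.keySet());
    }
}
```

Compile with javac and run the class; only the parameter whose values carry neither `${...}` nor `%{...}` survives. The filter is defence in depth: as the description says, the root cause is FTL passing untrusted input into a Struts tag attribute that gets evaluated, and the pattern check only stops such values before the setter receives them. Because every value is matched against every configured pattern, it should stay disabled where it is not needed, which is the performance point the ticket makes.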
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611460#comment-17611460 ]

ASF subversion and git services commented on WW-5184:

Commit cbfd3a7ab94b1fda96536a88eee56a1e9e63fc64 in struts's branch refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=cbfd3a7ab ]
WW-5184 Improves logging around excluding/accepting values of incoming parameters
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611462#comment-17611462 ]

ASF subversion and git services commented on WW-5184:

Commit 58f287bf4a89ca87f8c13d4ba96e38f803d86e60 in struts's branch refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=58f287bf4 ]
Merge pull request #607 from apache/WW-5184-log

[WW-5184] Uses debug log level when parameter value was not accepted
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611459#comment-17611459 ]

ASF subversion and git services commented on WW-5184:

Commit ddbd02e6bb4c00b647e1a8f89610d5ff3165aeb6 in struts's branch refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=ddbd02e6b ]
WW-5184 Uses debug log level when parameter value was not accepted
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611380#comment-17611380 ]

ASF subversion and git services commented on WW-5184:

Commit 5338b44c233dbc7a26a5b0c6b0993d770fa5340e in struts's branch refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=5338b44c2 ]
WW-5184 Reduces code complexity when handling excluded/accepted values patterns
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611378#comment-17611378 ]

ASF subversion and git services commented on WW-5184:

Commit cbfd3a7ab94b1fda96536a88eee56a1e9e63fc64 in struts's branch refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=cbfd3a7ab ]
WW-5184 Improves logging around excluding/accepting values of incoming parameters
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611373#comment-17611373 ]

ASF subversion and git services commented on WW-5184:

Commit 8bd91b36048eab8c13dbe3e2eb12303f9b18388e in struts's branch refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=8bd91b360 ]
WW-5184 Uses the same pattern with devMode logging as in other check methods
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17610468#comment-17610468 ]

ASF subversion and git services commented on WW-5184:

Commit acdf452a3b5af6b8fd7560126c0f0a9cc0f4b15f in struts's branch refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=acdf452a3 ]
WW-5184 Stops logging value of unaccepted parameter to avoid potential vulnerability
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17610451#comment-17610451 ]

ASF subversion and git services commented on WW-5184:

Commit ddbd02e6bb4c00b647e1a8f89610d5ff3165aeb6 in struts's branch refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=ddbd02e6b ]
WW-5184 Uses debug log level when parameter value was not accepted
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606665#comment-17606665 ]

ASF GitHub Bot commented on WW-5184:

brianandle commented on PR #170:
URL: https://github.com/apache/struts-site/pull/170#issuecomment-1251236323

Yes, it's ready
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606606#comment-17606606 ]

ASF subversion and git services commented on WW-5184:

Commit 3c8e0710fe47b92ba8bd15d667660f2a67eb6d4b in struts-site's branch refs/heads/master from brianandle
[ https://gitbox.apache.org/repos/asf?p=struts-site.git;h=3c8e0710f ]
Update docs for WW-5184 (#170)

* Update parameters-interceptor.md
  Updating for excludeValuePatterns/WW-5184
  NOTE: The existing "Using `ParameterNameAware` could be dangerous as `ParameterNameAware#acceptableParameterName(String)`" text is wrong because of WW-4323, but I see that's slated to be fixed in 6.1.0.
* Update parameters-interceptor.md
* Update parameters-interceptor.md
* Update parameters-interceptor.md
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606605#comment-17606605 ]

ASF GitHub Bot commented on WW-5184:

lukaszlenart merged PR #170:
URL: https://github.com/apache/struts-site/pull/170
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606599#comment-17606599 ]

ASF GitHub Bot commented on WW-5184:

lukaszlenart commented on PR #170:
URL: https://github.com/apache/struts-site/pull/170#issuecomment-1251021119

is it ready?
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604877#comment-17604877 ]

Brian Andle commented on WW-5184:

Thanks [~lukaszlenart]
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604780#comment-17604780 ]

ASF subversion and git services commented on WW-5184:
-----------------------------------------------------

Commit 5763476830bcb71cef69fbd602f491330fa159fe in struts's branch refs/heads/master from Brian Andle
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=576347683 ]

WW-5184 - Change info to warn from peer review
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604779#comment-17604779 ]

ASF subversion and git services commented on WW-5184:
-----------------------------------------------------

Commit 105b22fb9a4a02a1719f73cb035a8e249d876554 in struts's branch refs/heads/master from Brian Andle
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=105b22fb9 ]

WW-5184 - Add optional parameter value check to ParametersInterceptor
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604782#comment-17604782 ]

ASF subversion and git services commented on WW-5184:
-----------------------------------------------------

Commit a5899726a0791863c7abe4680e07ae5c69cc8113 in struts's branch refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=a5899726a ]

Merge pull request #559 from brianandle/WW-5184_v2

WW-5184 - Add optional parameter value check to ParametersInterceptor
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604781#comment-17604781 ]

ASF subversion and git services commented on WW-5184:
-----------------------------------------------------

Commit 584634a9b5ed66eabc5655a49d704a7038bd1e27 in struts's branch refs/heads/master from Brian Andle
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=584634a9b ]

WW-5184 - Added ParameterValueAware interface and unit test
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17550073#comment-17550073 ]

Brian Andle commented on WW-5184:
---------------------------------

Created [https://github.com/apache/struts/pull/559/files] for master branch
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17545901#comment-17545901 ]

Brian Andle commented on WW-5184:
---------------------------------

Review comments implemented. 3 of the 4 pipeline tests passed. The Java 7 failed for the same JAVA_HOME issue as above.
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17545658#comment-17545658 ]

Brian Andle commented on WW-5184:
---------------------------------

Looks like the Java 7 and 11 pipelines failed because of environment setup issues.

The JAVA_HOME environment variable is not defined correctly
This environment variable is needed to run this program
NB: JAVA_HOME should point to a JDK not a JRE
[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor
[ https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17545637#comment-17545637 ]

Brian Andle commented on WW-5184:
---------------------------------

Created https://github.com/apache/struts/pull/557

> Add optional parameter value check to ParametersInterceptor
> -----------------------------------------------------------
>
>          Key: WW-5184
>          URL: https://issues.apache.org/jira/browse/WW-5184
>      Project: Struts 2
>   Issue Type: Improvement
>     Reporter: Brian Andle
>     Priority: Major
>
> It is known that developers utilizing Struts/Freemarker should always ensure
> proper sanitization to prevent OGNL/Freemarker evaluation on untrusted user
> input when %{/$\{ in FTL being passed into Struts tags.
> The following would end up rendering 81
> Payload:
> {code:java}
> untrustedInput=%25%7B9%2A9%7D
> {code}
> FTL:
> {code:java}
> <@s.form theme="simple" action="${untrustedInput}" id="myForm4">
> {code}
> Java:
> {code:java}
> private String untrustedInput;
>
> public String getUntrustedInput() {
>     return untrustedInput;
> }
>
> public void setUntrustedInput(String untrustedInput) {
>     this.untrustedInput = untrustedInput;
> }
> {code}
>
> These patterns aren't always practical to resolve/find, especially in legacy
> code. This isn't solely a legacy code issue, of course; it's just as easy to make a
> mistake in newer code as well.
> This ticket is to add an optional `params.excludeValuePatterns` so that
> ParametersInterceptor can drop the incoming parameter itself if the value
> patterns are excluded.
>
> {code:java}
> .*\$\{.*?\}.*,.*%\{.*?\}.*
> {code}
>
> Since this is a pattern and would be executed against the values themselves
> there is the potential of a performance impact; however, since it's optional
> we shouldn't see any measurable impact when not enabled.
>
> *NOTE:* I did add a `params.acceptValuePatterns` pattern that is
> null/disabled by default. This might not ever be used but mimic'd the Pattern
> matcher of the ParametersInterceptor/CookieInterceptor.
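As an added illustration of the check the ticket describes (this is not Struts' own ParametersInterceptor code, nor code from the pull request), the stand-alone Java class below compiles the comma-separated `params.excludeValuePatterns` value into regexes, tests every incoming parameter value against them, and drops a parameter whose value matches, logging the drop at warn level. The class and method names, the `DOTALL` flag and the sample request are this example's assumptions; the two patterns are the ones quoted in the ticket.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Illustration only: a stand-alone re-creation of the check WW-5184 asks for,
// not the code of Struts' ParametersInterceptor. Class and method names are
// invented for this example.
public class ParameterValueFilter {

    // The patterns the ticket proposes for params.excludeValuePatterns:
    // drop any value that contains ${...} or %{...}.
    public static final String TICKET_EXCLUDE_VALUE_PATTERNS =
            ".*\\$\\{.*?\\}.*,.*%\\{.*?\\}.*";

    private final Set<Pattern> excludePatterns = new LinkedHashSet<>();
    private final Set<Pattern> acceptPatterns = new LinkedHashSet<>();

    // Comma-separated list, the same shape as the
    // <param name="params.excludeValuePatterns"> value quoted in the ticket.
    public void setExcludeValuePatterns(String commaSeparated) {
        excludePatterns.clear();
        excludePatterns.addAll(compile(commaSeparated));
    }

    // Optional allow-list, null/disabled by default as the ticket's NOTE says.
    public void setAcceptValuePatterns(String commaSeparated) {
        acceptPatterns.clear();
        if (commaSeparated != null) {
            acceptPatterns.addAll(compile(commaSeparated));
        }
    }

    // DOTALL is this example's choice: without it "." does not match a newline,
    // so a value with a line break before "${" would not match ".*\$\{.*?\}.*"
    // under matches(), which requires the whole string to match.
    private static Set<Pattern> compile(String commaSeparated) {
        Set<Pattern> out = new LinkedHashSet<>();
        for (String p : commaSeparated.split(",")) {
            if (!p.trim().isEmpty()) {
                out.add(Pattern.compile(p.trim(), Pattern.DOTALL));
            }
        }
        return out;
    }

    // A value is rejected if it matches any exclude pattern; when accept
    // patterns are configured it must additionally match one of them.
    public boolean isAcceptableValue(String value) {
        if (value == null) {
            return true;
        }
        if (excludePatterns.stream().anyMatch(p -> p.matcher(value).matches())) {
            return false;
        }
        return acceptPatterns.isEmpty()
                || acceptPatterns.stream().anyMatch(p -> p.matcher(value).matches());
    }

    // Returns a copy of the request parameters with rejected ones removed and
    // logs each drop at warn level so it is visible in operations.
    public Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (Arrays.stream(e.getValue()).allMatch(this::isAcceptableValue)) {
                kept.put(e.getKey(), e.getValue());
            } else {
                System.err.println("WARN parameter [" + e.getKey()
                        + "] did not pass the value patterns check, dropping it");
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        ParameterValueFilter filter = new ParameterValueFilter();
        filter.setExcludeValuePatterns(TICKET_EXCLUDE_VALUE_PATTERNS);

        // Constructed request: the ticket's payload after the container has
        // URL-decoded "%25%7B9%2A9%7D", plus two other parameters.
        Map<String, String[]> incoming = new LinkedHashMap<>();
        incoming.put("untrustedInput", new String[] {"%{9*9}"});
        incoming.put("name", new String[] {"alice"});
        incoming.put("note", new String[] {"line one\n${total}"});

        System.out.println("Kept parameters: " + filter.filter(incoming).keySet());
    }
}
```

Run it with `javac ParameterValueFilter.java && java ParameterValueFilter`. The parameters whose values contain `%{...}` or `${...}` are removed before they could reach an action property such as `untrustedInput`, which is the point of the ticket: the template's `${untrustedInput}` is never handed a value that a Struts tag would evaluate a second time. The `note` parameter is included to show why the `DOTALL` flag matters with the ticket's `.*`-anchored patterns and `matches()`; the performance caveat in the ticket still applies, since every value of every request is matched when the option is enabled.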