[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-30 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611461#comment-17611461
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 5338b44c233dbc7a26a5b0c6b0993d770fa5340e in struts's branch 
refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=5338b44c2 ]

WW-5184 Reduces code complexity when handling excluded/accepted values patterns


> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Affects Versions: 6.0.0
>Reporter: Brian Andle
>Priority: Major
> Fix For: 6.1.0
>
>  Time Spent: 6h 50m
>  Remaining Estimate: 0h
>
> It is known that developers utilizing Struts/Freemarker should always ensure 
> proper sanitization to prevent OGNL/Freemarker evaluation on untrusted user 
> input when %{/$\{ in FTL being passed into Struts tags.
> These patterns aren't always practical to resolve/find, especially in legacy 
> code. This isn't solely a legacy code issue of course; it's just as easy to 
> make a mistake in newer code as well.
> The following would end up rendering 81
> Payload:
> {code:java}
> untrustedInput=%25%7B9%2A9%7D {code}
> FTL:
>  
> {code:java}
> <@s.form theme="simple" action="${untrustedInput}" id="myForm4">
>  {code}
>  
> Java:
> {code:java}
>     private String untrustedInput;
>
>     public String getUntrustedInput() {
>         return untrustedInput;
>     }
>
>     public void setUntrustedInput(String untrustedInput) {
>         this.untrustedInput = untrustedInput;
>     }
> {code}
>  
> This ticket is to add an optional `params.excludeValuePatterns` so that 
> ParametersInterceptor can drop incoming parameter itself if the value matches 
> a pattern to be excluded.
>  
> {code:java}
>  name="params.excludeValuePatterns">.*\$\{.*?\}.*,.*%\{.*?\}.*{code}
>  
> Since this is a pattern and would be executed against the values themselves, 
> there is the potential of a performance impact; however, since it's optional, 
> we shouldn't see any measurable impact when not enabled.
>  
> *NOTE:* I did add a `params.acceptValuePatterns` pattern that is 
> null/disabled by default. This might not ever be used but mimicked the Pattern 
> matcher in the ParametersInterceptor/CookieInterceptor.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
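As an added example (not code from the Struts project or from the ticket), the following models the exclude/accept value check the description above proposes, runs the ticket's own exclude list against the URL-decoded payload, and shows why an operator may want to prefix each configured pattern with `(?s)`. The class and method names, the comma-split list format, the "exclude wins, accept list only applies when configured" rule and the use of `matches()` are all assumptions made for the illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Struts' own code: a stand-alone model of the value check
 * the ticket proposes. The class name, constructor and the rule "an exclude
 * match drops the value; an accept list, when configured, must match" are
 * assumptions about the feature, not a description of the shipped interceptor.
 */
public final class ValuePatternCheck {

    /** The exclude list exactly as the ticket configures it (comma-separated). */
    public static final String EXCLUDE_FROM_TICKET = ".*\\$\\{.*?\\}.*,.*%\\{.*?\\}.*";

    /** Same list, each pattern prefixed with (?s) so '.' also matches line breaks. */
    public static final String EXCLUDE_DOTALL = "(?s).*\\$\\{.*?\\}.*,(?s).*%\\{.*?\\}.*";

    private final List<Pattern> excludePatterns;
    private final List<Pattern> acceptPatterns;   // empty list == disabled (ticket default)

    public ValuePatternCheck(String excludeCsv, String acceptCsv) {
        this.excludePatterns = compileList(excludeCsv);
        this.acceptPatterns = compileList(acceptCsv);
    }

    /** Splits a comma-separated list of regexes and compiles each one (assumed list format). */
    private static List<Pattern> compileList(String csv) {
        if (csv == null || csv.trim().isEmpty()) {
            return Collections.emptyList();
        }
        List<Pattern> compiled = new ArrayList<>();
        for (String regex : csv.split(",")) {
            compiled.add(Pattern.compile(regex.trim()));
        }
        return compiled;
    }

    /**
     * Decides whether the interceptor should keep a parameter value.
     * Exclude patterns are checked first; accept patterns only apply when configured.
     * matches() is used here, so each pattern must describe the whole value (assumption).
     */
    public boolean isAcceptableValue(String value) {
        if (value == null) {
            return true;
        }
        for (Pattern p : excludePatterns) {
            if (p.matcher(value).matches()) {
                return false;
            }
        }
        if (acceptPatterns.isEmpty()) {
            return true;
        }
        for (Pattern p : acceptPatterns) {
            if (p.matcher(value).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Decodes a raw query-string value the way the servlet container would (Java 10+ overload). */
    public static String decodeQueryValue(String encoded) {
        return URLDecoder.decode(encoded, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        ValuePatternCheck asConfigured = new ValuePatternCheck(EXCLUDE_FROM_TICKET, null);
        ValuePatternCheck dotAll = new ValuePatternCheck(EXCLUDE_DOTALL, null);

        // Constructed sample values; the first is the ticket's payload as it arrives on the wire.
        String[] samples = {
            decodeQueryValue("%25%7B9%2A9%7D"),
            "${untrustedInput}",
            "plain text",
            "first line\n%{9*9}",     // a line break in front of the expression
        };
        for (String value : samples) {
            System.out.printf("%-22s as configured: %-5b with (?s): %b%n",
                    value.replace("\n", "\\n"),
                    asConfigured.isAcceptableValue(value),
                    dotAll.isAcceptableValue(value));
        }
    }
}
```

Whether the shipped interceptor applies the pattern with `matches()` or `find()` is not stated on this page; the `(?s)` prefix makes a configured exclude pattern cover values containing line breaks in either case, because `.` does not match line terminators in Java by default.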


[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-30 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611460#comment-17611460
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit cbfd3a7ab94b1fda96536a88eee56a1e9e63fc64 in struts's branch 
refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=cbfd3a7ab ]

WW-5184 Improves logging around excluding/accepting values of incoming 
parameters




[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-30 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611462#comment-17611462
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 58f287bf4a89ca87f8c13d4ba96e38f803d86e60 in struts's branch 
refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=58f287bf4 ]

Merge pull request #607 from apache/WW-5184-log

[WW-5184] Uses debug log level when parameter value was not accepted



[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-30 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611459#comment-17611459
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit ddbd02e6bb4c00b647e1a8f89610d5ff3165aeb6 in struts's branch 
refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=ddbd02e6b ]

WW-5184 Uses debug log level when parameter value was not accepted




[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-30 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611380#comment-17611380
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 5338b44c233dbc7a26a5b0c6b0993d770fa5340e in struts's branch 
refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=5338b44c2 ]

WW-5184 Reduces code complexity when handling excluded/accepted values patterns




[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-30 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611378#comment-17611378
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit cbfd3a7ab94b1fda96536a88eee56a1e9e63fc64 in struts's branch 
refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=cbfd3a7ab ]

WW-5184 Improves logging around excluding/accepting values of incoming 
parameters




[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-29 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17611373#comment-17611373
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 8bd91b36048eab8c13dbe3e2eb12303f9b18388e in struts's branch 
refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=8bd91b360 ]

WW-5184 Uses the same pattern with devMode logging as in other check methods




[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-28 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17610468#comment-17610468
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit acdf452a3b5af6b8fd7560126c0f0a9cc0f4b15f in struts's branch 
refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=acdf452a3 ]

WW-5184 Stops logging value of unaccepted parameter to avoid potential 
vulnerability




[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-28 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17610451#comment-17610451
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit ddbd02e6bb4c00b647e1a8f89610d5ff3165aeb6 in struts's branch 
refs/heads/WW-5184-log from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=ddbd02e6b ]

WW-5184 Uses debug log level when parameter value was not accepted




[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-19 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606665#comment-17606665
 ] 

ASF GitHub Bot commented on WW-5184:


brianandle commented on PR #170:
URL: https://github.com/apache/struts-site/pull/170#issuecomment-1251236323

   Yes, it's ready






[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-19 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606606#comment-17606606
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 3c8e0710fe47b92ba8bd15d667660f2a67eb6d4b in struts-site's branch 
refs/heads/master from brianandle
[ https://gitbox.apache.org/repos/asf?p=struts-site.git;h=3c8e0710f ]

Update docs for WW-5184 (#170)

* Update parameters-interceptor.md

Updating for excludeValuePatterns/WW-5184

NOTE: The existing "Using `ParameterNameAware` could be dangerous as 
`ParameterNameAware#acceptableParameterName(String)`" text is wrong because of 
WW-4323, but I see that's slated to be fixed in 6.1.0.

* Update parameters-interceptor.md

* Update parameters-interceptor.md

* Update parameters-interceptor.md



[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-19 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606605#comment-17606605
 ] 

ASF GitHub Bot commented on WW-5184:


lukaszlenart merged PR #170:
URL: https://github.com/apache/struts-site/pull/170






[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-19 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17606599#comment-17606599
 ] 

ASF GitHub Bot commented on WW-5184:


lukaszlenart commented on PR #170:
URL: https://github.com/apache/struts-site/pull/170#issuecomment-1251021119

   is it ready?




> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Affects Versions: 6.0.0
>Reporter: Brian Andle
>Priority: Major
> Fix For: 6.1.0
>
>  Time Spent: 4h 50m
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-14 Thread Brian Andle (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604877#comment-17604877
 ] 

Brian Andle commented on WW-5184:
-

Thanks [~lukaszlenart] 

> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Affects Versions: 6.0.0
>Reporter: Brian Andle
>Priority: Major
> Fix For: 6.1.0
>
>  Time Spent: 4.5h
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604780#comment-17604780
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 5763476830bcb71cef69fbd602f491330fa159fe in struts's branch 
refs/heads/master from Brian Andle
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=576347683 ]

WW-5184 - Change info to warn from peer review


> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Affects Versions: 6.0.0
>Reporter: Brian Andle
>Priority: Major
> Fix For: 6.1.0
>
>  Time Spent: 4h 20m
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604779#comment-17604779
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 105b22fb9a4a02a1719f73cb035a8e249d876554 in struts's branch 
refs/heads/master from Brian Andle
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=105b22fb9 ]

WW-5184 - Add optional parameter value check to ParametersInterceptor


> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Affects Versions: 6.0.0
>Reporter: Brian Andle
>Priority: Major
> Fix For: 6.1.0
>
>  Time Spent: 4h 20m
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604782#comment-17604782
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit a5899726a0791863c7abe4680e07ae5c69cc8113 in struts's branch 
refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=a5899726a ]

Merge pull request #559 from brianandle/WW-5184_v2

WW-5184 - Add optional parameter value check to ParametersInterceptor

> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Affects Versions: 6.0.0
>Reporter: Brian Andle
>Priority: Major
> Fix For: 6.1.0
>
>  Time Spent: 4h 20m
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-09-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17604781#comment-17604781
 ] 

ASF subversion and git services commented on WW-5184:
-

Commit 584634a9b5ed66eabc5655a49d704a7038bd1e27 in struts's branch 
refs/heads/master from Brian Andle
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=584634a9b ]

WW-5184 - Added ParameterValueAware interface and unit test


> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Affects Versions: 6.0.0
>Reporter: Brian Andle
>Priority: Major
> Fix For: 6.1.0
>
>  Time Spent: 4h 20m
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-06-04 Thread Brian Andle (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17550073#comment-17550073
 ] 

Brian Andle commented on WW-5184:
-

Created [https://github.com/apache/struts/pull/559/files] for master branch

> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Brian Andle
>Priority: Major
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-06-03 Thread Brian Andle (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17545901#comment-17545901
 ] 

Brian Andle commented on WW-5184:
-

Review comments implemented. 3 of the 4 pipeline tests passed. The Java 7 one 
failed for the same JAVA_HOME issue as above.

> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Brian Andle
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-06-02 Thread Brian Andle (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17545658#comment-17545658
 ] 

Brian Andle commented on WW-5184:
-

Looks like the Java 7 and 11 pipelines failed because of environment setup 
issues.

The JAVA_HOME environment variable is not defined correctly
This environment variable is needed to run this program
NB: JAVA_HOME should point to a JDK not a JRE

> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Brian Andle
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>





[jira] [Commented] (WW-5184) Add optional parameter value check to ParametersInterceptor

2022-06-02 Thread Brian Andle (Jira)


[ 
https://issues.apache.org/jira/browse/WW-5184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17545637#comment-17545637
 ] 

Brian Andle commented on WW-5184:
-

Created https://github.com/apache/struts/pull/557

> Add optional parameter value check to ParametersInterceptor
> ---
>
> Key: WW-5184
> URL: https://issues.apache.org/jira/browse/WW-5184
> Project: Struts 2
>  Issue Type: Improvement
>Reporter: Brian Andle
>Priority: Major
>


