Skip to content

Security: exclude Object's class methods #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 50 commits into from
Jun 18, 2014
Merged

Security: exclude Object's class methods #11

merged 50 commits into from
Jun 18, 2014

Conversation

lukaszlenart
Copy link
Member

This fix is a follow up of the latest security issues discovered with ParametersInterceptor to allow access object's getClass method via http request. This also solves problem accessing the same properties via method: prefix - it is blocked on OGNL level.

@lukaszlenart
Defines new logic to allow exclude some properties (eg. getClass)
2550384
@lukaszlenart
Adds constant under which excluded properties can be defined
bbcee42
@lukaszlenart
Extends tests to check if excluded properties works on higher level
14ad0ab
@lukaszlenart
Adds conversion of Struts property to XWork property
aff3a3a
@lukaszlenart
Includes check for braces in expression
58a5861
@lukaszlenart
Uses OgnlUtil to execute action/method instead of Reflection
bcc0327
@lukaszlenart
Updates tests as using Object's methods is prohibited
5d8aa8a
@lukaszlenart
Extends patterns with parenthesis during initialisation
53fb5ba
@lukaszlenart
Additional use cases to check method access
ee3c8d5
@lukaszlenart
Extends SecurityMemberAccess to included excluded classes
c778297
@lukaszlenart
Renames excluded properties to excluded classes
d5bd607
@lukaszlenart
Creates default context with excluded classes
2798057
@lukaszlenart
Sets excluded classes during injecting OgnlUtil
2180b06
@lukaszlenart
Adds mapping of excluded classes key
f0799fd
@lukaszlenart
Uses excluded classes to
afb5af1
@lukaszlenart
Updates test to use new excluded classes
cdfb94d
@lukaszlenart
Defines excluded classes
f84efa5
@lukaszlenart
Removes hardcoded excluded params
cb59074
@lukaszlenart
Adds special treatment of Object class and unit test
b3ca9ea
@lukaszlenart
Adds more use cases
ba0ac0d
@lukaszlenart
Merge branch 'develop' into feature/exclude-object-class
a5946d0 
Conflicts:
	xwork-core/src/main/java/com/opensymphony/xwork2/interceptor/ParametersInterceptor.java
@lukaszlenart
Adds logging of excluded classes
62ee6b1
@lukaszlenart
Removes override which isn't used anymore
7857b86
@lukaszlenart
Merge branch 'develop' into feature/exclude-object-class
08b44fd
@lukaszlenart
Converts class with patterns into Struts bean
65c023b
@lukaszlenart
Defines new extension point
4577e5e
@lukaszlenart
Cleans up imports
9884c49
@lukaszlenart
Uses newly defined Struts bean instead duplicating logic
735fd96
@lukaszlenart
Adds description about new extension point
ba1850a
@lukaszlenart
Extracts interface to simplify implementation by users
bfbc4c0
@pbenedict
Copy link
Member

Since the ExcludePatternChecker already logs the value and the matched pattern being excluded, I don't think we should repeat that logging again by the caller... or at least trim down the caller's logging to just say something has been excluded (cause the callee is already logging that detail).

lukaszlenart added 14 commits May 19, 2014 09:59
@lukaszlenart
Moves security related classes to security package
7faf91a
@lukaszlenart
Cleans up after moving to package
ec98c8a
@lukaszlenart
Cleans up after moving to package
97ef7b5
@lukaszlenart
Defines new service to check accepted patterns
b140faa
@lukaszlenart
Uses new service to check if param matches accepted patterns
8a93df1
@lukaszlenart
Adds ability to exclude whole packages based on regex
dba9da3
@lukaszlenart
Ties excluding packages into Struts DI mechanism
4ee18f9
@lukaszlenart
Uses WARN to report if package or class is excluded
5a5af1b
@lukaszlenart
Adds javax.* to excluded packages
2df72b9
@lukaszlenart
Adds option to define additional accepted/excluded patterns
89cbe13 
Also all patterns are by default case insensitive
@lukaszlenart
Adds additional method to check if value of param isn't excluded
5ebc064
@lukaszlenart
Adds additional default exclude patterns to avoid access to #context
eb8aae8
@lukaszlenart
Excludes ActionContext from Ognl evaluation
bbcc601
@lukaszlenart
Adds additional classes to be excluded
9654287
@asfgit asfgit merged commit 9654287 into develop Jun 18, 2014
@asfgit asfgit deleted the feature/exclude-object-class branch June 27, 2014 11:07
asfgit pushed a commit that referenced this pull request Jun 12, 2016
@victorsosa
Merge pull request #11 from apache/master
379b752 
update pull
kusalk added a commit that referenced this pull request Oct 4, 2023
@kusalk
Pull request #11: CONFSRVDEV-25415 Allow forwarding to Struts actions
8215118 
Merge in BAM/struts2-atlassian from issue/CONFSRVDEV-25415-allow-forwards to STRUTS_2_5_30-atlassian

* commit 'aa264376c2cf2ff591927a50988517aab7691939':
  CONFSRVDEV-25415 Fix infinite forward loop
  CONFSRVDEV-25415 Allow forwarding to Struts actions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lukaszlenart @pbenedict @asfgit