WW-5407 Extend SecurityMemberAccess proxy detection to other proxies #911
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kusalk
changed the title
lukaszlenart
reviewed
Apr 9, 2024
kusalk
reviewed
Apr 9, 2024
| <groupId>org.hibernate</groupId> | ||
| <artifactId>hibernate-core</artifactId> | ||
| <version>6.4.4.Final</version> | ||
| <optional>true</optional> |
lukaszlenart
reviewed
Apr 9, 2024
core/pom.xml
Outdated
| <dependency> | ||
| <groupId>org.hibernate</groupId> | ||
| <artifactId>hibernate-core</artifactId> | ||
| <version>6.4.4.Final</version> |
There was a problem hiding this comment.
As far I know this version won't work on JDK8 which is a base version for Struts 6.x
There was a problem hiding this comment.
You are correct - downgraded to Hibernate 5 as this proxy detection code is identical :)
jefferyxhy
force-pushed
the
issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
branch
from
b3578e2
to
0074b70
Compare
|
@jefferyxhy is a colleague of mine at Atlassian who is helping implement some security enhancements. |
Comment on lines
135
to
136
| if (hasMember(clazz, member)) | ||
| return true; |
There was a problem hiding this comment.
Shouldn't be inlined?
return hasMember(clazz, member);There was a problem hiding this comment.
@lukaszlenart updated. Thanks
kusalk
deleted the
issue/WW-5407-extend-SecurityMemberAccess-proxy-detection-to-proxies
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WW-5407
Reason
Currently
SecurityMemberAccess#isAccessiblereturn true for a method of a proxy object, which expose the beans at risk of being changed. We need to have the ability to detect proxy object and reject the access if required.See Jira card above for more details.
Changes/ Solution
currently in
isAccessible -> checkProxyMemberAccess, it usedisallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)which is not enough, asisProxyMemberonly matches the member directly from proxy class, and does not match those ones original from the target class.So we update the
isAccessible:checkProxyAccessbeforecheckProxyMemberAccesswhich is controlled by:struts.disallowProxyObjectAccess: an new struts constant to enable or disable this checking (default asfalse)Result & Impact
struts.disallowProxyObjectAccessasdefault, no difference.struts.disallowProxyObjectAccessastrue, access to any member of a proxy object will be rejected, including both proxy member and original member of class. Which means whenever chained parametera.b.c.d.xhas one part that is a proxy, we reject the set to the lastx