Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WW-5417 bump ognl version to fix security issue #915

Merged
merged 2 commits into from Apr 19, 2024
Merged

WW-5417 bump ognl version to fix security issue #915

merged 2 commits into from Apr 19, 2024

Conversation

jefferyxhy
Copy link
Contributor

@jefferyxhy jefferyxhy commented Apr 18, 2024
edited

WW-5417

bump the Ognl version to fix the security issue that ObjectPropertyAccessor#setPossibleProperty bypass SecurityMemberAccess right check.

 

*********************** From Ognl PR ***********************

OgnlRuntime.setFieldValue doesn't check member access rights via MemberAccess interface

 

Reason

  • Investigation shows that getMethodValue/ setMethodValue / getFieldValue are all updated with member access rights check but not setFieldValue, which cause ObjectPropertyAccessor#setPossibleProperty expose to security vuln.
  • ObjectPropertyAccessor#setPossibleProperty has a fallback mechanism using getWriteMethod which also lack member access rights check

 

Changes/ Solution

  • add field member access check to OgnlRuntime#setFieldValue that is controlled by parameter checkAccessAndExistence
  • add method member access check to ObjectPropertyAccessor#setPossibleProperty code block that uses OgnlRuntime#getWriteMethod

 

Result & Impact
now ObjectPropertyAccessor#setPossibleProperty will also check member access rights when fallback to use:

  • OgnlRuntime.setFieldValue
  • method invoke that is from OgnlRuntime.getWriteMethod

jefferyxhy
jefferyxhy commented Apr 18, 2024
View reviewed changes
pom.xml Outdated
@@ -112,7 +112,7 @@
<asm.version>9.6</asm.version>
<jackson.version>2.16.1</jackson.version>
<log4j2.version>2.23.1</log4j2.version>
<ognl.version>3.3.4</ognl.version>
<ognl.version>3.3.4-atlassian-1</ognl.version>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be replaced with 3.3.5 once released OGNL patch PR

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Try you to use 3.3.5 verision

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. Thanks

kusalk
kusalk reviewed Apr 18, 2024
View reviewed changes
core/src/test/java/org/apache/struts2/ognl/OgnlSetPossiblePropertyTest.java
}


public static class HolderWithPublicField {
Copy link
Member

@kusalk kusalk Apr 18, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lukaszlenart This is a PoC of the original public field bug I reported

kusalk
kusalk reviewed Apr 18, 2024
View reviewed changes
core/src/test/java/org/apache/struts2/ognl/OgnlSetPossiblePropertyTest.java
}
}

public static class HolderWhoseFieldWithPublicSetterDifferentFieldName {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lukaszlenart This is a PoC of the new public setter bug discovered by @jefferyxhy

@kusalk
Copy link
Member

kusalk commented Apr 18, 2024

Remaining tests are variations for full coverage and to prevent regressions

@kusalk
Copy link
Member

kusalk commented Apr 18, 2024

The builds are failing as the Atlassian forked release is not on the Central repo, it is only available on our repo.
Anyway, this PR is just preparing for the merge and release of the corresponding OGNL PR (orphan-oss/ognl#264)

jefferyxhy
jefferyxhy commented Apr 19, 2024
View reviewed changes
pom.xml
@@ -112,7 +112,7 @@
<asm.version>9.6</asm.version>
<jackson.version>2.16.1</jackson.version>
<log4j2.version>2.23.1</log4j2.version>
<ognl.version>3.3.4</ognl.version>
<ognl.version>3.3.5</ognl.version>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lukaszlenart updated with 3.3.5. Thanks

@jefferyxhy jefferyxhy marked this pull request as ready for review April 19, 2024 04:59
lukaszlenart
lukaszlenart approved these changes Apr 19, 2024
View reviewed changes
Copy link
Member

@lukaszlenart lukaszlenart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👏

@kusalk kusalk merged commit f5cfb88 into apache:master Apr 19, 2024
7 checks passed
@kusalk kusalk deleted the issue/WW-5417-bump-ongl-version-to-fix-security-issue branch April 19, 2024 07:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kusalk kusalk kusalk left review comments

@lukaszlenart lukaszlenart lukaszlenart approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@jefferyxhy @kusalk @lukaszlenart