WW-5364 Automatically populate OGNL allowlist #800
Conversation
kusalk
force-pushed
the
WW-5364-populate-allowlist
branch
3 times, most recently
from
6a47136
to
324f825
Compare
kusalk
force-pushed
the
WW-5364-populate-allowlist
branch
from
324f825
to
d431531
Compare
kusalk
force-pushed
the
WW-5364-populate-allowlist
branch
from
d431531
to
cf178dd
Compare
kusalk
force-pushed
the
WW-5364-populate-allowlist
branch
from
b6bd2ee
to
d7df9ce
Compare
# Conflicts: # core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
kusalk
force-pushed
the
WW-5364-populate-allowlist
branch
from
f164e4a
to
0566a20
Compare
|
WIP: Need to add more unit test coverage for this one |
…oviderAllowlist
kusalk
force-pushed
the
WW-5364-populate-allowlist
branch
from
2a70545
to
589219b
Compare
| @@ -34,6 +34,19 @@ | |||
| <constant name="struts.custom.i18n.resources" value="globalMessages" /> | |||
| <constant name="struts.action.extension" value="action,," /> | |||
|
|
|||
| <constant name="struts.allowlist.enable" value="true" /> | |||
There was a problem hiding this comment.
Moved this here so that we can utilise it for tests in core
| @@ -395,6 +359,57 @@ protected Container createBootstrapContainer(List<ContainerProvider> providers) | |||
| return builder.create(true); | |||
| } | |||
|
|
|||
| public static ContainerBuilder bootstrapFactories(ContainerBuilder builder) { | |||
There was a problem hiding this comment.
Extracted code into this method for reuse by the StrutsDefaultConfigurationProvider
| @@ -57,6 +59,19 @@ public class SecurityMemberAccess implements MemberAccess { | |||
|
|
|||
| private static final Logger LOG = LogManager.getLogger(SecurityMemberAccess.class); | |||
|
|
|||
| private static final Set<String> ALLOWLIST_REQUIRED_PACKAGES = unmodifiableSet(new HashSet<>(Arrays.asList( | |||
There was a problem hiding this comment.
Required system allowlist defined here - it's possible I've missed some packages/classes, can add as needed
| @@ -65,12 +80,14 @@ public class SecurityMemberAccess implements MemberAccess { | |||
| private Set<String> excludedPackageNames = emptySet(); | |||
| private Set<String> excludedPackageExemptClasses = emptySet(); | |||
| private boolean enforceAllowlistEnabled = false; | |||
| private Set<String> allowlistClasses = emptySet(); | |||
| private Set<Class<?>> allowlistClasses = emptySet(); | |||
There was a problem hiding this comment.
While we use String comparison for the exclusion list, we use Class comparison for the allowlist to prevent accidentally allowing through another Class with the same name (in applications with multiple classloaders)
| Class.forName("com.opensymphony.xwork2.TextProvider"), | ||
| Class.forName("org.apache.struts2.interceptor.NoOpInterceptor"), | ||
| Class.forName("com.opensymphony.xwork2.interceptor.Interceptor"), | ||
| Class.forName("java.lang.Object"), |
There was a problem hiding this comment.
Even though java.lang.Object is added to the allowlist as it is a superclass, the exclusion list always takes precedence and so this class will not be allowed in practice
| }); | ||
| } | ||
|
|
||
| public abstract class XWorkJUnit4TestCase extends com.opensymphony.xwork2.XWorkJUnit4TestCase { |
There was a problem hiding this comment.
Extended the moved class for compat
| */ | ||
| package org.apache.struts2.junit; | ||
|
|
||
| public abstract class XWorkTestCase extends com.opensymphony.xwork2.XWorkTestCase { |
There was a problem hiding this comment.
Added this for consistency
| @@ -44,8 +44,6 @@ | |||
|
|
|||
| <interceptors> | |||
| <interceptor name="alias" class="com.opensymphony.xwork2.interceptor.AliasInterceptor"/> | |||
| <interceptor name="autowiring" | |||
There was a problem hiding this comment.
This class isn't provided by core
There was a problem hiding this comment.
Made some changes to this file to attempt to load every class defined in a package and add it to the allowlist
|
Kudos, SonarCloud Quality Gate passed! |
WW-5364
We automatically populate the allowlist from interceptors, actions and result types defined in XML configuration.
This will allow most applications to turn on the OGNL allowlist with no or limited additional configuration.
We can then consider turning this security option on by default in Struts 7.0.
Documentation: apache/struts-site#213