[jira] [Created] (WW-5184) Add optional parameter value check to ParametersInterceptor

["Brian Andle (Jira)" <ji...@apache.org>]

Brian Andle created WW-5184:
-------------------------------

             Summary: Add optional parameter value check to ParametersInterceptor
                 Key: WW-5184
                 URL: https://issues.apache.org/jira/browse/WW-5184
             Project: Struts 2
          Issue Type: Improvement
            Reporter: Brian Andle


It is known that developers utilizing Struts/Freemarker should always  ensure proper sanitization to prevent OGNL/Freemarker evaluation on untrusted user input when %{/$\{ in FTL being passed into Struts tags.

The following would end up rendering 81

Payload:
{code:java}
untrustedInput=%25%7B9%2A9%7D {code}
FTL:

 
{code:java}
<@s.form theme="simple" action="${untrustedInput}" id="myForm4">

</...@s.form> {code}
 

Java:
{code:java}
    private String untrustedInput;
    public String getUntrustedInput() {
        return untrustedInput;
    }
    public void setUntrustedInput(String untrustedInput) {
        this.untrustedInput = untrustedInput;
    } {code}
 

 

These patterns aren't always practical to resolve/find especially in legacy code. This isn't a solely a legacy code of course it's just as easy to make a mistake in newer code as well.

This ticket is to add an optional `params.excludeValuePatterns` so that ParametersInterceptor can drop incoming parameter itself if the value patterns are excluded.

 

 
{code:java}
.*\$\{.*?\}.*,.*%\{.*?\}.* {code}
 

Since this is a pattern and would be executed against the values themselves there is the potential of a performance impact however I since it's optional we shouldn't see any measurable impact when not enabled.

 

*NOTE:* I did add a `params.acceptValuePatterns` pattern that is null/disabled by default. This might not ever be used but mimic'd the Pattern matcher the ParametersInterceptor/CookieInterceptor.

 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)