Posted to issues@struts.apache.org by "datta kudale (JIRA)" <ji...@apache.org> on 2010/12/09 10:32:02 UTC

[jira] Created: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References
---------------------------------------------------------------------------------------

                 Key: WW-3541
                 URL: https://issues.apache.org/jira/browse/WW-3541
             Project: Struts 2
          Issue Type: New Feature
          Components: Core Interceptors
    Affects Versions: 2.2.1.1
         Environment: All OS
            Reporter: datta kudale


JSP Parameter to Action Object Mapping (Security) Plugin does this great thing. Here is also a short overview of what it does and why a developer would want to use it.

Many applications expose their internal object references to users. Attackers use parameter tampering to change references and violate the intended but unenforced access control policy. Frequently, these references point to file systems and databases, but any exposed application construct could be vulnerable.

The best protection is to avoid exposing direct object references to users by using an index, indirect reference map, or other indirect method that is easy to validate. If a direct object reference must be used, ensure that the user is authorized before using it.

    * Avoid exposing your private object references to users whenever possible, such as primary keys or filenames
    * Validate any private object references extensively with an "accept known good" approach
    * Verify authorization to all referenced objects

So, to avoid exposing the internal object implementation to the end user, this plugin can be used.

Please refer to the following link for the plugin:

https://cwiki.apache.org/confluence/display/S2PLUGINS/Request+Parameter+to+Action+Object+Mapping+Plugin+for+Insecure+Direct+Object+References

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
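The description above recommends an indirect reference map plus "accept known good" validation and an authorization check. The following is an added, framework-neutral illustration of that pattern (not the WW-3541 plugin's code and not Struts API); the document store, user names and the `id` parameter name are constructed for the example.

```python
"""Indirect object reference map: per-session tokens stand in for primary keys.

Added illustration, not the WW-3541 plugin's code. The sample store, users and
the 'id' parameter are constructed for this example.
"""
import secrets

# Constructed sample "database": direct key -> record (owner, title)
DOCUMENTS = {
    101: {"owner": "alice", "title": "Alice's report"},
    102: {"owner": "alice", "title": "Alice's notes"},
    203: {"owner": "bob", "title": "Bob's invoice"},
}


class IndirectReferenceMap:
    """Per-session bidirectional map between direct keys and random tokens.

    Tokens are minted only when the server renders a reference, so the set of
    tokens a session may present is exactly the set it was shown ("accept
    known good"). A token minted for another session is meaningless here.
    """

    def __init__(self):
        self._to_token = {}   # direct key -> token
        self._to_direct = {}  # token -> direct key

    def indirect(self, direct_key):
        """Return the session token for a direct key, minting one if needed."""
        token = self._to_token.get(direct_key)
        if token is None:
            token = secrets.token_urlsafe(16)  # unguessable, per session
            self._to_token[direct_key] = token
            self._to_direct[token] = direct_key
        return token

    def resolve(self, token):
        """Map a presented token back to its direct key, or None if unknown."""
        return self._to_direct.get(token)


class AccessDenied(Exception):
    pass


def render_listing(session, user):
    """List page: show only the caller's documents and hand out tokens,
    never raw primary keys. Returns {token: title}."""
    refs = session.setdefault("refs", IndirectReferenceMap())
    return {refs.indirect(k): v["title"]
            for k, v in DOCUMENTS.items() if v["owner"] == user}


def view_document(session, user, params):
    """Detail page: the 'id' request parameter is a token, not a key.

    Two independent checks: the token must be one this session was given
    (indirection), and the resolved record must still be authorized for the
    caller (the map is not an ACL, so authorization is verified separately).
    """
    refs = session.get("refs")
    token = params.get("id")
    if refs is None or token is None:
        raise AccessDenied("no reference map or no id parameter")
    direct = refs.resolve(token)
    if direct is None:
        raise AccessDenied("unknown reference")  # tampered or foreign token
    record = DOCUMENTS[direct]
    if record["owner"] != user:
        raise AccessDenied("not authorized for this object")
    return record


def demo():
    """Alice lists and views her own document, then two tampered requests:
    a guessed raw primary key and a token minted for Bob's session."""
    alice_session = {}
    ok_token = next(iter(render_listing(alice_session, "alice")))
    own = view_document(alice_session, "alice", {"id": ok_token})
    bob_session = {}
    bob_token = next(iter(render_listing(bob_session, "bob")))
    outcomes = {}
    for label, bad in (("raw_pk", "203"), ("foreign_token", bob_token)):
        try:
            view_document(alice_session, "alice", {"id": bad})
            outcomes[label] = "allowed"
        except AccessDenied:
            outcomes[label] = "denied"
    return own["owner"], outcomes
```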


[jira] [Updated] (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "Lukasz Lenart (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-3541:
------------------------------

    Fix Version/s: Future

Any progress?
                
> Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References
> ---------------------------------------------------------------------------------------
>
>                 Key: WW-3541
>                 URL: https://issues.apache.org/jira/browse/WW-3541
>             Project: Struts 2
>          Issue Type: New Feature
>          Components: Core Interceptors
>    Affects Versions: 2.2.1.1
>         Environment: All OS
>            Reporter: datta kudale
>             Fix For: Future
>
>   Original Estimate: 96h
>  Remaining Estimate: 96h
>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "datta kudale (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975448#action_12975448 ] 

datta kudale commented on WW-3541:
----------------------------------

Any updates?



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "datta kudale (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975455#action_12975455 ] 

datta kudale commented on WW-3541:
----------------------------------

Ok, I will change the license to ASF2.



[jira] Updated: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "Dave Newton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dave Newton updated WW-3541:
----------------------------

    Flags: [Important]  (was: [Important, Patch])



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "Lukasz Lenart (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975977#action_12975977 ] 

Lukasz Lenart commented on WW-3541:
-----------------------------------

Some reading:
http://www.apache.org/licenses/#grants
http://www.apache.org/licenses/#clas



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "datta kudale (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975467#action_12975467 ] 

datta kudale commented on WW-3541:
----------------------------------

Please check the following link. I have updated the license to ASF2.

https://cwiki.apache.org/confluence/display/S2PLUGINS/Request+Parameter+to+Action+Object+Mapping+Plugin+for+Insecure+Direct+Object+References 



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "Dave Newton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12969721#action_12969721 ] 

Dave Newton commented on WW-3541:
---------------------------------

Are you asking that the plugin be included in core? If not, please close your issue.

And it's not a patch, so I'm removing that flag.



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "Lukasz Lenart (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975454#action_12975454 ] 

Lukasz Lenart commented on WW-3541:
-----------------------------------

How is it related to ModelDriven? And the second thing: your plugin is based on the GPL3 license, which isn't compatible with ASF2.



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "Lukasz Lenart (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975474#action_12975474 ] 

Lukasz Lenart commented on WW-3541:
-----------------------------------

Ok, but you must donate the code to the ASF; including it here as a patch should be sufficient.



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "datta kudale (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975476#action_12975476 ] 

datta kudale commented on WW-3541:
----------------------------------

Can you give details of the process for donating code to the ASF?



[jira] Commented: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

Posted by "datta kudale (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12970156#action_12970156 ] 

datta kudale commented on WW-3541:
----------------------------------

Yes, I want to include the interceptor in the core Struts API.

