Posted to issues@struts.apache.org by "Kusal Kithul-Godage (Jira)" <ji...@apache.org> on 2023/02/18 01:26:00 UTC

[jira] [Comment Edited] (WW-5268) Add configuration option to exempt classes from OGNL package exclusions

    [ https://issues.apache.org/jira/browse/WW-5268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690670#comment-17690670 ] 

Kusal Kithul-Godage edited comment on WW-5268 at 2/18/23 1:25 AM:
------------------------------------------------------------------

[~yasserzamani] [~lukaszlenart] 

Upon further thought, I might argue that any measure which makes security more stringent or reduces the effort required to do so might be worthwhile. It would obviously be better if a product had:

{noformat}
excludedPackageNames=com.example.mostlyunsafe
excludedPackageExemptClasses=com.example.mostlyunsafe.SafeClass
{noformat}
rather than nothing at all.

I also wanted to bring attention to another concern of mine. It wasn't completely clear to me until reading the source code that the `excludedPackageNames` only checks the package of the declaring and target classes. Given that `excludedClasses` does an `#isAssignableFrom` check, I would argue that for consistency, we should be checking the package of every superclass and implemented interface against the `excludedPackageNames`. Currently, it's easy to assume that adding classes from packages in `excludedPackageNames` to `excludedClasses` is redundant when it actually isn't.

Any thoughts?


was (Author: JIRAUSER298544):
[~yasserzamani] [~lukaszlenart] 

Upon further thought, I might argue that any measure which makes security more stringent or reduces the effort required to do so might be worthwhile. It would obviously be better if a product had:

{noformat}
excludedPackageNames=com.example.mostlyunsafe
excludedPackageExemptClasses=com.example.mostlyunsafe.SafeClass
{noformat}
rather than nothing at all.

I also wanted to bring attention to another concern of mine. It wasn't completely clear to me until reading the source code that the `excludedPackageNames` only checks the package of the declaring and member classes. Given that `excludedClasses` does an `#isAssignableFrom` check, I would argue that for consistency, we should be checking the package of every superclass and implemented interface against the `excludedPackageNames`. Currently, it's easy to assume that adding classes from packages in `excludedPackageNames` to `excludedClasses` is redundant when it actually isn't.

Any thoughts?

> Add configuration option to exempt classes from OGNL package exclusions
> -----------------------------------------------------------------------
>
>                 Key: WW-5268
>                 URL: https://issues.apache.org/jira/browse/WW-5268
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.2.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> It is currently possible to exclude packages from OGNL evaluation using `struts.excludedPackageNamePatterns` and `struts.excludedPackageNames`.
> There may exist a scenario where you wish to have certain packages excluded/blocklisted by default, but exempt specific classes from these packages that have been assessed to be safe.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
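An added illustration of the asymmetry the comment raises between `excludedClasses` (an `isAssignableFrom` check) and `excludedPackageNames` (compared only against the target and declaring class). This is not Struts' code or the commenter's; the `Type` stand-in, the package names and the configuration values are constructed for the demo.

```java
import java.util.List;
import java.util.Set;

public class ExclusionCheckDemo {
    // Minimal stand-in for java.lang.Class so one file can model several packages.
    record Type(String name, String pkg, Type superType, List<Type> interfaces) {
        boolean isAssignableFrom(Type other) {
            if (other == null) return false;
            if (other == this) return true;
            if (isAssignableFrom(other.superType)) return true;
            for (Type i : other.interfaces) if (isAssignableFrom(i)) return true;
            return false;
        }
    }

    // Constructed configuration, mirroring the property names discussed in the comment.
    static final Set<String> EXCLUDED_PACKAGE_NAMES = Set.of("com.example.mostlyunsafe");

    // Constructed hierarchy: SafeLooking lives outside the excluded package but extends a class inside it.
    static final Type UNSAFE_BASE  = new Type("com.example.mostlyunsafe.Base", "com.example.mostlyunsafe", null, List.of());
    static final Type SAFE_LOOKING = new Type("com.example.app.SafeLooking", "com.example.app", UNSAFE_BASE, List.of());
    static final Set<Type> EXCLUDED_CLASSES = Set.of(UNSAFE_BASE);

    // excludedClasses as the comment describes it: an isAssignableFrom check, so subtypes are caught too.
    static boolean isClassExcluded(Type target) {
        return EXCLUDED_CLASSES.stream().anyMatch(e -> e.isAssignableFrom(target));
    }

    // excludedPackageNames as the comment reads the current code: only the package of the
    // target class and of the member's declaring class is compared, no hierarchy walk.
    static boolean isPackageExcludedCurrent(Type target, Type declaring) {
        return EXCLUDED_PACKAGE_NAMES.contains(target.pkg()) || EXCLUDED_PACKAGE_NAMES.contains(declaring.pkg());
    }

    // The consistency the comment asks for: also check every superclass and implemented interface.
    static boolean isPackageExcludedProposed(Type target, Type declaring) {
        return hierarchyInExcludedPackage(target) || hierarchyInExcludedPackage(declaring);
    }

    static boolean hierarchyInExcludedPackage(Type t) {
        if (t == null) return false;
        if (EXCLUDED_PACKAGE_NAMES.contains(t.pkg())) return true;
        for (Type i : t.interfaces()) if (hierarchyInExcludedPackage(i)) return true;
        return hierarchyInExcludedPackage(t.superType());
    }

    public static void main(String[] args) {
        // A member declared directly on SafeLooking, accessed on a SafeLooking instance.
        Type target = SAFE_LOOKING, declaring = SAFE_LOOKING;
        System.out.println("excludedClasses blocks it:          " + isClassExcluded(target));
        System.out.println("package check (current) blocks it:  " + isPackageExcludedCurrent(target, declaring));
        System.out.println("package check (proposed) blocks it: " + isPackageExcludedProposed(target, declaring));
    }
}
```

Running it shows why listing a class in `excludedClasses` is not redundant with its package being in `excludedPackageNames`: only the class check and the proposed hierarchy-walking package check catch the subclass declared in a non-excluded package.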