Posted to issues@struts.apache.org by "Kusal Kithul-Godage (Jira)" <ji...@apache.org> on 2023/02/28 12:16:00 UTC

[jira] [Created] (WW-5287) Make excludedPackageNames check more stringent

Kusal Kithul-Godage created WW-5287:
---------------------------------------

             Summary: Make excludedPackageNames check more stringent
                 Key: WW-5287
                 URL: https://issues.apache.org/jira/browse/WW-5287
             Project: Struts 2
          Issue Type: Improvement
          Components: Core
    Affects Versions: 6.1.1
            Reporter: Kusal Kithul-Godage


{{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}} only do a check against the package of the declaring and target classes of an OGNL expression target.

For more robust security, we should be checking the package of every superclass and implemented interface. This will also be more consistent with {{struts.excludedClasses}} which does an {{#isAssignableFrom}} check.

This is rather straightforward by leveraging the following methods, but will come at a slight performance cost:
{{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
{{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}

Additionally, we should ensure that for any {{struts.excludedPackageExemptClasses}}, an assignable class exists for every matching excluded package (any matching interface or superclass).
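As an added illustration of the proposed change (this is example code, not the Struts code base), the check below walks the target class's full hierarchy with the two commons-lang3 methods named above and compares it with the current package-only check; the excluded packages, pattern, exempt set and the reading of the exemption rule are assumptions chosen for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.lang3.ClassUtils;

public class StrictPackageCheck {
    // Constructed sample configuration for this demo, not the Struts defaults.
    static final Set<String> EXCLUDED_PACKAGES = Set.of("java.security");
    static final List<Pattern> EXCLUDED_PATTERNS = List.of(Pattern.compile("^sun\\..*"));
    static final Set<Class<?>> EXEMPT_CLASSES = Set.of();

    /** Package-level test shared by both checks (exact name, sub-package, or pattern). */
    static boolean packageExcluded(Class<?> clazz) {
        Package pkg = clazz.getPackage();
        if (pkg == null) return false;              // primitives, arrays, some proxies
        String name = pkg.getName();
        for (String excluded : EXCLUDED_PACKAGES) {
            if (name.equals(excluded) || name.startsWith(excluded + ".")) return true;
        }
        return EXCLUDED_PATTERNS.stream().anyMatch(p -> p.matcher(name).matches());
    }

    /** Current behaviour (simplified): only the target class's own package is inspected. */
    static boolean isExcludedLenient(Class<?> target) {
        return packageExcluded(target);
    }

    /** Proposed behaviour: every superclass and implemented interface is inspected too.
     *  A hierarchy member in an excluded package is tolerated only if some exempt
     *  class is assignable from it (my reading of the exemption rule in the issue). */
    static boolean isExcludedStrict(Class<?> target) {
        List<Class<?>> hierarchy = new ArrayList<>();
        hierarchy.add(target);
        hierarchy.addAll(ClassUtils.getAllSuperclasses(target));
        hierarchy.addAll(ClassUtils.getAllInterfaces(target));
        for (Class<?> c : hierarchy) {
            boolean exempt = EXEMPT_CLASSES.stream().anyMatch(e -> e.isAssignableFrom(c));
            if (packageExcluded(c) && !exempt) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // java.net.URLClassLoader itself lives outside the excluded package, but its
        // superclass java.security.SecureClassLoader does not, so only the strict
        // check rejects it.
        Class<?> target = java.net.URLClassLoader.class;
        System.out.println("lenient: " + isExcludedLenient(target));
        System.out.println("strict:  " + isExcludedStrict(target));
    }
}
```

Run with commons-lang3 on the classpath; the lenient check passes the class while the strict one rejects it because of its superclass's package.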



--
This message was sent by Atlassian Jira
(v8.20.10#820010)