WW-5343 Make SecurityMemberAccess an extensible bean #791
Conversation
| @@ -133,7 +134,6 @@ public class DefaultConfiguration implements Configuration { | |||
| Map<String, Object> constants = new HashMap<>(); | |||
| constants.put(StrutsConstants.STRUTS_DEVMODE, Boolean.FALSE); | |||
| constants.put(StrutsConstants.STRUTS_OGNL_LOG_MISSING_PROPERTIES, Boolean.FALSE); | |||
| constants.put(StrutsConstants.STRUTS_OGNL_ENABLE_EVAL_EXPRESSION, Boolean.FALSE); | |||
There was a problem hiding this comment.
This constant is not required for bootstrapping
| } | ||
|
|
||
| private static Set<String> toClassesSet(String newDelimitedClasses) throws ConfigurationException { |
There was a problem hiding this comment.
Moved these utility methods into their own class
| private boolean enableEvalExpression; | ||
|
|
||
| private Set<String> excludedClasses = emptySet(); |
There was a problem hiding this comment.
All the configuration is now injected directly into SecurityMemberAccess except for devMode configuration
| public Set<String> getExcludedClasses() { | ||
| return excludedClasses; | ||
| return toClassesSet(container.getInstance(String.class, StrutsConstants.STRUTS_EXCLUDED_CLASSES)); |
There was a problem hiding this comment.
Deprecated getters are still functional for API compatibility
| @@ -922,8 +855,7 @@ protected Map<String, Object> createDefaultContext(Object root, ClassResolver cl | |||
| resolver = container.getInstance(CompoundRootAccessor.class); | |||
| } | |||
|
|
|||
| SecurityMemberAccess memberAccess = new SecurityMemberAccess(allowStaticFieldAccess); | |||
| memberAccess.disallowProxyMemberAccess(disallowProxyMemberAccess); | |||
| SecurityMemberAccess memberAccess = container.getInstance(SecurityMemberAccess.class); | |||
There was a problem hiding this comment.
This is a prototype bean so will be a new instance per context
| @@ -31,15 +31,19 @@ public interface MemberAccessValueStack { | |||
| * @deprecated please use {@link #useExcludeProperties(Set)} | |||
| */ | |||
| @Deprecated | |||
| void setExcludeProperties(Set<Pattern> excludeProperties); | |||
| default void setExcludeProperties(Set<Pattern> excludeProperties) { | |||
| useExcludeProperties(excludeProperties); | |||
There was a problem hiding this comment.
Lifted the deprecated implementations into the interface for cleanliness
| @@ -234,6 +234,8 @@ public final class StrutsConstants { | |||
| /** The name of the parameter to determine whether static field access will be allowed in OGNL expressions or not */ | |||
| public static final String STRUTS_ALLOW_STATIC_FIELD_ACCESS = "struts.ognl.allowStaticFieldAccess"; | |||
|
|
|||
| public static final String STRUTS_MEMBER_ACCESS = "struts.securityMemberAccess"; | |||
| @@ -31,33 +31,6 @@ public void setUp() throws Exception { | |||
| ognlUtil = container.getInstance(OgnlUtil.class); | |||
| } | |||
|
|
|||
| public void testDefaultExcludes() { | |||
There was a problem hiding this comment.
Deleted tests whose functionality is covered elsewhere
| * Test a raw OgnlValueStackFactory and OgnlValueStack generated by it | ||
| * when no static access flags are set (not present in configuration). | ||
| */ | ||
| public void testOgnlValueStackFromOgnlValueStackFactoryNoFlagsSet() { |
There was a problem hiding this comment.
This flag is now a required constant so this test is no longer applicable
| } | ||
|
|
||
| @Test | ||
| public void defaultExclusionList() throws Exception { |
There was a problem hiding this comment.
Moved/rewrote some tests here from OgnlUtilTest
core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java
Outdated
Show resolved
Hide resolved
| @@ -385,6 +386,7 @@ protected Container createBootstrapContainer(List<ContainerProvider> providers) | |||
| builder.factory(ExpressionCacheFactory.class, DefaultOgnlExpressionCacheFactory.class, Scope.SINGLETON); | |||
| builder.factory(BeanInfoCacheFactory.class, DefaultOgnlBeanInfoCacheFactory.class, Scope.SINGLETON); | |||
| builder.factory(OgnlUtil.class, Scope.SINGLETON); | |||
| builder.factory(SecurityMemberAccess.class, Scope.PROTOTYPE); | |||
There was a problem hiding this comment.
I wonder if this is a good idea, attacker could get access to the SMA just by having access to the Container
There was a problem hiding this comment.
Given it's prototype scope, I don't believe it to make any difference
There was a problem hiding this comment.
That is, the container would return a new instance, and not the one that is being used by the ValueStack
There was a problem hiding this comment.
I meant it will be possible creating a new instance via containers methods, yet we excluded the whole package com.opensymphony.xwork2.inject which means attacker cannot use container in the first place.
There was a problem hiding this comment.
True, I also don't think there's anything useful an attacker can do with a fresh SecurityMemberAccess instance
|
Kudos, SonarCloud Quality Gate passed! |
There was a problem hiding this comment.
I'm good but please update the docs to address that a new extension has been added (or at least update the ticket to inform users about it)
https://struts.apache.org/plugins/plugins-architecture#extension-points
|
Documentation PR is here: apache/struts-site#213 |
WW-5343
This will allow applications to easily extend the capabilities of
SecurityMemberAccess. It additionally allows us to significantly simplify the configuration loading.