Does the ModelDriven interface poses a security explot in struts2?
background: I coded a struts2 ActionSupport class with ModelDriven. It\'s a hibernate/spring web app, using OSIV and attached entities in the view (JSP).
I received
-
Your architect is right, putting objects with access to sensitive information on the ValueStack poses a potential security risk. A malicious user could indeed reset the password with the above attack.
BUT:
Since he is an architect he should have designed ways for proper validation/restriction of input parameters. Using the ParamsInterceptor in Struts2 it's fairly easy to only allow specific parameters to be passed to an action. Thus, it's not your work that sucks, it's your system's architecture. Developers should be able to focus on implementing business logic. The infrastructure must be provided by the architect.
Cheers,
w
讨论(0) -
ModelDriven interceptor is blind
Yes Model Interface could be a source of security issue, if you do not handle incoming parameters you will face security holes.
You have to use parameter interceptor.
In the struts.xml change your params interceptor as:
<interceptor-ref name="params"> <param name="excludeParams">\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*</param> </interceptor-ref>Then in your action implement
ParameterNameAwareand writeacceptableParameterName.public class sample implements ParameterNameAware(){ public boolean acceptableParameterName(String parameterName) { if (("username".equals(parameterName) || "firstname".equals(parameterName) || "lastname".equals(parameterName)) return true; else return false; } }The above is important, if your User pojo has lots of other properties and only some of them should be get from user.
If you use lots of ModelDriven actions you can make it general.
Create an base action which extends the
ParameterNameAware. Then try to develop a general approach to have a list of your action and valid parameters :We used spring to read the list of actions and their acceptable parameters. In the spring xml we added:
<util:properties id="actionsValidParameters" location="classpath:/configs/actions-valid-parameters.properties" />The
actions-valid-parameters.propertiesis as :save-user=username,description,firstname,lastname save-address=zipcode,city,detail,detail.addLine1,detail.addLine2,detail.noHint, If Address Object has an Detail object and you want to fill some properties in the Detail object, make sure you include the 'detail' in above list.
The action is as
public class BaseActionSupport extends ActionSupport implements ParameterNameAware { @Resource(name = "actionsValidParameters") public Properties actionsValidParameters; @Override public boolean acceptableParameterName(String parameterName) { String actionName = ActionContext.getContext().getName(); String validParams = (String) actionsValidParameters.get(actionName); //If the action is not defined in the list, it is assumed that the action can accept all parameters. You can return false so if the action is not in the list no parameter is accepeted. It is up to you! if(StringUtils.isBlank(validParams)) return true; // Search all the list of parameters. //You can split the validParams to array and search array. Pattern pattern = Pattern.compile("(?<=^|,)" + parameterName + "(?=,|$)"); Matcher matcher = pattern.matcher(validParams); boolean accepeted = matcher.find(); LOG.debug( "The {} parameter is {} in action {}, Position (excluding the action name) {} , {} , mathced {} ", parameterName, accepeted, actionName, matcher.start(), matcher.end(), matcher.group()); return accepeted; } }Now wrtie your actions as
public class UserAction extends BaseActionSupport implements ModelDriven<User>{ }讨论(0)
加载中...
- 热议问题