发表新帖
发表新帖

Does the ModelDriven interface poses a security explot in struts2?

前端 未结
关注
2 910
情话喂你
情话喂你 2020-12-20 03:47

background: I coded a struts2 ActionSupport class with ModelDriven. It\'s a hibernate/spring web app, using OSIV and attached entities in the view (JSP).

I received

2条回答
  • 清酒与你
    清酒与你 (楼主)
    2020-12-20 04:05

    ModelDriven interceptor is blind

    Yes Model Interface could be a source of security issue, if you do not handle incoming parameters you will face security holes.

    You have to use parameter interceptor.

    In the struts.xml change your params interceptor as:

    
    \w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*

    Then in your action implement ParameterNameAware and write acceptableParameterName.

    public class sample implements ParameterNameAware(){
        public boolean acceptableParameterName(String parameterName) {  
       if (("username".equals(parameterName) || 
            "firstname".equals(parameterName) ||
            "lastname".equals(parameterName))
            return true;
        else
           return false;
    }

}

    The above is important, if your User pojo has lots of other properties and only some of them should be get from user.

    If you use lots of ModelDriven actions you can make it general.

    Create an base action which extends the ParameterNameAware . Then try to develop a general approach to have a list of your action and valid parameters :

    We used spring to read the list of actions and their acceptable parameters. In the spring xml we added:

    The actions-valid-parameters.properties is as :

    save-user=username,description,firstname,lastname
save-address=zipcode,city,detail,detail.addLine1,detail.addLine2,detail.no

    Hint, If Address Object has an Detail object and you want to fill some properties in the Detail object, make sure you include the 'detail' in above list.

    The action is as

    public class BaseActionSupport extends ActionSupport implements ParameterNameAware
{

@Resource(name = "actionsValidParameters")
public Properties actionsValidParameters;

@Override
public boolean acceptableParameterName(String parameterName) {

    String actionName = ActionContext.getContext().getName();
     String validParams = (String) actionsValidParameters.get(actionName);

    //If the action is not defined in the list, it is assumed that the action  can accept all parameters. You can return false so if the action is not in the list no parameter is accepeted. It is up to you!
    if(StringUtils.isBlank(validParams))
        return true;
    // Search all the list of parameters. 
            //You can split the validParams to array and search array.  
    Pattern pattern = Pattern.compile("(?<=^|,)" + parameterName
            + "(?=,|$)");
    Matcher matcher = pattern.matcher(validParams);
    boolean accepeted = matcher.find();
    LOG.debug(
            "The {} parameter is {} in action {}, Position (excluding the action name) {} , {} , mathced {} ",
            parameterName, accepeted, actionName, matcher.start(), matcher.end(),
            matcher.group());
    return accepeted;
    }

}

    Now wrtie your actions as 

      public class UserAction extends BaseActionSupport implements  
        ModelDriven{


}

    0 讨论(0)
 看不清?
提交回复
热议问题