[
https://issues.apache.org/jira/browse/WW-5268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690670#comment-17690670
]
Kusal Kithul-Godage edited comment on WW-5268 at 2/18/23 1:25 AM:
------------------------------------------------------------------
[~yasserzamani] [~lukaszlenart]
Upon further thought, I might argue that any measure which makes security more
stringent or reduces the effort required to do so might be worthwhile. It would
obviously be better if a product had:
{noformat}
excludedPackageNames=com.example.mostlyunsafe
excludedPackageExemptClasses=com.example.mostlyunsafe.SafeClass
{noformat}
rather than nothing at all.
I also wanted to bring attention to another concern of mine. It wasn't
completely clear to me until reading the source code that the
`excludedPackageNames` only checks the package of the declaring and target
classes. Given that `excludedClasses` does an `#isAssignableFrom` check, I
would argue that for consistency, we should be checking the package of every
superclass and implemented interface against the `excludedPackageNames`.
Currently, it's easy to assume that adding classes from packages in
`excludedPackageNames` to `excludedClasses` is redundant when it actually isn't.
Any thoughts?
was (Author: JIRAUSER298544):
[~yasserzamani] [~lukaszlenart]
Upon further thought, I might argue that any measure which makes security more
stringent or reduces the effort required to do so might be worthwhile. It would
obviously be better if a product had:
{noformat}
excludedPackageNames=com.example.mostlyunsafe
excludedPackageExemptClasses=com.example.mostlyunsafe.SafeClass
{noformat}
rather than nothing at all.
I also wanted to bring attention to another concern of mine. It wasn't
completely clear to me until reading the source code that the
`excludedPackageNames` only checks the package of the declaring and member
classes. Given that `excludedClasses` does an `#isAssignableFrom` check, I
would argue that for consistency, we should be checking the package of every
superclass and implemented interface against the `excludedPackageNames`.
Currently, it's easy to assume that adding classes from packages in
`excludedPackageNames` to `excludedClasses` is redundant when it actually isn't.
Any thoughts?
> Add configuration option to exempt classes from OGNL package exclusions
> -----------------------------------------------------------------------
>
> Key: WW-5268
> URL: https://issues.apache.org/jira/browse/WW-5268
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.2.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> It is currently possible to exclude packages from OGNL evaluation using
> `struts.excludedPackageNamePatterns` and `struts.excludedPackageNames`.
> There may exist a scenario where you wish to have certain packages
> excluded/blocklisted by default, but exempt specific classes from these
> packages that have been assessed to be safe.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
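As an added illustration (it is neither Struts' SecurityMemberAccess nor code from this ticket), the small Java program below models the three checks discussed in the comment and in the issue description above: the package check that consults only the target class and the member's declaring class, the `excludedClasses` check that uses `Class#isAssignableFrom`, and the transitive variant the comment asks for, which walks every superclass and interface. It also wires in the proposed `excludedPackageExemptClasses` option. Assumptions of the demo, not facts about Struts: package names are matched exactly (Struts' own pattern and prefix handling is not reproduced), an exempt class is trusted as a whole so its supertypes are not walked, and the class name `MemberAccessDemo` and the `check` helper are hypothetical. The probes use real JDK classes: `java.util.zip.ZipOutputStream` lives outside `java.io` but inherits from `java.io.OutputStream`, which is exactly the gap the comment describes.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.lang.reflect.Method;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Stream;
import java.util.zip.ZipOutputStream;

// Added illustration for WW-5268, NOT Struts' SecurityMemberAccess; it models the
// semantics the ticket discusses. Assumptions: exact package-name matching,
// excludedPackageExemptClasses is the option name proposed in the ticket, and an
// exempt class is trusted as a whole (its supertypes are not walked). Java 16+.
public record MemberAccessDemo(Set<String> excludedPackageNames,
                               Set<String> excludedPackageExemptClasses,
                               Set<Class<?>> excludedClasses) {

    private boolean isExempt(Class<?> c) {
        return excludedPackageExemptClasses.contains(c.getName());
    }

    private boolean inExcludedPackage(Class<?> c) {
        Package p = c.getPackage();
        return p != null && excludedPackageNames.contains(p.getName());
    }

    // Package check as the comment describes it: only the target class and the
    // member's declaring class are consulted; supertypes are not walked.
    boolean isPackageExcluded(Class<?> target, Method member) {
        return Stream.of(target, member.getDeclaringClass())
                .anyMatch(c -> !isExempt(c) && inExcludedPackage(c));
    }

    // Class check: isAssignableFrom catches every subtype of an excluded class,
    // wherever that subtype lives.
    boolean isClassExcluded(Class<?> target, Method member) {
        return excludedClasses.stream().anyMatch(e ->
                e.isAssignableFrom(target) || e.isAssignableFrom(member.getDeclaringClass()));
    }

    // The consistency the comment asks for: the package check applied to every
    // superclass and interface of the target and declaring classes.
    boolean isPackageExcludedTransitively(Class<?> target, Method member) {
        return Stream.of(target, member.getDeclaringClass())
                .filter(c -> !isExempt(c))
                .flatMap(c -> supertypesOf(c).stream())
                .anyMatch(this::inExcludedPackage);
    }

    // The class itself plus every superclass and interface, transitively.
    static Set<Class<?>> supertypesOf(Class<?> c) {
        Set<Class<?>> seen = new LinkedHashSet<>();
        Deque<Class<?>> work = new ArrayDeque<>();
        work.push(c);
        while (!work.isEmpty()) {
            Class<?> cur = work.pop();
            if (!seen.add(cur)) continue;
            if (cur.getSuperclass() != null) work.push(cur.getSuperclass());
            for (Class<?> i : cur.getInterfaces()) work.push(i);
        }
        return seen;
    }

    // Hypothetical self-check helper: fails loudly if a probe disagrees with the claim.
    private static void check(String what, boolean actual, boolean expected) {
        if (actual != expected) throw new IllegalStateException(what + ": got " + actual);
        System.out.println(what + ": " + actual);
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // Probes built from real JDK classes so the demo runs offline. ZipOutputStream
        // (java.util.zip) extends DeflaterOutputStream -> FilterOutputStream -> OutputStream (java.io).
        Method println = PrintStream.class.getMethod("println", String.class);
        Method toByteArray = ByteArrayOutputStream.class.getMethod("toByteArray");
        Method zipWrite = ZipOutputStream.class.getMethod("write", byte[].class, int.class, int.class);

        // Config 1: exclude package java.io, exempt ByteArrayOutputStream, no excludedClasses.
        MemberAccessDemo packagesOnly = new MemberAccessDemo(
                Set.of("java.io"), Set.of("java.io.ByteArrayOutputStream"), Set.of());
        check("PrintStream.println blocked by package",
                packagesOnly.isPackageExcluded(PrintStream.class, println), true);
        check("ByteArrayOutputStream.toByteArray blocked (it is exempted)",
                packagesOnly.isPackageExcluded(ByteArrayOutputStream.class, toByteArray), false);
        // The gap: a subclass outside java.io passes the declaring/target package
        // check although its whole ancestry is in java.io.
        check("ZipOutputStream.write blocked by package",
                packagesOnly.isPackageExcluded(ZipOutputStream.class, zipWrite), false);
        check("ZipOutputStream.write blocked once supertypes are walked",
                packagesOnly.isPackageExcludedTransitively(ZipOutputStream.class, zipWrite), true);
        // Config 2: the same package exclusion plus OutputStream in excludedClasses.
        // Not redundant: isAssignableFrom closes the gap the package check leaves.
        MemberAccessDemo withClasses = new MemberAccessDemo(
                Set.of("java.io"), Set.of(), Set.<Class<?>>of(OutputStream.class));
        check("ZipOutputStream.write blocked by excludedClasses",
                withClasses.isClassExcluded(ZipOutputStream.class, zipWrite), true);
    }
}
```

Run with `javac MemberAccessDemo.java && java MemberAccessDemo` (Java 16 or later, for the record). With only `java.io` in `excludedPackageNames`, `ZipOutputStream.write` passes the declaring/target package check but is caught both by `excludedClasses={java.io.OutputStream}` and by the transitive package check, which is the non-redundancy the comment argues for. The demo also exposes a design question an exemption option raises once supertypes are walked: if `ByteArrayOutputStream` is exempted but its superclass `OutputStream` still matches `java.io`, the exemption is useless unless it short-circuits the walk for that class, which is the choice made here and should be stated explicitly in whatever the real option ends up doing.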