Kusal Kithul-Godage created WW-5287:
---------------------------------------
Summary: Make excludedPackageNames check more stringent
Key: WW-5287
URL: https://issues.apache.org/jira/browse/WW-5287
Project: Struts 2
Issue Type: Improvement
Components: Core
Affects Versions: 6.1.1
Reporter: Kusal Kithul-Godage
{{struts.excludedPackageNames}} and {{struts.excludedPackageNamePatterns}} only
do a check against the package of the declaring and target classes of an OGNL
expression target.
For more robust security, we should be checking the package of every superclass
and implemented interface. This will also be more consistent with
{{struts.excludedClasses}} which does an {{#isAssignableFrom}} check.
This is rather straightforward by leveraging the following methods, but will
come at a slight performance cost:
{{org.apache.commons.lang3.ClassUtils#getAllInterfaces}}
{{org.apache.commons.lang3.ClassUtils#getAllSuperclasses}}
Additionally, we should ensure that for any
{{struts.excludedPackageExemptClasses}}, an assignable class exists for every
matching excluded package (any matching interface or superclass).
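As an added illustration (not Struts' own SecurityMemberAccess code), the following hypothetical checker walks the full type hierarchy of the target class using the two ClassUtils methods named above and applies the exemption rule described here: a hierarchy member in an excluded package is only tolerated when some excludedPackageExemptClasses entry is assignable from it. The class name, the sub-package prefix match, and the sample configuration in main are assumptions for the example; it requires commons-lang3 on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.commons.lang3.ClassUtils;

/**
 * Hypothetical stricter package-exclusion check (not Struts' own SecurityMemberAccess).
 * Walks the whole type hierarchy of the target class instead of only the declaring
 * and target classes.
 */
public final class StrictPackageExclusionCheck {

    private final Set<String> excludedPackageNames;           // struts.excludedPackageNames
    private final List<Pattern> excludedPackageNamePatterns;  // struts.excludedPackageNamePatterns
    private final Set<Class<?>> excludedPackageExemptClasses; // struts.excludedPackageExemptClasses

    public StrictPackageExclusionCheck(Set<String> names, List<Pattern> patterns, Set<Class<?>> exempt) {
        this.excludedPackageNames = names;
        this.excludedPackageNamePatterns = patterns;
        this.excludedPackageExemptClasses = exempt;
    }

    /** The class itself, every superclass and every implemented interface (transitively). */
    static List<Class<?>> typeHierarchy(Class<?> clazz) {
        List<Class<?>> all = new ArrayList<>();
        all.add(clazz);
        all.addAll(ClassUtils.getAllSuperclasses(clazz));
        all.addAll(ClassUtils.getAllInterfaces(clazz));
        return all;
    }

    /** Exact-name or sub-package match first, then pattern match, mirroring the two settings. */
    boolean isExcludedPackage(Class<?> clazz) {
        Package pkg = clazz.getPackage();
        if (pkg == null) {
            return false; // primitives and arrays carry no package
        }
        String name = pkg.getName();
        for (String excluded : excludedPackageNames) {
            if (name.equals(excluded) || name.startsWith(excluded + ".")) {
                return true;
            }
        }
        for (Pattern pattern : excludedPackageNamePatterns) {
            if (pattern.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    /** An exemption covers a hit only if an exempt class is assignable from that hit. */
    boolean isCoveredByExemption(Class<?> hit) {
        for (Class<?> exempt : excludedPackageExemptClasses) {
            if (exempt.isAssignableFrom(hit)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hierarchy members that sit in an excluded package and are not covered by an
     * exemption. Access should be denied whenever this list is non-empty.
     */
    public List<Class<?>> uncoveredExcludedTypes(Class<?> target) {
        List<Class<?>> offending = new ArrayList<>();
        for (Class<?> type : typeHierarchy(target)) {
            if (isExcludedPackage(type) && !isCoveredByExemption(type)) {
                offending.add(type);
            }
        }
        return offending;
    }

    public boolean isBlocked(Class<?> target) {
        return !uncoveredExcludedTypes(target).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed configuration: exclude java.lang by name and java.util.* by pattern,
        // but exempt java.util.Collection and everything assignable to it.
        StrictPackageExclusionCheck check = new StrictPackageExclusionCheck(
                Set.of("java.lang"),
                List.of(Pattern.compile("^java\\.util.*")),
                Set.<Class<?>>of(java.util.Collection.class));

        // java.util.ArrayList itself is covered by the Collection exemption, but its
        // hierarchy also contains java.lang.Object, java.lang.Iterable and java.lang.Cloneable,
        // none of which is assignable to Collection, so the stricter walk still blocks it.
        System.out.println("ArrayList blocked: " + check.isBlocked(java.util.ArrayList.class));
        System.out.println("uncovered types: " + check.uncoveredExcludedTypes(java.util.ArrayList.class));
    }
}
```

The performance cost mentioned above comes from the two ClassUtils calls per access; a production version would cache the hierarchy (or the verdict) per target class rather than recompute it on every OGNL evaluation.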
--
This message was sent by Atlassian Jira
(v8.20.10#820010)