Struts 2 / WW-3537

XSRF flaw in struts2/trunk/plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.1.1
    • Component/s: Plugin - REST
    • Labels: None
    • Flags: Important

      Description

      I believe I've just found a major XSRF flaw in the REST plugin's RestActionMapper.

      See http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 for more details concerning XSRF.

      When manually performing a GET request on a create() method using the name!method convention, the create() method actually gets invoked (btw, the model is also populated).
      As far as I can see, ANY of the operations with side effects (create, update, destroy) can be invoked this way (using a GET request).

      The code in RestActionMapper seems to totally ignore the HTTP method used:

      // handle "name!method" convention.
      String name = mapping.getName();
      int exclamation = name.lastIndexOf("!");

      if (exclamation != -1) {
          mapping.setName(name.substring(0, exclamation));
          mapping.setMethod(name.substring(exclamation + 1));
      }

      Most other REST frameworks use annotations like @GET/@POST or similar mechanisms on the controller methods in order to make sure that the correct method is used, otherwise yielding a 400 BAD REQUEST or similar.

      Has this issue been addressed before?

      In the current state, I would not recommend using the REST plugin for production use.
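      The following is an added illustration, not code from the Struts REST plugin or from the reporter, of the kind of guard the report asks for: the name!method convention is still parsed, but the resolved method is then checked against the HTTP verb the request actually arrived with, so a side-effecting method reached via GET is refused. The class name BangMethodGuard, the ActionTarget type, the resolve() method and the verb table are all hypothetical; a real deployment that tunnels PUT/DELETE through POST with a _method parameter would apply that override before this check.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical guard (added example, not Struts code) that binds the
 * "name!method" bang convention to the HTTP verb of the request.
 */
public class BangMethodGuard {

    /** Outcome of resolving a request: action name, bang method, and whether it may run. */
    public static final class ActionTarget {
        public final String name;
        public final String method;   // null when no "!method" suffix was present
        public final boolean allowed;

        ActionTarget(String name, String method, boolean allowed) {
            this.name = name;
            this.method = method;
            this.allowed = allowed;
        }

        @Override
        public String toString() {
            return name + (method == null ? "" : "!" + method)
                    + (allowed ? " -> allowed" : " -> denied");
        }
    }

    /** Verbs through which each side-effecting REST method may be invoked (assumed table). */
    private static final Map<String, Set<String>> VERBS_FOR_METHOD = Map.of(
            "create",  Set.of("POST"),
            "update",  Set.of("PUT"),
            "destroy", Set.of("DELETE"));

    /** Read-only methods that are safe to reach with any verb (assumed list). */
    private static final Set<String> READ_ONLY = Set.of("index", "show", "edit", "editNew");

    /**
     * Parses "name!method" exactly as the mapper does, then decides whether the
     * resolved method is permitted for the given HTTP verb. Unknown methods are
     * denied by default rather than silently invoked.
     */
    public static ActionTarget resolve(String httpMethod, String rawName) {
        String name = rawName;
        String method = null;
        int exclamation = rawName.lastIndexOf('!');
        if (exclamation != -1) {
            name = rawName.substring(0, exclamation);
            method = rawName.substring(exclamation + 1);
        }
        if (method == null) {
            // No bang suffix: the verb-to-method mapping of the REST plugin applies unchanged.
            return new ActionTarget(name, null, true);
        }
        String verb = httpMethod.toUpperCase(Locale.ROOT);
        Set<String> permitted = VERBS_FOR_METHOD.get(method);
        boolean allowed = (permitted != null)
                ? permitted.contains(verb)      // side-effecting method: verb must match
                : READ_ONLY.contains(method);   // otherwise only known read-only methods pass
        return new ActionTarget(name, method, allowed);
    }

    public static void main(String[] args) {
        System.out.println(resolve("GET",    "orders!create"));   // denied: GET must not create
        System.out.println(resolve("POST",   "orders!create"));   // allowed
        System.out.println(resolve("GET",    "orders!destroy"));  // denied
        System.out.println(resolve("DELETE", "orders!destroy"));  // allowed
        System.out.println(resolve("GET",    "orders!show"));     // allowed: read-only
        System.out.println(resolve("GET",    "orders!whatever")); // denied: unknown method
        System.out.println(resolve("GET",    "orders"));          // allowed: no bang suffix
    }
}
```

      A denied ActionTarget would be turned into a 405 Method Not Allowed (or the 400 the reporter mentions) by the caller; the point of the example is that the decision is made from the request's verb, not from the string in the URL alone.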

        Activity

        Stefan Magnus Landrø created issue.
        Lukasz Lenart made changes:
          Resolution: (none) -> Fixed [1]
          Status: Open [1] -> Resolved [5]
          Assignee: (none) -> Lukasz Lenart [lukaszlenart]
        Lukasz Lenart made changes:
          Status: Resolved [5] -> Closed [6]

          People

          • Assignee: Lukasz Lenart
          • Reporter: Stefan Magnus Landrø
          • Votes: 0
          • Watchers: 0
