Struts 2 / WW-4939

Use securely generated constants


Details

    • Type: Improvement
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 6.1.0
    • Component/s: Core
    • Labels: None

    Description

      Right now all the constants are well known and can be used in exploits, e.g. public static final String ACTION_MAPPING = "struts.actionMapping";

      Instead of using string literals we should generate random strings at runtime, so that the literals cannot be used directly in exploits. Users can still reference the constants in their code, but not in dynamic expressions.

          // Shared source of randomness; SecureRandom so the value cannot be predicted (java.security.SecureRandom).
          private static final SecureRandom RANDOM = new SecureRandom();

          public static final String AUTH_TOKEN = generateUUID();

          public static String generateUUID() {
              // 165 random bits rendered in base 36 (java.math.BigInteger), up to 32 upper-case characters.
              return new BigInteger(165, RANDOM).toString(36).toUpperCase();
          }


      This will probably break backward compatibility, but relying on the string literals instead of the constants is bad practice on the users' side anyway.
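      As an added illustration of the proposal (not code from this issue or from Struts itself), a self-contained sketch in which the attribute name is generated once per JVM with SecureRandom; the class name RuntimeKeys, the CONTEXT map and the sample mapping value are made-up stand-ins for a value stack keyed by attribute name.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch of the proposal: the key name is fixed for the lifetime of
// the JVM but unknowable in advance, so an expression string carrying the old
// literal "struts.actionMapping" no longer resolves the attribute.
public final class RuntimeKeys {
    private static final SecureRandom RANDOM = new SecureRandom();

    // Same construction as in the issue: 165 random bits rendered in base 36,
    // which yields an upper-case token of up to 32 characters.
    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    // Generated once per class load; identical for every caller in this JVM.
    public static final String ACTION_MAPPING = generateUUID();

    // Stand-in for a value stack / request context keyed by attribute name.
    private static final Map<String, Object> CONTEXT = new HashMap<>();

    public static void main(String[] args) {
        CONTEXT.put(ACTION_MAPPING, "mapping-for-/index.action");

        // Code compiled against the constant keeps working.
        System.out.println("by constant: " + CONTEXT.get(ACTION_MAPPING));

        // A hard-coded name, e.g. from an expression supplied at runtime, misses.
        System.out.println("by literal:  " + CONTEXT.get("struts.actionMapping"));

        // Caveat: the key is per JVM. Anything persisted under it (a serialized
        // session, a cluster peer) will not match after a restart.
        System.out.println("stable across JVMs: " + ACTION_MAPPING.equals(generateUUID()));
    }
}
```

      The last line is the compatibility cost the issue alludes to: two JVMs (or one JVM before and after a restart) never agree on the key, so nothing stored under it may be persisted or shared.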


          People

            Assignee: Unassigned
            Reporter: Lukasz Lenart (lukaszlenart)
