[WW-4939] Use securely generated constants - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Critical
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: None
Component/s: Core
Labels:
None

Description

Right now all the constants are well know and can be used in exploits, ie. public static final String ACTION_MAPPING = "struts.actionMapping";

Instead of using string literals we should generate random strings at runtime to avoid using literals directly in exploits. Users can still use the constants in their code but not in dynamic expressions.

    public static final String AUTH_TOKEN = generateUUID();

    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

This will probably break backward compatibility but using string literals instead of the constants by the users is a bad practice anyway.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Lukasz Lenart

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 29/May/18 12:41

Updated:: 17/Oct/22 05:25

Resolved:: 17/Oct/22 05:25