Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version: 6.0.0
Description
It is known that developers utilizing Struts/Freemarker should always ensure proper sanitization to prevent OGNL/Freemarker evaluation of untrusted user input when values containing `%{` or `${` are passed from FTL into Struts tags.
These patterns aren't always practical to find and resolve, especially in legacy code. This isn't solely a legacy code issue, of course; it's just as easy to make the mistake in newer code.
The following would end up rendering 81.

Payload:
```
untrustedInput=%25%7B9%2A9%7D
```

FTL:
```
<@s.form theme="simple" action="${untrustedInput}" id="myForm4"> </@s.form>
```

Java:
```java
private String untrustedInput;

public String getUntrustedInput() {
    return untrustedInput;
}

public void setUntrustedInput(String untrustedInput) {
    this.untrustedInput = untrustedInput;
}
```
This ticket is to add an optional `params.excludeValuePatterns` so that ParametersInterceptor can itself drop an incoming parameter if the value matches a pattern to be excluded.
```xml
<param name="params.excludeValuePatterns">.*\$\{.*?\}.*,.*%\{.*?\}.*</param>
```
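To show what the proposed option does to a request, here is an added stand-alone example (not Struts' own ParametersInterceptor code): it compiles the comma-separated patterns from the `<param>` above, URL-decodes the ticket's payload the way the container would, and drops any parameter whose value fully matches one of the patterns. Compiling with `DOTALL` is an assumption made here so that `.*` also spans line breaks inside a value.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical stand-in for the value check the ticket proposes; not Struts code.
public class ExcludeValuePatternsDemo {

    // The patterns from the ticket's <param>, comma-separated, each a full-match regex.
    static final String EXCLUDE_VALUE_PATTERNS = ".*\\$\\{.*?\\}.*,.*%\\{.*?\\}.*";

    // Compiled once, as an interceptor would do when the param is set.
    static final Pattern[] EXCLUDE = compile(EXCLUDE_VALUE_PATTERNS);

    static Pattern[] compile(String csv) {
        String[] parts = csv.split(",");
        Pattern[] out = new Pattern[parts.length];
        for (int i = 0; i < parts.length; i++) {
            // DOTALL (assumption) so a value with embedded newlines is still covered.
            out[i] = Pattern.compile(parts[i].trim(), Pattern.DOTALL);
        }
        return out;
    }

    // True when the value matches any excluded pattern, i.e. the parameter must be dropped.
    static boolean isValueExcluded(String value) {
        for (Pattern p : EXCLUDE) {
            if (p.matcher(value).matches()) return true;
        }
        return false;
    }

    // Filter the decoded parameter map before any value reaches an action setter.
    static Map<String, String> filter(Map<String, String> params) {
        Map<String, String> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (isValueExcluded(e.getValue())) {
                System.out.println("dropped '" + e.getKey() + "': value matched excludeValuePatterns");
            } else {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed request: the ticket's URL-encoded payload plus a harmless parameter.
        Map<String, String> raw = new LinkedHashMap<>();
        raw.put("untrustedInput", URLDecoder.decode("%25%7B9%2A9%7D", StandardCharsets.UTF_8));
        raw.put("id", "myForm4");
        System.out.println("kept: " + filter(raw));
    }
}
```

Only `id` survives the filter; `untrustedInput` is dropped before `setUntrustedInput` is ever called, so the FTL tag never sees the `%{...}` expression.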
Since this is a pattern and would be executed against the values themselves, there is the potential of a performance impact; however, since it's optional, we shouldn't see any measurable impact when not enabled.
NOTE: I did add a `params.acceptValuePatterns` pattern that is null/disabled by default. This might not ever be used, but it mimics the Pattern matcher of the ParametersInterceptor/CookieInterceptor.