fix(json-plugin): WW-5624 enforce @StrutsParameter in JSONPopulator.populateObject()#1651
fix(json-plugin): WW-5624 enforce @StrutsParameter in JSONPopulator.populateObject()#1651tranquac wants to merge 1 commit intoapache:mainfrom
Conversation
…bject() JSONPopulator.populateObject() uses Method.invoke() to set action properties from JSON input, bypassing the @StrutsParameter annotation check that ParametersInterceptor enforces for URL parameters. This allows mass assignment of unannotated properties via JSON request body. Add @StrutsParameter annotation check before Method.invoke() in JSONPopulator, gated by the existing struts.parameters.requireAnnotations setting. When enabled, only setters annotated with @StrutsParameter are populated from JSON input, consistent with ParametersInterceptor. Wire the requireAnnotations setting from StrutsConstants into JSONInterceptor -> JSONPopulator via @Inject.
|
Could you create a JIRA ticket first? I can include also changes in #1652 |
|
I requested a Jira account! And i will create create a JIRA ticket soon! |
|
I created JIRA ticket for this issue: https://issues.apache.org/jira/projects/WW/issues/WW-5624?filter=allissues |
lukaszlenart
changed the title
|
Thanks for reporting this. The issue in the JSON plugin looks valid: That said, I don't think this fix is sufficient as-is. In Struts, My main concern is that I think the right direction is to align the JSON plugin with the shared parameter-binding authorization rules used by |
|
Thanks for your feedback. I will quickly create a fullfill patch based on your comment. I will notify you when it's finished and create a new PR. |
2 participants
Summary
JSONPopulator.populateObject()in the struts2-json-plugin sets action properties via direct Java reflection (Method.invoke()) without checking the@StrutsParameterannotation. This bypasses the parameter allowlisting thatParametersInterceptorenforces for URL parameters, enabling mass assignment of unannotated properties via JSON request body.Changes
@StrutsParameterannotation check beforeMethod.invoke(). Whenstruts.parameters.requireAnnotationsis enabled and the setter lacks the annotation, the property is skipped with a debug log message.struts.parameters.requireAnnotationssetting via@InjectintoJSONPopulator.setRequireAnnotations().Impact
Without this fix:
With this fix, both pathways consistently enforce
@StrutsParameter.Test
A PoC application with 8 test cases demonstrates the bypass and fix. An action with
@StrutsParameter-annotated setter (setUsername) and unannotated setters (setRole,setAdmin) shows that JSON body sets unannotated fields before the fix, and blocks them after.