
WW-5428 Allowlist capability should resolve Hibernate proxies when disableProxyObjects is not set

Open kusalk opened this issue 1 year ago • 3 comments

WW-5428

The OGNL allowlist capability cannot resolve proxy objects and thus will not work in applications where proxy objects such as Spring beans and Hibernate entities are accessed via OGNL.

Allowing access to such objects via OGNL is not recommended anyway as such access can be used to escalate an SSTI vulnerability.

However, given there seem to be many applications that still rely on accessing Hibernate entities directly, it would still offer much greater security in these cases if the allowlist were enabled with exemptions for Hibernate proxies, rather than disabled altogether.

As such, in this PR, if an application is configured with struts.disallowProxyObjectAccess=false, the allowlist capability will resolve the underlying class of any Hibernate proxies and enforce the allowlist against this class instead.

kusalk avatar Jun 17 '24 11:06 kusalk
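To illustrate the behaviour this PR describes (enforcing the allowlist against the underlying entity class of a Hibernate proxy when `struts.disallowProxyObjectAccess=false`, and rejecting proxies outright when it is left at its default), here is an added, self-contained example. It is not Struts' own allowlist implementation: the `EntityProxy` interface stands in for Hibernate's `org.hibernate.proxy.HibernateProxy` (whose `getHibernateLazyInitializer().getPersistentClass()` yields the entity class), and `Customer`, `CustomerProxy` and the allowlist contents are constructed sample data.

```java
import java.util.Set;

// Added example, not code from the Struts project. Shows an OGNL-style
// allowlist check that, when proxy access is permitted, resolves a proxy to
// its underlying entity class and checks *that* class against the allowlist,
// rather than letting the proxy's generated class slip past the check.
public class ProxyAwareAllowlist {

    // Assumption: stand-in for org.hibernate.proxy.HibernateProxy. With real
    // Hibernate the persistent class comes from
    // proxy.getHibernateLazyInitializer().getPersistentClass().
    interface EntityProxy {
        Class<?> getPersistentClass();
    }

    private final Set<String> allowedClassNames;
    private final boolean disallowProxyObjectAccess; // mirrors struts.disallowProxyObjectAccess

    ProxyAwareAllowlist(Set<String> allowedClassNames, boolean disallowProxyObjectAccess) {
        this.allowedClassNames = allowedClassNames;
        this.disallowProxyObjectAccess = disallowProxyObjectAccess;
    }

    // Resolve the class the allowlist should be enforced against: the entity
    // class for a proxy, the object's own class otherwise.
    Class<?> resolveTargetClass(Object target) {
        if (target instanceof EntityProxy) {
            return ((EntityProxy) target).getPersistentClass();
        }
        return target.getClass();
    }

    boolean isAccessAllowed(Object target) {
        if (target == null) {
            return false;
        }
        boolean isProxy = target instanceof EntityProxy;
        // Default posture: proxies are never reachable through OGNL, so the
        // allowlist is not even consulted for them.
        if (isProxy && disallowProxyObjectAccess) {
            return false;
        }
        // Lenient posture: unwrap the proxy and apply the allowlist to the
        // real entity class, so only explicitly allowed entities are exposed.
        Class<?> clazz = resolveTargetClass(target);
        return allowedClassNames.contains(clazz.getName());
    }

    // Constructed sample entity and a hand-written proxy for it.
    static class Customer {
        String name = "alice";
    }

    static class CustomerProxy extends Customer implements EntityProxy {
        @Override
        public Class<?> getPersistentClass() {
            return Customer.class;
        }
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of(Customer.class.getName());
        ProxyAwareAllowlist strict = new ProxyAwareAllowlist(allowed, true);
        ProxyAwareAllowlist lenient = new ProxyAwareAllowlist(allowed, false);

        Customer plain = new Customer();
        Customer proxy = new CustomerProxy();

        // Plain entity: allowlisted under either policy.
        System.out.println("strict, plain entity:   " + strict.isAccessAllowed(plain));
        // Proxy under the default policy: rejected before the allowlist is consulted.
        System.out.println("strict, proxy:          " + strict.isAccessAllowed(proxy));
        // Proxy under the lenient policy: resolved to Customer, then allowlisted.
        System.out.println("lenient, proxy:         " + lenient.isAccessAllowed(proxy));
        // Unrelated class under the lenient policy: still blocked by the allowlist.
        System.out.println("lenient, other object:  " + lenient.isAccessAllowed(new Object()));
    }
}
```

The point of resolving the target class is that a proxy's runtime class is a generated subclass whose name would never appear in an allowlist; without unwrapping, enabling `struts.disallowProxyObjectAccess=false` would force operators to disable the allowlist entirely, which is the situation the PR is trying to avoid.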

Is it ready for review?

lukaszlenart avatar Jun 28 '24 07:06 lukaszlenart

@lukaszlenart I need to add coverage, will try to get it done this weekend

kusalk avatar Jun 28 '24 07:06 kusalk

Quality Gate failed

Failed conditions
8 Security Hotspots
28.7% Coverage on New Code (required ≥ 80%)
4.0% Duplication on New Code (required ≤ 3%)
E Security Rating on New Code (required ≥ A)
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

sonarqubecloud[bot] avatar Jul 08 '24 10:07 sonarqubecloud[bot]