com.atlassian.crowd.xwork.interceptors
Class SafeParametersInterceptor
java.lang.Object
com.atlassian.crowd.xwork.interceptors.SafeParametersInterceptor
- All Implemented Interfaces:
- com.opensymphony.xwork.interceptor.Interceptor, Serializable
public class SafeParametersInterceptor
- extends Object
- implements com.opensymphony.xwork.interceptor.Interceptor
Injects submitted form parameters into action properties. This implementation performs whitelist-based
sanity checks on incoming parameters before allowing OGNL to perform any potentially dangerous operations on
an action, closing off an entire category of parameter injection attacks.
Parameters that set a value on an action directly will be allowed, as will index-based setters for collections
of values. However:
- To defend against possible OGNL vulnerabilities (especially Unicode attacks), parameter names will be
filtered so that only ASCII alphanumeric characters (plus the underscore, square brackets and apostrophes) are permitted
- If the dot-notation is used to access some property on an action (e.g. a parameter called "search.query"),
the type returned from the getter (getSearch()) MUST have the @ParameterSafe annotation for the parameter
to be accepted, or the getter method itself must have the @ParameterSafe annotation
- If the map-notation is used to access some property on an action (e.g. a parameter called "map['key']"),
the getter method must have the @ParameterSafe annotation
These last two checks (the @ParameterSafe checks for dot- and map-notation) can be skipped by setting
disableAnnotationChecks. When disabled, this interceptor still prevents Unicode attacks (amongst other things)
but allows dot/map traversal of any POJO retrievable from an action. To disable, use a param, e.g.
<interceptor name="params" class="com.atlassian.crowd.xwork.interceptors.SafeParametersInterceptor">
<param name="disableAnnotationChecks">true</param>
</interceptor>
Portions of this class are copied from XWork under the Apache license, Copyright (c) 2002-2003 by OpenSymphony
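The three rules above (character whitelist, dot-notation check, map-notation check) and the effect of disableAnnotationChecks, as a simplified worked example. This is added illustration code, not the interceptor's own source: the ParameterSafe annotation, the DemoAction class and the sample parameter names are all constructed here, and the example assumes the dot character is permitted by the name filter (the page's dot-notation rule could not apply otherwise). Mixed forms such as an index followed by a dot are handled by the stricter dot-notation rule.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class SafeParameterNameDemo {

    // Hypothetical stand-in for the @ParameterSafe annotation the page refers to;
    // the real annotation is part of Atlassian's code, not of this example.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface ParameterSafe {}

    // Rule 1: only ASCII alphanumerics, underscore, square brackets and apostrophes.
    // The dot is assumed to be permitted too, otherwise dot-notation could never be reached.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_\\[\\]'.]+");

    // Mirrors the disableAnnotationChecks param from the interceptor configuration
    private final boolean disableAnnotationChecks;

    SafeParameterNameDemo(boolean disableAnnotationChecks) {
        this.disableAnnotationChecks = disableAnnotationChecks;
    }

    static boolean isAcceptableName(String name) {
        return SAFE_NAME.matcher(name).matches();
    }

    boolean isAllowed(Class<?> actionClass, String paramName) {
        if (!isAcceptableName(paramName)) {
            return false;                       // fails the character whitelist (e.g. Unicode, '=', '#')
        }
        int dot = paramName.indexOf('.');
        int bracket = paramName.indexOf('[');
        if (dot < 0 && bracket < 0) {
            return true;                        // plain property: action.setX(...)
        }
        // First property on the path, e.g. "search" in "search.query" or "map" in "map['key']"
        int end = Math.min(dot < 0 ? Integer.MAX_VALUE : dot, bracket < 0 ? Integer.MAX_VALUE : bracket);
        String first = paramName.substring(0, end);
        if (first.isEmpty()) {
            return false;                       // "[0]" or ".x": no property to resolve
        }
        boolean mapNotation = paramName.startsWith(first + "['");
        if (dot < 0 && !mapNotation) {
            return true;                        // index-based setter, e.g. items[0]
        }
        if (disableAnnotationChecks) {
            return true;                        // traversal of any POJO is allowed
        }
        Method getter = findGetter(actionClass, first);
        if (getter == null) {
            return false;
        }
        if (dot >= 0) {
            // Rule 2 (dot-notation): the getter or its return type must be @ParameterSafe
            return getter.isAnnotationPresent(ParameterSafe.class)
                || getter.getReturnType().isAnnotationPresent(ParameterSafe.class);
        }
        // Rule 3 (map-notation): the getter itself must be @ParameterSafe
        return getter.isAnnotationPresent(ParameterSafe.class);
    }

    private static Method findGetter(Class<?> actionClass, String property) {
        String name = "get" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
        try {
            return actionClass.getMethod(name);
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    // Constructed sample action and property types for the demo
    static class Search { public String query; }                 // neither type nor getter annotated
    @ParameterSafe static class Filter { public String term; }   // type annotated

    public static class DemoAction {
        public void setName(String name) {}
        public Search getSearch() { return new Search(); }
        public Filter getFilter() { return new Filter(); }
        @ParameterSafe public Map<String, String> getOptions() { return new HashMap<>(); }
        public Map<String, String> getHeaders() { return new HashMap<>(); }
    }

    public static void main(String[] args) {
        SafeParameterNameDemo strict = new SafeParameterNameDemo(false);
        SafeParameterNameDemo relaxed = new SafeParameterNameDemo(true);
        String[] names = {
            "name", "items[0]", "search.query", "filter.term",
            "options['x']", "headers['x']", "nam\u00e9", "#context", "name=1"
        };
        for (String n : names) {
            System.out.printf("%-16s strict=%-5b relaxed=%b%n",
                n, strict.isAllowed(DemoAction.class, n), relaxed.isAllowed(DemoAction.class, n));
        }
    }
}
```

With the annotation checks enabled, "search.query" and "headers['x']" are rejected while "filter.term" and "options['x']" pass; with disableAnnotationChecks set, all four pass, but the three names that fail the character whitelist are rejected in both modes.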
- See Also:
- Serialized Form
Field Summary
static org.slf4j.Logger log
Method Summary
protected void before(com.opensymphony.xwork.ActionInvocation invocation)
void destroy()
void init()
String intercept(com.opensymphony.xwork.ActionInvocation invocation)
void setDisableAnnotationChecks(boolean disableAnnotationChecks)
protected boolean shouldNotIntercept(com.opensymphony.xwork.ActionInvocation actionInvocation)
The implementation of this method should evaluate whether the passed-in actionInvocation.getAction()
is of type NoParameters; if it is, we should not bother intercepting.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
log
public static final org.slf4j.Logger log
SafeParametersInterceptor
public SafeParametersInterceptor()
init
public void init()
- Specified by:
init
in interface com.opensymphony.xwork.interceptor.Interceptor
destroy
public void destroy()
- Specified by:
destroy
in interface com.opensymphony.xwork.interceptor.Interceptor
intercept
public String intercept(com.opensymphony.xwork.ActionInvocation invocation)
throws Exception
- Specified by:
intercept
in interface com.opensymphony.xwork.interceptor.Interceptor
- Throws:
Exception
setDisableAnnotationChecks
public void setDisableAnnotationChecks(boolean disableAnnotationChecks)
shouldNotIntercept
protected boolean shouldNotIntercept(com.opensymphony.xwork.ActionInvocation actionInvocation)
- The implementation of this method should evaluate whether the passed-in actionInvocation.getAction()
is of type NoParameters; if it is, we should not bother intercepting.
The reason for this abstract class is so we are compatible with both 1.0.3 and 1.2.3 of XWork.
- Parameters:
actionInvocation - the action invocation being intercepted
- Returns:
- true if we are not of type NoParameters
before
protected void before(com.opensymphony.xwork.ActionInvocation invocation)
throws Exception
- Throws:
Exception
Copyright © 2013 Atlassian. All Rights Reserved.