Class SafeParametersInterceptor

java.lang.Object
com.opensymphony.xwork2.interceptor.AbstractInterceptor
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor
com.opensymphony.xwork2.interceptor.ParametersInterceptor
com.atlassian.crowd.xwork.interceptors.SafeParametersInterceptor
All Implemented Interfaces:
com.opensymphony.xwork2.interceptor.Interceptor, Serializable

public class SafeParametersInterceptor extends com.opensymphony.xwork2.interceptor.ParametersInterceptor
Injects submitted form parameters into action properties. This implementation performs white-list based sanity checks on incoming parameters before allowing OGNL to perform any potentially dangerous operations on an action, closing off an entire category of parameter injection attacks.

Parameters that set a value on an action directly will be allowed. However:

  1. To defend against possible OGNL vulnerabilities (especially Unicode attacks), parameter names are filtered so that only ASCII alphanumeric characters (plus the underscore) are permitted.
  2. The dot notation (e.g. a parameter called "search.query"), the map notation (e.g. a parameter called "map['key']") and the index-based notation (e.g. a parameter called "list[1]") are not allowed.
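The whitelist described above, as an added illustration rather than Crowd's own implementation: the override keeps the parent's checks and adds an explicit ASCII-only name filter. It assumes XWork 2.x is on the classpath (for `ParametersInterceptor`); the class name `ExampleSafeParametersInterceptor` and the helper `isSafeName` are hypothetical.

```java
import java.util.regex.Pattern;

import com.opensymphony.xwork2.interceptor.ParametersInterceptor;

/**
 * Added illustration of the whitelist described above; not Crowd's own code.
 * A parameter name passes only if it consists solely of ASCII letters, digits
 * and underscores, so the dot, map and index notations, as well as any
 * non-ASCII characters, are rejected before OGNL ever evaluates the name.
 */
public class ExampleSafeParametersInterceptor extends ParametersInterceptor {

    // Explicit ASCII class on purpose: \w and \p{Alnum} can be widened to
    // Unicode by compile flags, which would reopen the hole this closes.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_]+");

    /** The character whitelist by itself, so it can be exercised without a request. */
    static boolean isSafeName(String name) {
        // matches() requires the whole name to match; "+" rejects the empty name.
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    @Override
    protected boolean isAcceptableParameter(String name, Object action) {
        // Keep the parent's checks (length limit, excluded/accepted patterns)
        // and apply the stricter character whitelist on top of them.
        return isSafeName(name) && super.isAcceptableParameter(name, action);
    }

    /** Stand-alone demonstration of which names the whitelist admits. */
    public static void main(String[] args) {
        String[] names = {
            "username",         // plain property: accepted
            "search_query",     // underscore: accepted
            "search.query",     // dot notation: rejected
            "map['key']",       // map notation: rejected
            "list[1]",          // index notation: rejected
            "user\u00e9name"    // non-ASCII letter: rejected
        };
        for (String n : names) {
            System.out.printf("%-14s -> %s%n", n, isSafeName(n) ? "accepted" : "rejected");
        }
    }
}
```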

Portions of this class are copied from XWork under the Apache license, Copyright (c) 2002-2003 by OpenSymphony

  • Field Summary

    Fields inherited from class com.opensymphony.xwork2.interceptor.ParametersInterceptor

    ordered, PARAM_NAME_MAX_LENGTH

    Fields inherited from class com.opensymphony.xwork2.interceptor.MethodFilterInterceptor

    excludeMethods, includeMethods
  • Constructor Summary

    Constructors
    Constructor
    Description
    SafeParametersInterceptor()
  • Method Summary

    Modifier and Type
    Method
    Description
    protected boolean
    isAcceptableParameter(String name, Object action)

    Methods inherited from class com.opensymphony.xwork2.interceptor.ParametersInterceptor

    acceptableName, addParametersToContext, doIntercept, getOrderedComparator, getParameterLogMap, isAccepted, isExcluded, isOrdered, isWithinLengthLimit, notifyDeveloperParameterException, retrieveParameters, setAcceptedPatterns, setAcceptParamNames, setDevMode, setExcludedPatterns, setExcludeParams, setOrdered, setParameters, setParamNameMaxLength, setValueStackFactory

    Methods inherited from class com.opensymphony.xwork2.interceptor.MethodFilterInterceptor

    applyInterceptor, getExcludeMethodsSet, getIncludeMethodsSet, intercept, setExcludeMethods, setIncludeMethods

    Methods inherited from class com.opensymphony.xwork2.interceptor.AbstractInterceptor

    destroy, init

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SafeParametersInterceptor

      public SafeParametersInterceptor()
  • Method Details

    • isAcceptableParameter

      protected boolean isAcceptableParameter(String name, Object action)
      Overrides:
      isAcceptableParameter in class com.opensymphony.xwork2.interceptor.ParametersInterceptor