Package com.atlassian.crowd.xwork.interceptors

Class SafeParametersInterceptor

java.lang.Object

org.apache.struts2.interceptor.AbstractInterceptor

org.apache.struts2.interceptor.MethodFilterInterceptor

org.apache.struts2.interceptor.parameter.ParametersInterceptor

com.atlassian.crowd.xwork.interceptors.SafeParametersInterceptor

All Implemented Interfaces:

Serializable, org.apache.struts2.interceptor.ConditionalInterceptor, org.apache.struts2.interceptor.Interceptor

public class SafeParametersInterceptor
extends org.apache.struts2.interceptor.parameter.ParametersInterceptor

Injects submitted form parameters into action properties. This implementation performs white-list based sanity checks on incoming parameters before allowing OGNL to perform any potentially dangerous operations on an action, closing off an entire category of parameter injection attacks.

Parameters that set a value on an action directly will be allowed. However:

1. To defend against possible OGNL vulnerabilities (especially Unicode attacks), parameter names will be filtered so only ascii alphanumeric characters (plus the underscore) are permitted

The dot-notation (i.e. a parameter called "search.query"), the map-notation (i.e. a parameter called "map['key']") and the index-based notation (i.e., a parameter called "list[1]") are not allowed.

Portions of this class are copied from XWork under the Apache license, Copyright (c) 2002-2003 by OpenSymphony

See Also:

• Serialized Form

Field Summary

Fields inherited from class org.apache.struts2.interceptor.parameter.ParametersInterceptor

ordered, PARAM_NAME_MAX_LENGTH, requireAnnotations, requireAnnotationsTransitionMode, threadAllowlist

Fields inherited from class org.apache.struts2.interceptor.MethodFilterInterceptor

excludeMethods, includeMethods

Constructor Summary

Constructors

Constructor	Description
SafeParametersInterceptor()

Method Summary

Modifier and Type	Method	Description
protected boolean	isAcceptableParameter(String name, Object action)

Methods inherited from class org.apache.struts2.interceptor.parameter.ParametersInterceptor

addParametersToContext, allowlistClass, allowlistFieldIfParameterized, allowlistParameterizedTypeArg, allowlistParamType, allowlistReturnTypeIfParameterized, applyMemberAccessProperties, applyParameters, applyParametersOnStack, batchApplyReflectionContextState, doIntercept, getBeanInfo, getOrderedComparator, getParameterAnnotation, getParameterLogMap, getPermittedInjectionDepth, hasValidAnnotatedField, hasValidAnnotatedMember, hasValidAnnotatedPropertyDescriptor, initNewHttpParameters, initParameterMap, isAcceptableName, isAcceptableParameterNameAware, isAcceptableParameterValue, isAcceptableParameterValueAware, isAcceptableValue, isAccepted, isExcluded, isOrdered, isParameterAnnotatedAndAllowlist, isParamValueAccepted, isParamValueExcluded, isWithinLengthLimit, notifyDeveloperParameterException, retrieveParameters, setAcceptedPatterns, setAcceptedValuePatterns, setAcceptParamNames, setDevMode, setDynamicMethodInvocation, setExcludedPatterns, setExcludedValuePatterns, setExcludeParams, setOrdered, setParamNameMaxLength, setRequireAnnotations, setRequireAnnotationsTransitionMode, setThreadAllowlist, setValueStackFactory, toAcceptableParameters, toNewStack

Methods inherited from class org.apache.struts2.interceptor.MethodFilterInterceptor

applyInterceptor, getExcludeMethodsSet, getIncludeMethodsSet, intercept, setExcludeMethods, setIncludeMethods

Methods inherited from class org.apache.struts2.interceptor.AbstractInterceptor

destroy, init, setDisabled, shouldIntercept

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

SafeParametersInterceptor

public SafeParametersInterceptor()

Method Details

isAcceptableParameter

protected boolean isAcceptableParameter(String name,
 Object action)

Overrides:

isAcceptableParameter in class org.apache.struts2.interceptor.parameter.ParametersInterceptor