This is an automated email from the ASF dual-hosted git repository.

kusal pushed a commit to branch WW-5339-ognl-map
in repository https://gitbox.apache.org/repos/asf/struts-site.git
commit 329b83ffaab6e314d699a54a2eccd0dcb2a99158
Author: Kusal Kithul-Godage <g...@kusal.io>
AuthorDate: Tue Dec 5 17:34:22 2023 +1100

    WW-5339 Document new OGNL security options
---
 source/security/index.md | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/source/security/index.md b/source/security/index.md
index 4cd785f09..50f6b9597 100644
--- a/source/security/index.md
+++ b/source/security/index.md
@@ -315,8 +315,6 @@ There are 4 options that can be used to configure excluded 
packages and classes:
 
 The defaults are defined 
[here](https://github.com/apache/struts/blob/master/core/src/main/resources/struts-excluded-classes.xml).
 
-Additionally, static methods are blocked, and static fields can also be 
blocked with 'struts.allowStaticFieldAccess'.
-
 Any expression or target which does not pass this criteria will be blocked, 
and you will see a warning in the logs:
 
 ```
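Review bot: the sentence removed in this hunk spells the property as `struts.allowStaticFieldAccess`, while the bullet that replaces it further down in the same commit uses `struts.ognl.allowStaticFieldAccess`; check which key the code actually reads and use that spelling in the new list, and if the older name is still accepted as an alias, say so instead of dropping it silently, otherwise readers copying the old docs will set a constant that is never consulted. The removal itself is fine, since the statement that static methods are always blocked and static fields can optionally be blocked survives in the new "Additional Options" list.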
@@ -329,6 +327,15 @@ of such expression is `java.lang.Class` which is excluded.
 It is possible to redefine the above constants in `struts.xml`, but avoid 
reducing the list, instead extending the list
 with other known dangerous classes or packages in your application.
 
+#### Additional Options
+
+We additionally recommend enabling the following options and hope to enable 
them by default in a future major version.
+
+ * `struts.ognl.allowStaticFieldAccess=false` - static methods are always 
blocked, but static fields can also optionally be blocked
+ * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from 
being used in OGNL expressions as they may present a security risk
+ * `struts.disallowDefaultPackageAccess=true` - disallow access to classes in 
the default package which should not be used in production
+ * `struts.ognl.disallowCustomOgnlMap=true` - disallow construction of custom 
OGNL maps which can be used to bypass the SecurityMemberAccess policy
+
 #### Allowlist Capability
 
 > Note: since Struts 6.4.

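Review bot: the four bullets added under "Additional Options" carry no version information and no example of how to set them, so a reader on an older release could add `struts.ognl.disallowCustomOgnlMap=true` (the option this ticket introduces) and get a silent no-op. The "Allowlist Capability" section that follows already uses a `> Note: since Struts 6.4.` callout; give this section the same callout for the options that are new, and show the `struts.xml` form, e.g. `<constant name="struts.ognl.disallowCustomOgnlMap" value="true" />`, so the recommendation is copy-pasteable. It would also help to state which of the four currently default to the permissive value, since "hope to enable them by default in a future major version" implies all of them do, and to say in the `struts.disallowProxyMemberAccess` bullet what the risk from proxied objects actually is rather than "may present a security risk".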