This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-staging in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-staging by this push: new 63bc6cd39 Updates stage by Jenkins 63bc6cd39 is described below commit 63bc6cd393982825b24a0fa1903458818b1d87a2 Author: jenkins <bui...@apache.org> AuthorDate: Tue Jan 2 08:48:47 2024 +0000 Updates stage by Jenkins --- content/plugins/plugins-architecture.html | 12 +++++++++ content/security/index.html | 41 ++++++++++++++++++++++++++++--- 2 files changed, 50 insertions(+), 3 deletions(-) diff --git a/content/plugins/plugins-architecture.html b/content/plugins/plugins-architecture.html index 02c10f9de..72b5c3a72 100644 --- a/content/plugins/plugins-architecture.html +++ b/content/plugins/plugins-architecture.html @@ -494,6 +494,18 @@ For example, a plugin could provide a new class to create Action classes or map <td>prototype</td> <td>com.opensymphony.xwork2.ognl.SecurityMemberAccess</td> </tr> + <tr> + <td>struts.compoundRootAccessor</td> + <td>Define a custom CompoundRootAccessor implementation, used to resolve classes and manipulate the CompoundRoot (since 6.4.0)</td> + <td>singleton</td> + <td>com.opensymphony.xwork2.ognl.accessor.RootAccessor</td> + </tr> + <tr> + <td>struts.methodAccessor</td> + <td>Define a custom MethodAccessor implementation, used to evaluate OGNL method calls (since 6.4.0)</td> + <td>singleton</td> + <td>ognl.MethodAccessor</td> + </tr> </tbody> </table> diff --git a/content/security/index.html b/content/security/index.html index 8a0841857..6161c56ea 100644 --- a/content/security/index.html +++ b/content/security/index.html 
@@ -172,6 +172,7 @@ </li> <li><a href="#proactively-protecting-against-ognl-expression-injections-attacks" id="markdown-toc-proactively-protecting-against-ognl-expression-injections-attacks">Proactively protecting against OGNL Expression Injections attacks</a> <ul> <li><a href="#run-ognl-expressions-inside-sandbox" id="markdown-toc-run-ognl-expressions-inside-sandbox">Run OGNL expressions inside sandbox</a></li> + <li><a href="#restricting-access-to-the-struts-context-actioncontext" id="markdown-toc-restricting-access-to-the-struts-context-actioncontext">Restricting access to the Struts Context (ActionContext)</a></li> <li><a href="#apply-a-maximum-allowed-length-on-ognl-expressions" id="markdown-toc-apply-a-maximum-allowed-length-on-ognl-expressions">Apply a maximum allowed length on OGNL expressions</a></li> <li><a href="#ognl-member-access" id="markdown-toc-ognl-member-access">OGNL Member Access</a> <ul> <li><a href="#additional-options" id="markdown-toc-additional-options">Additional Options</a></li> 
@@ -465,6 +466,36 @@ state.</p> <p>Note: This feature does not work with JDK 21 and above.</p> +<h3 id="restricting-access-to-the-struts-context-actioncontext">Restricting access to the Struts Context (ActionContext)</h3> + +<p>The Struts ActionContext is a core construct of the Struts framework. It is shared and manipulated throughout the +codebase. From the ActionContext, it is possible to access application parameters, the ‘OgnlValueStack’, the current +request/response/session, the servlet context, the Guice container, and a number of other objects either directly or +indirectly via the directly exposed objects. The Struts ActionContext enables powerful features and functionality, but +it also presents a major security risk if not properly secured.</p> + +<p>The Struts ActionContext is accessible to OGNL expressions. In the case of an OGNL expression exploit, usually achieved +through some form of server-side template injection or parameter injection, the ActionContext is a prime gadget for +escalation of the vulnerability, often to remote code execution (RCE). Whilst known harmful capabilities of the +ActionContext items are blocked by the OGNL Member Access policy exclusion list (see below), this is not always +effective due to the myriad of changing objects available on the ActionContext. The new allowlist capability (also see +below) offers much stronger protection. However, for the strongest level of protection, we recommend disabling access +to the ActionContext from OGNL expressions entirely.</p> + +<p>Note that before disabling access to the ActionContext from OGNL expressions, you should ensure that your application +does not rely on this capability. 
As of Struts 6.4.0, the Set and Action Struts components require this capability.</p> + +<p>To disable access to the ActionContext from OGNL expressions, set the following constants in your <code class="language-plaintext highlighter-rouge">struts.xml</code> or +<code class="language-plaintext highlighter-rouge">struts.properties</code> file. Please also refer to the documentation below for further details on these configuration +options.</p> + +<div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.ognl.valueStackFallbackToContext"</span> <span class="na">value=</span><span class="s">"false"</span><span class="nt">/></span> +<span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.ognl.excludedNodeTypes"</span> <span class="na">value=</span><span class="s">" + ognl.ASTThisVarRef, + ognl.ASTVarRef +"</span><span class="nt">/></span> +</code></pre></div></div> + <h3 id="apply-a-maximum-allowed-length-on-ognl-expressions">Apply a maximum allowed length on OGNL expressions</h3> <p>You can enable this via Struts configuration key <code class="language-plaintext highlighter-rouge">struts.ognl.expressionMaxLength</code> (defaults to 256). OGNL thereupon doesn’t evaluate any 
@@ -513,6 +544,7 @@ with other known dangerous classes or packages in your application.</p> <li><code class="language-plaintext highlighter-rouge">struts.disallowProxyMemberAccess=true</code> - disallow proxied objects from being used in OGNL expressions as they may present a security risk</li> <li><code class="language-plaintext highlighter-rouge">struts.disallowDefaultPackageAccess=true</code> - disallow access to classes in the default package which should not be used in production</li> <li><code class="language-plaintext highlighter-rouge">struts.ognl.disallowCustomOgnlMap=true</code> - disallow construction of custom OGNL maps which can be used to bypass the SecurityMemberAccess policy</li> + <li><code class="language-plaintext highlighter-rouge">struts.ognl.valueStackFallbackToContext=false</code> - disable fallback to OGNL context lookup if expression does not evaluate to a valid value</li> </ul> <h4 id="allowlist-capability">Allowlist Capability</h4> 
@@ -557,10 +589,13 @@ overriding methods as not to reduce protections offered by the default implement <p>The Struts OGNL Guard allows applications to completely disable certain OGNL expression features/capabilities. This feature is disabled by default but can be enabled and configured with <code class="language-plaintext highlighter-rouge">struts.ognl.excludedNodeTypes</code>.</p> -<p>It is recommended to disable any OGNL feature you are not leveraging in your application. For applications using a -minimal number of Struts features, you may find the following list a good starting point.</p> +<p>It is recommended to disable any OGNL feature you are not leveraging in your application.</p> + +<p>For example, if you do not need to use the addition operation in any OGNL expressions, you can add <code class="language-plaintext highlighter-rouge">ognl.ASTAdd</code> to your +excluded node types. This will mitigate against a host of String concatenation attacks.</p> -<p>Please be aware that this list WILL break certain Struts features:</p> +<p>For applications using a minimal number of Struts features, you may find the following list a good starting point. +Please be aware that this list WILL break certain Struts features:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><constant</span> <span class="na">name=</span><span class="s">"struts.ognl.excludedNodeTypes"</span> <span class="na">value=</span><span class="s">"
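Review bot: in the plugins-architecture.html hunk, the two new rows for `struts.compoundRootAccessor` and `struts.methodAccessor` say what the beans do but not that both sit on the OGNL evaluation path, so the caution the security page applies to the default implementation (visible in the context line of the last hunk: "overriding methods as not to reduce protections offered by the default implement...") is not carried over to the extension-point table. Suggest extending each description cell, e.g. "Define a custom MethodAccessor implementation, used to evaluate OGNL method calls; a custom implementation must preserve the checks performed by the default (since 6.4.0)", and cross-referencing the OGNL Member Access section of the security page from both rows.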
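Review bot: in the "Restricting access to the Struts Context (ActionContext)" hunk, the snippet prescribes two constants without saying what each one closes off, so a reader cannot tell whether both are needed: `struts.ognl.valueStackFallbackToContext=false` stops the value stack from resolving a name that did not evaluate against the context, while excluding `ognl.ASTVarRef` and `ognl.ASTThisVarRef` rejects expressions that reference the context explicitly through `#name` or `#this`. Suggest one sentence to that effect before the snippet. The sentence "the Set and Action Struts components require this capability" should also name the affected components concretely (`<s:set>` and `<s:action>`), and the constant value with embedded newlines and leading spaces (`" ognl.ASTThisVarRef, ognl.ASTVarRef "`) depends on the comma-separated parser trimming whitespace; the last hunk uses the same layout so it is presumably supported, but a single-line value would remove any doubt for readers copying it into struts.properties, where a multi-line value needs continuation characters.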
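Review bot: in the "Additional Options" hunk, the new bullet for `struts.ognl.valueStackFallbackToContext=false` omits the functional impact that the ActionContext section added in this same patch states (as of 6.4.0 the Set and Action components require context access), whereas the neighbouring bullets describe settings that can be flipped without breaking framework features, so a reader working only from this list will not expect breakage. Suggest appending "note that the ActionContext restrictions this belongs to break the `<s:set>` and `<s:action>` tags; see the ActionContext section above" to the bullet.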
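Review bot: in the OGNL Guard hunk, the new `ognl.ASTAdd` paragraph presents the exclusion as a mitigation for String concatenation attacks but does not say that `ognl.ASTAdd` is the node for the `+` operator in general, so numeric addition in any OGNL expression (including tag attributes in JSP or FreeMarker templates) stops working as well. Suggest rewording to "if you do not need the `+` operator (string concatenation or numeric addition) in any OGNL expression, you can add `ognl.ASTAdd` to your excluded node types" so the trade-off is explicit before the reader copies the "good starting point" list that follows.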