Struts 2 insecure direct object reference – part 2 – ParameterNameAware

I discussed security issues in a previous post regarding malicious HTTP request parameters injecting data into a Struts 2 application. Jon pointed out an interface I had forgotten about, ParameterNameAware.

How this works is quite simple. Your action class implements ParameterNameAware, and in the acceptableParameterName(String parameterName) method you return true only if the client is allowed to set the given parameter. The ParametersInterceptor calls this method for every request parameter before it is applied, so a parameter for which the method returns false is never set on the action or its model. A modified version of BadAction2 from the previous post is presented below:

// Modified from BadAction2
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.ModelDriven;
import com.opensymphony.xwork2.Preparable;
import org.apache.struts2.interceptor.ParameterNameAware;

public class GoodAction extends ActionSupport implements Preparable, ModelDriven<Address>, ParameterNameAware {
  private Address oldAddress;
  private Address address = new Address();

  // prepare() runs before the params interceptor in the default stack, so
  // oldAddress is populated from the session, never from the request.
  public void prepare() {
    Address current = (Address) ActionContext.getContext().getSession().get("address");
    // Assumes Address implements Cloneable with a public clone(); on the first
    // visit there is no stored address yet, so guard against null.
    oldAddress = (current == null) ? null : current.clone();
  }

  public String execute() {
    ActionContext.getContext().getSession().put("address", address);
    return SUCCESS;
  }

  // ModelDriven: request parameters such as street or city bind to this object.
  public Address getModel() {
    return address;
  }

  public Address getOldAddress() {
    return oldAddress;
  }

  // Called by ParametersInterceptor for each request parameter name; a false
  // return means the parameter is not applied to the action or model.
  public boolean acceptableParameterName(String parameterName) {
    // A whitelist would be better, but this illustrates the concept.
    // matches() must match the whole name, so "oldAddress", "oldAddress.city"
    // and "oldAddress['city']" are all rejected.
    return !parameterName.matches("oldAddress.*");
  }
}

// Address class contains street, city, state, zip, etc.

This would allow the client to set street, city, etc., but parameters such as oldAddress or oldAddress.city would be ignored. Two caveats: acceptableParameterName is evaluated in addition to the interceptor's own parameter-name checks (excludeParams and the acceptable-name pattern), so a parameter must pass both; and because this version is a denylist, any other property the action exposes remains settable, which is why an allowlist of the model's own fields is the safer default.
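As an added example (not code from the original post), the allowlist the comment in GoodAction asks for, written as a standalone policy class so it can be run without a Struts deployment. It assumes the Address model exposes exactly the properties street, city, state and zip (the post only says "street, city, state, zip, etc."); the class name AddressParameterPolicy and the sample parameter names in main are constructed for illustration. The denylist from the post is kept alongside it so the two decisions can be compared on the same input.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Allowlist policy for the Address model bound by GoodAction.
 * Added example, not part of the original post. Assumes the model's
 * bindable properties are exactly street, city, state and zip.
 */
public final class AddressParameterPolicy {

    /** The only request parameter names the client is allowed to set. */
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("street", "city", "state", "zip")));

    /** Allowlist: exact match against the bindable model properties, nothing else. */
    public static boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ALLOWED.contains(parameterName);
    }

    /** The denylist from the post, reproduced here only for comparison. */
    static boolean denylistAcceptableParameterName(String parameterName) {
        return parameterName != null && !parameterName.matches("oldAddress.*");
    }

    /** Evaluates both policies over the given names; insertion order is preserved. */
    public static Map<String, String> compare(Iterable<String> parameterNames) {
        Map<String, String> decisions = new LinkedHashMap<>();
        for (String name : parameterNames) {
            String denylist = denylistAcceptableParameterName(name) ? "accept" : "reject";
            String allowlist = acceptableParameterName(name) ? "accept" : "reject";
            decisions.put(name, "denylist=" + denylist + " allowlist=" + allowlist);
        }
        return decisions;
    }

    public static void main(String[] args) {
        // Constructed parameter names, as a client might submit them.
        Iterable<String> names = Arrays.asList(
                "street", "city", "zip",          // legitimate model properties
                "oldAddress", "oldAddress.city",  // what the post's denylist blocks
                "oldAddress['city']",             // OGNL index form, also blocked by matches()
                "oldAddressHistory",              // blocked too: the regex anchors the whole name
                "model.street",                   // passes the denylist, not a model field name
                "someOtherProperty");             // passes the denylist, rejected by the allowlist
        for (Map.Entry<String, String> e : compare(names).entrySet()) {
            System.out.printf("%-22s %s%n", e.getKey(), e.getValue());
        }
    }
}
```

To use it in the action, GoodAction.acceptableParameterName simply delegates: return AddressParameterPolicy.acceptableParameterName(parameterName). The output of main shows the difference the post's comment alludes to: both policies reject every oldAddress variant, but only the allowlist rejects names such as model.street or someOtherProperty that the denylist never considered. If the model later gains indexed or nested properties, extend ALLOWED with the exact names (or anchored patterns) you intend to expose, rather than widening it to a prefix match.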
