Make XWork ParametersInterceptor safe from parameter injection attacks

Type atlassian
Modified 2019-08-19T23:54:04


The XWork ParametersInterceptor is a security nightmare: it gives user input (submitted form parameters) unfettered access to getter/setter methods on action objects. In addition, the interceptor has been shown in the past to be vulnerable to Unicode attacks. Rather than fight a constant (and often losing) battle to prevent actions from leaking important classes, we should rewrite the parameters interceptor to obey the following rules:

1. Parameter keys will be ignored if they contain characters other than A-Za-z0-9, periods and square brackets.
2. Where a parameter reads a property using dot notation (e.g. ?searchBean.query=blah), the getter method for that property must have the @ActionSafeParameter annotation.
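As an added illustration (not XWork's own code), the two rules above as a single check a rewritten interceptor could apply before touching an action. The @ActionSafeParameter annotation is the one the proposal names, but its definition here, the SearchAction/SearchBean classes and the `isAcceptable` helper are all assumptions made for this example.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.regex.Pattern;

// Hypothetical marker annotation named in the proposal; its real definition is an assumption here.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface ActionSafeParameter {}

// Constructed action for the example: searchBean is opted in, session is not.
class SearchBean { private String query; public String getQuery() { return query; } public void setQuery(String q) { query = q; } }
class SearchAction {
    private final SearchBean searchBean = new SearchBean();
    private final Object session = new Object();
    @ActionSafeParameter public SearchBean getSearchBean() { return searchBean; }
    public Object getSession() { return session; }
}

public class SafeParameterCheck {
    // Rule 1: a key may contain only letters, digits, periods and square brackets (no Unicode tricks).
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9.\\[\\]]+");

    public static boolean isAcceptable(Object action, String key) {
        if (!SAFE_KEY.matcher(key).matches()) return false;
        String[] segments = key.split("\\.");
        Class<?> current = action.getClass();
        // Rule 2: every getter traversed in dot notation must carry @ActionSafeParameter.
        for (int i = 0; i < segments.length - 1; i++) {
            Method getter = findGetter(current, segments[i].replaceAll("\\[.*\\]", ""));
            if (getter == null || !getter.isAnnotationPresent(ActionSafeParameter.class)) return false;
            current = getter.getReturnType();
        }
        return true;
    }

    // Only public, argument-less getXxx() methods are considered; anything else fails closed.
    private static Method findGetter(Class<?> type, String property) {
        if (property.isEmpty()) return null;
        String name = "get" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
        try { return type.getMethod(name); } catch (NoSuchMethodException e) { return null; }
    }

    public static void main(String[] args) {
        SearchAction action = new SearchAction();
        System.out.println(isAcceptable(action, "searchBean.query"));       // dotted access through an annotated getter
        System.out.println(isAcceptable(action, "session.attribute"));      // dotted access through a getter that is not annotated
        System.out.println(isAcceptable(action, "searchBean.qu\u00e9ry"));  // key containing a non-ASCII character
    }
}
```

Note that the check fails closed: an empty segment (`a..b`), a bare index (`[0]`) or a missing getter all reject the key rather than falling through to the setter.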