Does the ModelDriven interface pose a security exploit in struts2?

Views: 118

Problem description

background: I coded a struts2 ActionSupport class with ModelDriven. It's a hibernate/spring web app, using OSIV and attached entities in the view (JSP).

I received this email today from the architect 'punishing' me for putting an object that had a reference to an attached entity on the struts2 valuestack via the ModelDriven<E> interface. Is he correct or what? Obviously, this is a serious thing I am doing but I am not following what he is saying, and I really don't feel like taking up his offer and visiting him at his desk after this. oh boy. Time to change careers.

--- from the architect ---

Billy, as we previously discussed, you are still making the same mistakes in your code over and over again. This is the fourth time you have made this error and I'm concerned about the quality of your work. It's one thing to make this once or even twice, but after the fourth time, I am wondering if you are unable to comprehend what I am saying. The following will spell it out for you. If you don't get it after reading this email, then come to my desk and we'll go over it. This has to stop immediately, and I want all your code refactored before the end of the day correcting this mistake. If any code like this bleeds into production, we'll have a serious security problem on our hands. Also note that I am copying Dave on this so that a proper reprimand can be issued. I am also going to recommend to Dave that you be moved from a Level III to Level II developer. Read the following and please learn it, and refactor all your code as I've indicated.

About the binding objects:

When a Struts2 action class is marked with the ModelDriven interface, the model will be bound to the form elements in the HTML page. For example, if an HTML form has a field called userName and an action class is defined as:

public class UserAction extends ActionSupport implements ModelDriven

And UserModel is a POJO as follows:

public class UserModel {
  private String userName;

  public String getUserName() {
      return userName;
  }

  public void setUserName(String userName) { 
      this.userName = userName;
  }
}

When the form is submitted, as long as the Action contains an instance of UserModel, struts2 will bind the field userName to UserModel.userName, automagically populating the value.

This simplicity has a high cost for malicious users, however. If an object is declared as ModelDriven, the end-user, the browsing user that is, has access to the model's graph via the model's setters. Take this case for example:

public class UserAction extends ActionSupport implements ModelDriven

and...

public class UserModel {
  private String userName;
  private UserEntity userEntity;   // attached Hibernate entity, reachable through the getter below

  public String getUserName() {
      return userName;
  }

  public void setUserName(String userName) {
      this.userName = userName;
  }

  public UserEntity getUserEntity() {
      return userEntity;
  }
}

and...

import javax.persistence.Entity;   // JPA annotation (assumed; the post only shows @Entity)

@Entity
public class UserEntity {
  private String password;

  public String getPassword() {
      return password;
  }

  public void setPassword(String password) {
      this.password = password;
  }
}

assuming the OSIV pattern is being used, and the entity UserEntity is attached.

A crafty user with a bit of foreknowledge or time on his hands may:

/myform?userName=billy&userEntity.password=newpassword

assuming the Entity is saved at the end of the session, the above results in changing billy's password.

The point is, the object graph is available!

When using ModelDriven, and using the alternative is a horrible approach, you must define fine grained models that are placed on the valuestack, and then copy from the model to the target object before sending the response and allowing the transaction to commit.
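The following is an added, self-contained illustration of the point the email makes; it is not the poster's code, nor Struts or OGNL. The three classes are constructed stand-ins for the ones quoted above (UserEntity is given an extra userName field so the final copy step has something to copy), and bind() is a toy imitation of dotted-path parameter binding that resolves every segment but the last through a getter and the last through a String setter. Run as a plain Java program, it shows the nested write "userEntity.password" reaching the attached entity through UserModel, the same write finding no path through a fine-grained UserForm, and the explicit copy from form to entity that the email asks for.

```java
import java.lang.reflect.Method;

/* Constructed stand-ins for the question's three classes; added example,
 * not the poster's code. */
class UserEntity {
    private String userName;
    private String password = "original-secret";
    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

/* The model from the question: its getter hands out the attached entity,
 * so every writable property of that entity is reachable by a dotted name. */
class UserModel {
    private String userName;
    private UserEntity userEntity = new UserEntity();
    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
    public UserEntity getUserEntity() { return userEntity; }
}

/* The fine-grained model the architect asks for: only the fields the form
 * may populate, and no reference to any persistent object. */
class UserForm {
    private String userName;
    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
}

public class ModelGraphDemo {

    /* Toy imitation of dotted-path binding (not OGNL, not the Struts
     * ParametersInterceptor). Returns true when the value was written and
     * false when the path cannot be resolved on this object graph. */
    static boolean bind(Object root, String path, String value) throws ReflectiveOperationException {
        String[] segments = path.split("\\.");
        Object current = root;
        for (int i = 0; i < segments.length - 1; i++) {
            Method getter = lookup(current.getClass(), "get" + capitalize(segments[i]));
            if (getter == null) return false;
            current = getter.invoke(current);
            if (current == null) return false;
        }
        Method setter = lookup(current.getClass(),
                "set" + capitalize(segments[segments.length - 1]), String.class);
        if (setter == null) return false;
        setter.invoke(current, value);
        return true;
    }

    static Method lookup(Class<?> type, String name, Class<?>... params) {
        try {
            return type.getMethod(name, params);
        } catch (NoSuchMethodException e) {
            return null;   // no such getter/setter: the path is unreachable
        }
    }

    static String capitalize(String s) {
        return Character.toUpperCase(s.charAt(0)) + s.substring(1);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // 1. Exposed graph: the nested parameter from the email reaches the entity.
        UserModel exposed = new UserModel();
        bind(exposed, "userName", "billy");
        boolean reached = bind(exposed, "userEntity.password", "newpassword");
        System.out.println("UserModel: nested write applied=" + reached
                + ", entity password now=" + exposed.getUserEntity().getPassword());

        // 2. Fine-grained model: the same request has nowhere to go.
        UserForm form = new UserForm();
        bind(form, "userName", "billy");
        boolean rejected = !bind(form, "userEntity.password", "newpassword");
        System.out.println("UserForm: nested write rejected=" + rejected);

        // 3. Copy only the intended field onto the entity, after validation
        //    and before the transaction is allowed to commit.
        UserEntity entity = new UserEntity();
        entity.setUserName(form.getUserName());
        System.out.println("entity userName=" + entity.getUserName()
                + ", password still=" + entity.getPassword());
    }
}
```

The demo deliberately uses its own reflection walker rather than OGNL so that it runs without Struts on the classpath; the shape of the risk is the same either way: whatever the model's getters can reach, a request parameter can name, and with OSIV keeping the entity attached the write is flushed at the end of the request.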

Solution

Your architect is right, putting objects with access to sensitive information on the ValueStack poses a potential security risk. A malicious user could indeed reset the password with the above attack.

BUT:

Since he is an architect he should have designed ways for proper validation/restriction of input parameters. Using the ParamsInterceptor in Struts2 it's fairly easy to only allow specific parameters to be passed to an action. Thus, it's not your work that sucks, it's your system's architecture. Developers should be able to focus on implementing business logic. The infrastructure must be provided by the architect.

Cheers,

w
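As an added example of the parameter restriction the answer suggests (not code from the question or the answer), this action implements Struts 2's ParameterNameAware so that the params interceptor asks the action, for every request parameter, whether the name is acceptable. It assumes the UserModel class from the question is on the classpath and uses the com.opensymphony.xwork2 package names of Struts 2.x.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.ModelDriven;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/* Added example; UserModel is the class posted in the question. */
public class UserAction extends ActionSupport implements ModelDriven<UserModel>, ParameterNameAware {

    /* Exact parameter names this action accepts. Anything else, including
     * navigational names such as "userEntity.password", is skipped by the
     * params interceptor before it can touch the model. */
    private static final Set<String> ACCEPTED_PARAMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("userName")));

    private final UserModel model = new UserModel();

    @Override
    public UserModel getModel() {
        return model;
    }

    /* Invoked by ParametersInterceptor for each parameter when the action
     * implements ParameterNameAware; returning false drops that parameter. */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return ACCEPTED_PARAMS.contains(parameterName);
    }

    @Override
    public String execute() {
        // Only userName can have been populated by the time execute() runs.
        return SUCCESS;
    }
}
```

This is a per-action gate and complements, rather than replaces, the fine-grained model the architect describes: the allow list stops the nested write at the interceptor, while a model without entity references means there is nothing sensitive to reach even if a name slips through.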
