fix(rest-plugin): enforce @StrutsParameter in JacksonJsonHandler.toObject() #1652
Open
tranquac wants to merge 1 commit into apache:main from
Conversation
…ject()

JacksonJsonHandler.toObject() uses ObjectMapper.readerForUpdating(target) to merge JSON request body directly into the action object, bypassing the @StrutsParameter annotation check that ParametersInterceptor enforces for URL parameters. This allows mass assignment of unannotated properties via REST JSON request body.

When struts.parameters.requireAnnotations is enabled, deserialize JSON into a map first, then filter properties by @StrutsParameter annotation on the target's setter methods before setting them. Only annotated setters are populated, consistent with ParametersInterceptor behavior. When requireAnnotations is disabled, preserve the original unrestricted readerForUpdating() merge for backwards compatibility.
Summary
JacksonJsonHandler.toObject() in the struts2-rest-plugin uses ObjectMapper.readerForUpdating(target).readValue(reader) to merge JSON request body directly into the action object. Jackson sets any field with a matching setter, completely bypassing the @StrutsParameter annotation check that ParametersInterceptor enforces for URL parameters. This enables mass assignment of unannotated properties via REST JSON request body.
Changes
When struts.parameters.requireAnnotations is enabled, deserialize JSON into a map first, then filter properties against the @StrutsParameter annotation on the target class's setter methods before setting them. When disabled, preserve the original readerForUpdating() merge for backwards compatibility.
Impact
Without this fix:
With this fix, both pathways consistently enforce @StrutsParameter.
Test
A PoC application with 9 test cases demonstrates the bypass using an OrderAction with annotated (setItemName, setQuantity) and unannotated (setUnitPrice, setDiscount, setApproved, setInternalNote) setters. JSON body sets unitPrice from 99.99 to 0.01 and approved to true before the fix.
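The following is an added, self-contained illustration of the two binding paths the PR describes (the unrestricted readerForUpdating() merge versus a map-first merge gated on the setter annotation). It is not the PR's own code and not the struts2-rest-plugin implementation: the StrutsParameter annotation below is a stand-in defined inline so the file compiles on its own (the real annotation ships with Struts itself), the OrderAction class and the JSON body are constructed to match the PoC described above, the rejected-properties map returned by mergeAnnotatedOnly is this example's own design choice, and the requireAnnotations flag is passed in directly rather than read from struts.parameters.requireAnnotations.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

public class AnnotatedJsonBinding {

    // Stand-in for Struts' @StrutsParameter (assumption: shape only, defined here so the
    // example compiles without the Struts jars).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface StrutsParameter {}

    // Constructed target modelled on the OrderAction from the PoC description.
    public static class OrderAction {
        private String itemName;
        private int quantity;
        private double unitPrice = 99.99;   // server-controlled, must not be client-settable
        private boolean approved = false;   // server-controlled, must not be client-settable

        @StrutsParameter public void setItemName(String v) { itemName = v; }
        @StrutsParameter public void setQuantity(int v) { quantity = v; }
        public void setUnitPrice(double v) { unitPrice = v; }   // unannotated
        public void setApproved(boolean v) { approved = v; }    // unannotated

        public String getItemName() { return itemName; }
        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
        public boolean isApproved() { return approved; }
    }

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Dispatcher mirroring the behaviour the PR describes: gate on the toggle.
    public static Map<String, Object> toObject(Object target, String json, boolean requireAnnotations)
            throws Exception {
        if (requireAnnotations) {
            return mergeAnnotatedOnly(target, json);
        }
        mergeUnrestricted(target, json);
        return new HashMap<>();
    }

    // Original behaviour: Jackson invokes every setter that matches a JSON property.
    public static void mergeUnrestricted(Object target, String json) throws Exception {
        MAPPER.readerForUpdating(target).readValue(json);
    }

    // Hardened behaviour: read the body into a map, then only call annotated setters.
    // Returns the properties that were dropped, which is useful for logging/detection.
    public static Map<String, Object> mergeAnnotatedOnly(Object target, String json) throws Exception {
        Map<String, Object> body = MAPPER.readValue(json, new TypeReference<Map<String, Object>>() {});
        Map<String, Method> allowed = collectAnnotatedSetters(target.getClass());
        Map<String, Object> rejected = new HashMap<>();
        for (Map.Entry<String, Object> e : body.entrySet()) {
            Method setter = allowed.get(e.getKey());
            if (setter == null) {
                rejected.put(e.getKey(), e.getValue());
                continue;
            }
            // convertValue reuses Jackson's coercion so "5" -> int etc. behaves as before.
            Object converted = MAPPER.convertValue(e.getValue(), setter.getParameterTypes()[0]);
            setter.invoke(target, converted);
        }
        return rejected;
    }

    // Build the allow-list: property name -> public single-argument setter carrying the annotation.
    private static Map<String, Method> collectAnnotatedSetters(Class<?> type) {
        Map<String, Method> result = new HashMap<>();
        for (Method m : type.getMethods()) {
            String name = m.getName();
            if (m.getParameterCount() == 1 && name.startsWith("set") && name.length() > 3
                    && m.isAnnotationPresent(StrutsParameter.class)) {
                String property = Character.toLowerCase(name.charAt(3)) + name.substring(4);
                result.put(property, m);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body: the two unannotated properties are the mass-assignment attempt.
        String body = "{\"itemName\":\"widget\",\"quantity\":2,\"unitPrice\":0.01,\"approved\":true}";

        OrderAction unrestricted = new OrderAction();
        toObject(unrestricted, body, false);
        System.out.println("requireAnnotations=false: unitPrice=" + unrestricted.getUnitPrice()
                + " approved=" + unrestricted.isApproved());

        OrderAction gated = new OrderAction();
        Map<String, Object> dropped = toObject(gated, body, true);
        System.out.println("requireAnnotations=true:  unitPrice=" + gated.getUnitPrice()
                + " approved=" + gated.isApproved() + " rejected=" + dropped.keySet());
    }
}
```

With the toggle off, the first run shows unitPrice overwritten to 0.01 and approved flipped to true; with it on, both keep their defaults and the rejected map names the two properties the request tried to set, which is the signal a deployment would want to log. The allow-list is derived only from public setters here; a production implementation would also need to decide how nested and indexed properties are handled, which this example does not cover.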