struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4939) Use securely generated constants
Date Wed, 30 May 2018 05:30:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16494703#comment-16494703 ]

Lukasz Lenart commented on WW-4939:
-----------------------------------

Nope, it was just an example :) Here is a full example:

{code:java}
import java.math.BigInteger;
import java.security.SecureRandom;

    // Cryptographically strong source; one shared instance is fine for this use.
    public static final SecureRandom RANDOM = new SecureRandom();

    // Value is different on every JVM start, so it cannot be hard-coded in an exploit.
    public static final String AUTH_TOKEN = generateUUID();

    // 165 random bits rendered in base 36 (digits and upper-case letters, no dashes).
    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }
{code}

Just one thing: my example generates random strings without dashes; does {{java.util.UUID.randomUUID()}} do the same?

Basically I would hide the implementation behind a static method, something like {{public static String StrutsConstants#generateUUID()}}, to easily switch to different logic if needed.

> Use securely generated constants
> --------------------------------
>
>                 Key: WW-4939
>                 URL: https://issues.apache.org/jira/browse/WW-4939
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Critical
>             Fix For: 2.6
>
>
> Right now all the constants are well known and can be used in exploits, i.e. {{public static final String ACTION_MAPPING = "struts.actionMapping";}}
> Instead of using string literals we should generate random strings at runtime to avoid using literals directly in exploits. Users can still use the constants in their code but not in dynamic expressions.
> {code:java}
>     public static final String AUTH_TOKEN = generateUUID();
>     public static String generateUUID() {
>         return new BigInteger(165, RANDOM).toString(36).toUpperCase();
>     }
> {code}
> This will probably break backward compatibility but using string literals instead of the constants by the users is a bad practice anyway.
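The following is an added, stand-alone illustration of the approach discussed in this thread; it is not code from the ticket or from Struts. It generates a constant name the way the comment above does ({{BigInteger(165, RANDOM).toString(36)}}), generates the same kind of dash-free value from {{java.util.UUID.randomUUID()}} to answer the question about dashes, and wraps one constant in a hypothetical {{StrutsConstants}} holder so the effect of a per-JVM random value is visible. The class and method names {{RandomConstantsDemo}}, {{generateUuidWithoutDashes}} and the inner {{StrutsConstants}} are assumptions for the example.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.UUID;

/**
 * Added example (not Struts code): runtime-generated constant names as proposed
 * in WW-4939, next to a java.util.UUID based variant for comparison.
 */
public final class RandomConstantsDemo {

    // One shared, cryptographically strong generator for the whole JVM.
    private static final SecureRandom RANDOM = new SecureRandom();

    // 165 random bits in base 36 (0-9, A-Z). 36^32 > 2^165, so the result is at most
    // 32 characters; BigInteger does not zero-pad, so it is shorter when the high
    // bits happen to be zero. Upper-cased, and never contains a dash.
    public static String generateUUID() {
        return new BigInteger(165, RANDOM).toString(36).toUpperCase();
    }

    // The JDK alternative asked about above: a version-4 UUID carries 122 random
    // bits and renders as 36 characters WITH four dashes; strip them to get a
    // fixed-width 32-character hex string. (Name is an assumption of this example.)
    public static String generateUuidWithoutDashes() {
        return UUID.randomUUID().toString().replace("-", "").toUpperCase();
    }

    // Hypothetical holder in the shape the ticket suggests: callers keep using the
    // Java constant, but the string behind it is unpredictable and cannot be
    // embedded as a literal in a dynamic expression supplied by an attacker.
    public static final class StrutsConstants {
        public static final String ACTION_MAPPING = generateUUID();

        private StrutsConstants() {
        }
    }

    // Reviewer-style sanity checks on the generated value: allowed charset,
    // bounded length, and no dashes.
    static void check(String value, String charsetRegex, int maxLen) {
        if (!value.matches(charsetRegex + "{1," + maxLen + "}")) {
            throw new IllegalStateException("unexpected token: " + value);
        }
        if (value.indexOf('-') >= 0) {
            throw new IllegalStateException("token contains a dash: " + value);
        }
    }

    public static void main(String[] args) {
        String base36 = generateUUID();
        String hex = generateUuidWithoutDashes();

        check(base36, "[0-9A-Z]", 32);
        check(hex, "[0-9A-F]", 32);

        System.out.println("BigInteger(165).toString(36): " + base36
                + " (" + base36.length() + " chars, 165 random bits)");
        System.out.println("UUID.randomUUID() no dashes : " + hex
                + " (" + hex.length() + " chars, 122 random bits)");
        // Different on every run: this is the property that breaks string-literal
        // callers and also breaks literal-based dynamic expressions.
        System.out.println("ACTION_MAPPING this JVM     : " + StrutsConstants.ACTION_MAPPING);
    }
}
```

Run it with {{java RandomConstantsDemo.java}} (JDK 11+) and run it twice: {{ACTION_MAPPING}} changes between runs, which is exactly why existing code that compares against the literal {{"struts.actionMapping"}} stops working while code that references the Java constant keeps working. Both generators are backed by {{SecureRandom}} ({{UUID.randomUUID()}} uses one internally), so the choice between them is about width and formatting: the base-36 form packs more bits into the same 32 characters, the UUID form gives a fixed-width hex string familiar to tooling.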



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
