Simple login action extending Action fails with 1.0.1-SNAPSHOT

[ilatypov]

A test of a simple Struts 1 application extending Action

https://github.com/julianvilas/rooted2k15/tree/master/struts-tester/struts1/struts1.struts1-helloworld-0.0.1-SNAPSHOT/src/main/java/com/vaannila

worked without the filter but showed no input with the 1.0.1-SNAPSHOT filter. My test consisted of submitting good (userName=foobar, password=foobar) and bad (userName=foobar, password=foobar2) inputs and expecting the respective displays of success.jsp and failure.jsp.

Using Alberto Fernández's maintenance branch of Struts 1 which included the fix in ActionServlet and the fix in RequestUtils protected against the RCE/Tomcat attack and held water with the form submission test of expected and unexpected benign inputs.

My guesses at how Struts 1 could fail with the filter and my attempts at addressing these guesses did not show improvements in the test.

[ilatypov]

Correction: it was the post-1.0.0 change that broke the filter's parameter processing.

af634ac?w=1

Before the change, request.getParameterNames() fetched parameters but consumed the request body; overriding getInputStream() in the wrapper was useless because request.getParameterNames() parses query string and body parameters. After the change the body is made available by the wrapper but super.getParameterNames() does not rely on the wrapper's getInputStream(), using the wrapped request.getInputStream().

The "either encapsulation or polymorphism" deficiency seems due to Java's statically compiled nature.

To sum up, the release 1.0.0 of the filter works (save for possible encoding issues in #2 and false positives in parameter values). It seems Alberto Fernández's maintenance releases such as com.github.albfernandez.struts:struts-core:1.3.10-ayg-07 et al. are free of the deficiencies, protecting against the RCE ".class." attack.

The mass assignment of business-sensitive fields (IDOR) needs addressing by a white-listing technique such as defining dedicated Data Transfer Objects.