Class ParametersInterceptor

All Implemented Interfaces:
Serializable, ConditionalInterceptor, Interceptor
Direct Known Subclasses:
ActionMappingParametersInterceptor

public class ParametersInterceptor extends MethodFilterInterceptor
This interceptor sets all parameters on the value stack.
See Also:
  • Field Details

    • PARAM_NAME_MAX_LENGTH

      protected static final int PARAM_NAME_MAX_LENGTH
      See Also:
    • ordered

      protected boolean ordered
    • requireAnnotations

      protected boolean requireAnnotations
    • requireAnnotationsTransitionMode

      protected boolean requireAnnotationsTransitionMode
    • threadAllowlist

      protected ThreadAllowlist threadAllowlist
  • Constructor Details

    • ParametersInterceptor

      public ParametersInterceptor()
  • Method Details

    • setValueStackFactory

      public void setValueStackFactory(ValueStackFactory valueStackFactory)
    • setThreadAllowlist

      public void setThreadAllowlist(ThreadAllowlist threadAllowlist)
    • setDevMode

      public void setDevMode(String mode)
    • setRequireAnnotations

      public void setRequireAnnotations(String requireAnnotations)
    • setRequireAnnotationsTransitionMode

      public void setRequireAnnotationsTransitionMode(String transitionMode)
      When 'Transition Mode' is enabled, parameters that are not 'nested' will be accepted without annotations. What this means in practice is that all public setters on an Action will be exposed for parameter injection again, and only 'nested' parameters, i.e. public getters on an Action, will require annotations.

      In this mode, the OGNL auto-allowlisting capability is not degraded in any way, and as such, it offers a convenient option for applications to enable the OGNL allowlist capability whilst they work through the process of annotating all their Action parameters.

    • setExcludedPatterns

      public void setExcludedPatterns(ExcludedPatternsChecker excludedPatterns)
    • setAcceptedPatterns

      public void setAcceptedPatterns(AcceptedPatternsChecker acceptedPatterns)
    • setDynamicMethodInvocation

      protected void setDynamicMethodInvocation(String dmiEnabled)
    • setParamNameMaxLength

      public void setParamNameMaxLength(int paramNameMaxLength)
      If the param name exceeds the configured maximum length it will not be accepted.
      Parameters:
      paramNameMaxLength - Maximum length of param names
    • doIntercept

      public String doIntercept(ActionInvocation invocation) throws Exception
      Description copied from class: MethodFilterInterceptor
      Subclasses must override to implement the interceptor logic.
      Specified by:
      doIntercept in class MethodFilterInterceptor
      Parameters:
      invocation - the action invocation
      Returns:
      the result of invocation
      Throws:
      Exception - in case of any errors
    • retrieveParameters

      protected HttpParameters retrieveParameters(ActionContext actionContext)
      Gets the parameter map to apply from wherever appropriate
      Parameters:
      actionContext - The action context
      Returns:
      The parameter map to apply
    • addParametersToContext

      protected void addParametersToContext(ActionContext ac, Map<String,?> newParams)
      Adds the parameters into context's ParameterMap

      In this class this is a no-op, since the parameters were fetched from the same location. In subclasses both this and retrieveParameters(org.apache.struts2.ActionContext) should be overridden.

      Parameters:
      ac - The action context
      newParams - The parameter map to apply
    • applyParameters

      protected void applyParameters(Object action, ValueStack stack, HttpParameters parameters)
    • batchApplyReflectionContextState

      protected void batchApplyReflectionContextState(Map<String,Object> context, boolean value)
    • toNewStack

      protected ValueStack toNewStack(ValueStack stack)
    • applyMemberAccessProperties

      protected void applyMemberAccessProperties(ValueStack stack)
    • toAcceptableParameters

      protected Map<String,Parameter> toAcceptableParameters(HttpParameters parameters, Object action)
    • initParameterMap

      protected Map<String,Parameter> initParameterMap()
    • initNewHttpParameters

      protected HttpParameters initNewHttpParameters(HttpParameters parameters)
    • applyParametersOnStack

      protected void applyParametersOnStack(ValueStack stack, Map<String,Parameter> parameters, Object action)
    • notifyDeveloperParameterException

      protected void notifyDeveloperParameterException(Object action, String property, String message)
    • isAcceptableParameter

      protected boolean isAcceptableParameter(String name, Object action)
      Checks if name of parameter can be accepted or thrown away
      Parameters:
      name - parameter name
      action - current action
      Returns:
      true if parameter is accepted
    • isAcceptableParameterNameAware

      protected boolean isAcceptableParameterNameAware(String name, Object action)
    • isParameterAnnotatedAndAllowlist

      protected boolean isParameterAnnotatedAndAllowlist(String name, Object action)
      Checks if the Action class member corresponding to a parameter is appropriately annotated with StrutsParameter and OGNL allowlists any necessary classes.

      Note that this logic relies on the use of DefaultAcceptedPatternsChecker.NESTING_CHARS and may also be adversely impacted by the use of custom OGNL property accessors.

    • hasValidAnnotatedMember

      protected boolean hasValidAnnotatedMember(String rootProperty, Object action, long paramDepth)
      Note that we check for a public field last or only if there is no valid, annotated property descriptor. This is because this check is likely to fail more often than not, as the relative use of public fields is low - so we save computation by checking this last.
    • hasValidAnnotatedPropertyDescriptor

      protected boolean hasValidAnnotatedPropertyDescriptor(Object action, PropertyDescriptor propDesc, long paramDepth)
    • allowlistReturnTypeIfParameterized

      protected void allowlistReturnTypeIfParameterized(Method method)
    • allowlistParameterizedTypeArg

      protected void allowlistParameterizedTypeArg(Type genericType)
    • allowlistParamType

      protected void allowlistParamType(Type paramType)
    • allowlistClass

      protected void allowlistClass(Class<?> clazz)
    • hasValidAnnotatedField

      protected boolean hasValidAnnotatedField(Object action, String fieldName, long paramDepth)
    • allowlistFieldIfParameterized

      protected void allowlistFieldIfParameterized(Field field)
    • getPermittedInjectionDepth

      protected int getPermittedInjectionDepth(AnnotatedElement element)
      Returns:
      permitted injection depth where -1 indicates not permitted
    • getParameterAnnotation

      protected StrutsParameter getParameterAnnotation(AnnotatedElement element)
      Annotation retrieval logic. Can be overridden to support extending annotations or some other form of annotation inheritance.
    • getBeanInfo

      protected BeanInfo getBeanInfo(Object action)
    • isAcceptableParameterValue

      protected boolean isAcceptableParameterValue(Parameter param, Object action)
      Checks if parameter value can be accepted or thrown away
      Parameters:
      param - the parameter
      action - current action
      Returns:
      true if parameter is accepted
    • isAcceptableParameterValueAware

      protected boolean isAcceptableParameterValueAware(Parameter param, Object action)
    • getOrderedComparator

      protected Comparator<String> getOrderedComparator()
      Gets an instance of the comparator to use for the ordered sorting. Override this method to customize the ordering of the parameters as they are set to the action.
      Returns:
      A comparator to sort the parameters
    • getParameterLogMap

      protected String getParameterLogMap(HttpParameters parameters)
    • isAcceptableName

      protected boolean isAcceptableName(String name)
      Validates the name passed is: * Within the max length of a parameter name * Is not excluded * Is accepted
      Parameters:
      name - - Name to check
      Returns:
      true if accepted
    • isAcceptableValue

      protected boolean isAcceptableValue(String name, String value)
      Validates: * Value is null/blank * Value is not excluded * Value is accepted
      Parameters:
      name - - Param name (for logging)
      value - - value to check
      Returns:
      true if accepted
    • isWithinLengthLimit

      protected boolean isWithinLengthLimit(String name)
    • isAccepted

      protected boolean isAccepted(String paramName)
    • isExcluded

      protected boolean isExcluded(String paramName)
    • isParamValueExcluded

      protected boolean isParamValueExcluded(String value)
    • isParamValueAccepted

      protected boolean isParamValueAccepted(String value)
    • isOrdered

      public boolean isOrdered()
      Whether to order the parameters or not
      Returns:
      True to order
    • setOrdered

      public void setOrdered(boolean ordered)
      Set whether to order the parameters by object depth or not
      Parameters:
      ordered - True to order them
    • setAcceptParamNames

      public void setAcceptParamNames(String commaDelim)
      Sets a comma-delimited list of regular expressions to match parameters that are allowed in the parameter map (aka whitelist).

      Don't change the default unless you know what you are doing in terms of security implications.

      Parameters:
      commaDelim - A comma-delimited list of regular expressions
    • setExcludeParams

      public void setExcludeParams(String commaDelim)
      Sets a comma-delimited list of regular expressions to match parameters that should be removed from the parameter map.
      Parameters:
      commaDelim - A comma-delimited list of regular expressions
    • setAcceptedValuePatterns

      public void setAcceptedValuePatterns(String commaDelimitedPatterns)
      Sets a comma-delimited list of regular expressions to match values of parameters that should be accepted and included in the parameter map.
      Parameters:
      commaDelimitedPatterns - A comma-delimited set of regular expressions
    • setExcludedValuePatterns

      public void setExcludedValuePatterns(String commaDelimitedPatterns)
      Sets a comma-delimited list of regular expressions to match values of parameters that should be removed from the parameter map.
      Parameters:
      commaDelimitedPatterns - A comma-delimited set of regular expressions