This repository was archived by the owner on May 6, 2025. It is now read-only.

Pull #2

Open
prateek200787 wants to merge 42 commits into apache:STRUTS_1_2_BRANCH from kawasima:STRUTS_1_2_BRANCH

Conversation

@prateek200787

No description provided.

kawasima and others added 30 commits May 13, 2015 10:23
- Implement tests for OptionTag to validate XSS protection and HTML escaping.
- Create tests for ForwardTag to ensure proper forward handling and error management.
- Add tests for MatchTag and NotMatchTag to verify matching logic against request parameters and attributes.
- Introduce tests for NotEmptyTag to check for non-empty conditions on various data types.
- Develop tests for ModuleUtils to validate module configuration retrieval and selection.
- Add tests for ResponseUtils to ensure proper HTML character escaping and URL encoding.
This commit introduces a new XML file, validator-rules.xml, which contains the default pluggable validator definitions for Struts. The file includes various validation rules such as required fields, length checks, data type validations, and more. It also provides associated error messages that can be referenced in the ApplicationResources.properties file. This setup is essential for integrating the Struts Validator into the application.
…revent path traversal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix GHSA-xgrq-qjm7-p99v: validate page parameter in SwitchAction to p…
…revent XSS

Apply ResponseUtils.filter() to message content in ErrorsTag.doStartTag()
before appending to output buffer. Previously, non-resource ActionMessage
keys and resource message arguments were written raw, allowing reflected
XSS (CVE-2012-1007).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…rt handlers to prevent memory exhaustion

Add a configurable maxTextFieldSize property (default 256KB) to
ControllerConfig. CommonsMultipartRequestHandler.addTextParameter()
now checks item.getSize() against the limit and skips oversized
fields. MultipartIterator.createTextMultipartElement() tracks bytes
read and drains the stream without storing data when the limit is
exceeded; getNextElement() recurses past skipped fields so subsequent
normal-sized fields are still returned.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enforce per-text-field size limit in multipart handlers
…eter population to prevent validator bypass

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix GHSA-cr42-9px3-5v7x: suppress validatorResults from request parameter population
… to prevent path traversal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix GHSA-6gxc-rr3q-63w6: path traversal via Tiles LOCALE_KEY
… output to prevent CRLF log injection

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix GHSA-r7xj-rhwv-rpq5: CRLF log injection in LookupDispatchAction
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kawasima and others added 12 commits March 1, 2026 15:05
…scaping

OptionTag now escapes value attribute and text content by default via
TagUtils.filter(), matching the existing behavior of OptionsTag and
OptionsCollectionTag. A filter attribute (default true) allows opting
out if raw HTML output is needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add disallow-doctype-decl and external-entity features to every Digester
instantiation in ActionServlet, XmlParser (Tiles), and DigestingPlugIn
to prevent XML External Entity attacks on configuration file parsing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
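An added example (not code from this pull request) of hardening a Commons Digester instance the way the commit above describes, with a constructed config snippet to show the DOCTYPE being refused. The feature URIs are the standard Xerces/SAX identifiers and are assumed to be the ones the commit means; the parsing rules and sample XML are constructed for the demonstration.

```java
import java.io.StringReader;
import java.util.ArrayList;
import org.apache.commons.digester.Digester;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedDigesterExample {
    // Standard Xerces/SAX feature URIs (assumed to be the ones the commit refers to).
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    /** Build a Digester that refuses any DTD and never resolves external entities. */
    static Digester hardenedDigester() throws Exception {
        Digester digester = new Digester();
        // Features must be set before the first parse, when the SAX parser is created.
        digester.setFeature(DISALLOW_DOCTYPE, true);
        digester.setFeature(EXT_GENERAL, false);
        digester.setFeature(EXT_PARAMETER, false);
        // Hypothetical minimal rule set: collect message-resources "parameter" values.
        digester.addObjectCreate("struts-config", ArrayList.class);
        digester.addCallMethod("struts-config/message-resources", "add", 1);
        digester.addCallParam("struts-config/message-resources", 0, "parameter");
        return digester;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity, the input an
        // XXE attack on config parsing depends on. The hardened parser must reject it.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE struts-config [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
            + "<struts-config><message-resources parameter=\"&ext;\"/></struts-config>";
        // Constructed sample: an ordinary config with no DTD, which must still parse.
        String clean = "<struts-config>"
            + "<message-resources parameter=\"ApplicationResources\"/></struts-config>";

        try {
            hardenedDigester().parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("Rejected DOCTYPE as expected: " + e.getMessage());
        }
        Object result = hardenedDigester().parse(new InputSource(new StringReader(clean)));
        System.out.println("Clean config parsed: " + result);
    }
}
```

Because disallow-doctype-decl rejects the document before any entity is declared, the two external-entity features are defence in depth for parsers that ignore the first one.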
…o prevent XSS

field.getKey() was interpolated directly into a JavaScript string literal at
JavascriptValidatorTag.java line 499 without escaping, while the adjacent
message value was correctly escaped with escapeQuotes(). A field property
containing a double-quote could break out of the string context and inject
arbitrary JavaScript. Fix wraps field.getKey() with the existing
escapeJavascript() method, which backslash-escapes ", ', \, \n, and \r.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>