
6.7: WW-5528 Ensure multipart upload illegal characters reported as error #1215


Merged


@kusalk kusalk (Member) commented Feb 6, 2025

WW-5528

Cherry-pick #1213

@kusalk kusalk force-pushed the WW-5528-multipart-illegal-char-errors-67 branch from e16d24b to 9775cbc Compare February 6, 2025 07:56

if (isExcluded(fileName)) {
String normalizedFileName = normalizeSpace(fileName);
LOG.debug("File name [{}] is not accepted", normalizedFileName);
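Review bot: the rejection branch shown here only records the excluded file name at debug level, while the PR's goal is to report illegal characters as an error, so confirm that the code around `isExcluded(fileName)` also adds a user-visible error for the rejected upload; that part is outside the visible lines. On the SonarCloud notice: `normalizedFileName` has already been through `normalizeSpace`, and assuming that is Commons Lang's `StringUtils.normalizeSpace` (which collapses runs of whitespace, line breaks included, into single spaces), newline-based log forging is addressed at this line, so the Low notice can be resolved as mitigated with a short comment saying why.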

Check notice (Code scanning / SonarCloud): Logging should not be vulnerable to injection attacks (Low). Change this code to not log user-controlled data.
@kusalk kusalk marked this pull request as ready for review February 6, 2025 09:42
@kusalk kusalk requested a review from lukaszlenart February 6, 2025 09:42
@kusalk kusalk force-pushed the WW-5528-multipart-illegal-char-errors-67 branch from 9775cbc to 9753a30 Compare February 7, 2025 01:39
@kusalk kusalk changed the title WW-5528 Ensure multipart upload illegal characters reported as error 6.7: WW-5528 Ensure multipart upload illegal characters reported as error Feb 7, 2025
@kusalk kusalk force-pushed the WW-5528-multipart-illegal-char-errors-67 branch from 9753a30 to fe3dd6b Compare February 7, 2025 01:40

sonarqubecloud bot commented Feb 7, 2025

Quality Gate failed

Failed conditions
22 Security Hotspots
42.2% Coverage on New Code (required ≥ 80%)
3.4% Duplication on New Code (required ≤ 3%)
E Security Rating on New Code (required ≥ A)
E Reliability Rating on New Code (required ≥ A)


protected boolean isInvalidInput(String fieldName) {
if (isExcluded(fieldName)) {
String normalizedFieldName = normalizeSpace(fieldName);
LOG.debug("Form field [{}] is rejected!", normalizedFieldName);
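Review bot: `isInvalidInput` is declared `boolean`, but the visible lines stop inside the `isExcluded` branch without a return, so check that the rejected path returns `true` and the accepted path `false`, and that callers surface the rejection as an action error rather than relying on the debug log. The notice here is the same pattern as the file-name case: the value is normalized before logging, which handles CR/LF; what whitespace normalization does not strip is other control characters (an escape character, for example), so if these logs are read in a terminal, trimming the value to a bounded length and dropping non-printable characters would close that residual gap.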

Check notice (Code scanning / SonarCloud): Logging should not be vulnerable to injection attacks (Low). Change this code to not log user-controlled data.
@@ -154,10 +142,10 @@

protected void processNormalFormField(FileItem item, String charset) throws UnsupportedEncodingException {
try {
LOG.debug("Item is a normal form field");
String fieldName = item.getFieldName();
LOG.debug("Item: {} is a normal form field", normalizeSpace(fieldName));
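Review bot: the notice on this line is introduced by the hunk rather than inherited, because the previous message `"Item is a normal form field"` logged no user data while the new one embeds the field name; since `isInvalidInput` already logs the normalized field name when it rejects a field, the name adds little diagnostic value here. Suggest restoring the constant message, or, if the field name is wanted for tracing normal processing, keep the `normalizeSpace` call and apply whatever additional filtering is settled on for the rejection-path logs, so that all three logging sites treat untrusted input consistently.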

Check notice (Code scanning / SonarCloud): Logging should not be vulnerable to injection attacks (Low). Change this code to not log user-controlled data.
@lukaszlenart lukaszlenart added this to the 6.7.2 milestone Feb 9, 2025
@kusalk kusalk merged commit 58f37ba into release/struts-6-7-x Feb 9, 2025
9 of 10 checks passed
@kusalk kusalk deleted the WW-5528-multipart-illegal-char-errors-67 branch February 9, 2025 12:44