Home/ Questions/Q 8100795
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T22:50:21+00:00

recently I found a function like this in a generic JSR245 portlet class: public

  • 0

recently I found a function like this in a generic JSR245 portlet class:

    public class MyGenericPortlet extends GenericPortlet {
      @Override
      public void processAction(ActionRequest rq, ActionResponse rs) throws PortletException{
        String actParam = rq.getParameter("myAction");

        if( (actParam != null) && (!("").equals(actParam))) {
          try{
            Method m = this.getClass().getMethod(actParam, new Class[]{ActionRequest.class, ActionResponse.class});
                m.invoke(this, new Object[]{rq, rs});
            }
            catch(Exception e){
                setRequestAttribute(rq.getPortletSession(),"error", "Error in method:"+action);
                e.printStackTrace();
            }
        }
        else setRequestAttribute(rq.getPortletSession(),"error", "Error in method:"+action);
      }
    }

How safe is such code? As far as I can see the following problems might occur:

  1. A parameter transmitted from the client is used unchecked to call a function. This allows anyone who can transmit data to the corresponding portlet to call any matching function. on the other hand the function to be called must have a specific interface. Usually such functions are very rare.
  2. A programmer might accidentaly add a function with a corresponding interface. As only public functions seem to be found this is no problem as long as the function is private or protected.
  3. The error message can reveal information about the software to the client. This shouldn’t be a problem as the software itself is Open Source.

Obviously there is some room for programming errors that can be exploited. Are there other unwanted side effects that might occur? How should I (or the developers) judge the risk that comes from this function?

If you think it is safe, I’d like to know why.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The fact that only public methods with a specific signature can be invoked remotely is good. However, it could be made more secure by, for example, requiring a special annotation on action methods. This would indicate the developer specifically intended the method to be an invokable action.

    A realistic scenario where the current implementation could be dangerous is when the developer adds an action that validates that the information in the request is safe, then passes the request and response to another method for actual processing. If an attacker could learn the name of the delegate method, he could invoke it directly, bypassing the parameter safety validation.

    • 0