Upgrade Struts 2.5.33 to 6.4.0 - Fixes Many Vulnerabilities (#84)

* Bump org.apache.struts:struts2-core from 2.5.33 to 6.4.0 Bumps [org.apache.struts:struts2-core](https://github.com/apache/struts) from 2.5.33 to 6.4.0. - [Release notes](https://github.com/apache/struts/releases) - [Commits](https://github.com/apache/struts/commits) --- updated-dependencies: - dependency-name: org.apache.struts:struts2-core dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * upgrading struts to fix known vulns --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Josh <ascetik@gmail.com>
factionsecurity · Dec 18, 2024 · d9396b7 · d9396b7
1 parent 5dbfe1f
commit d9396b7
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/pom.xml b/pom.xml
@@ -133,17 +133,17 @@
 		<dependency>
 			<groupId>org.apache.struts</groupId>
 			<artifactId>struts2-core</artifactId>
-			<version>2.5.33</version>
+			<version>6.7.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.struts</groupId>
 			<artifactId>struts2-junit-plugin</artifactId>
-			<version>2.5.33</version>
+			<version>6.7.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.struts</groupId>
 			<artifactId>struts2-convention-plugin</artifactId>
-			<version>2.5.20</version>
+			<version>6.7.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>

diff --git a/src/com/fuse/actions/FSActionSupport.java b/src/com/fuse/actions/FSActionSupport.java
@@ -51,7 +51,7 @@
 public class FSActionSupport extends ActionSupport implements SessionAware, ServletRequestAware, ServletResponseAware { 
 
 
-	protected SessionMap<String,Object> JSESSION;  
+	protected SessionMap JSESSION;  
 	protected Map<String,String> COOKIES;
 	public HttpServletRequest request = ServletActionContext.getRequest();
 	public HttpServletResponse response = ServletActionContext.getResponse();

diff --git a/src/struts.xml b/src/struts.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!DOCTYPE struts PUBLIC
-	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
-	"http://struts.apache.org/dtds/struts-2.3.dtd">
+	"-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+	"https://struts.apache.org/dtds/struts-6.0.dtd">
 <struts>
 
 	<constant name="struts.multipart.maxSize" value="1000000000"/>
@@ -52,6 +52,8 @@
     </package>
      <constant name="struts.convention.default.parent.package" value="default"/>
      <constant name="struts.devMode" value="false" />
+	<constant name="struts.csp.enable" value="false" />
+	<constant name="struts.csp.policy" value="default-src 'self'; script-src 'self'; style-src 'self'" />
 
     <!-- Add packages here -->
      <constant name="struts.action.excludePattern" value="/(service|api)/.*"/>