
[Security] Migrate struts file upload actions from FileUploadInterceptor to ActionFileUploadInterceptor #2389

@LiamStanziani

Description


Summary

The Struts 2 defaultStack in 6.8.0 includes both the old FileUploadInterceptor and the new ActionFileUploadInterceptor. Actions that don't implement UploadedFilesAware fall back to the old vulnerable interceptor, leaving a critical CVE (path traversal via file upload) unmitigated.

Problem

  • The old FileUploadInterceptor injects uploaded files via OGNL parameter setters — this is the vulnerable code path
  • The new ActionFileUploadInterceptor only processes files for actions implementing UploadedFilesAware — otherwise it skips entirely
  • All 30 file upload 2Action classes currently use the old File setter pattern, meaning the vulnerable interceptor handles every upload

Confirmed via runtime stack trace analysis — FileUploadInterceptor.intercept() is active in the call chain for all upload actions.

Solution

  1. Implement UploadedFilesAware on all 30 upload 2Action classes
  2. Use withUploadedFiles(List<UploadedFile>) callback to receive files via the secure ActionFileUploadInterceptor
  3. Use the PathValidationUtils.toFile() helper for safe UploadedFile-to-File extraction
  4. Remove explicit fileUpload interceptor refs from struts.xml action mappings
  5. Pass allowedTypes/allowedExtensions via actionFileUpload params where needed
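Steps 1 to 5 above applied to a single action, as an added example that is not code from this project or from Struts: the legacy action that still lands on FileUploadInterceptor is shown beside its UploadedFilesAware replacement, together with an assumed shape for the PathValidationUtils helper and an assumed struts.xml mapping in a comment. The class names, the upload root, the helper bodies and the mapping are assumptions for illustration; only UploadedFilesAware, UploadedFile and the actionFileUpload parameter names (allowedTypes, allowedExtensions, maximumSize) come from Struts 6.x.

```java
// Added example (not this project's or Struts' own code). Class names, UPLOAD_ROOT,
// the PathValidationUtils bodies and the struts.xml mapping below are assumptions.
//
// Matching struts.xml mapping (steps 4 and 5): no explicit fileUpload interceptor-ref,
// limits passed to the actionFileUpload interceptor that is already in defaultStack:
//   <action name="documentUpload" class="example.upload.DocumentUpload2Action">
//     <interceptor-ref name="defaultStack">
//       <param name="actionFileUpload.allowedExtensions">.pdf,.png,.jpg</param>
//       <param name="actionFileUpload.maximumSize">10485760</param>
//     </interceptor-ref>
//     <result name="success">/upload-done.jsp</result>
//   </action>
package example.upload;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;

import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

import com.opensymphony.xwork2.ActionSupport;

// BEFORE: FileUploadInterceptor populates these setters through OGNL. Because the action
// does not implement UploadedFilesAware, ActionFileUploadInterceptor skips it entirely and
// the legacy interceptor stays on the call path for every request to this action.
class LegacyDocumentUpload2Action extends ActionSupport {
    private File document;
    private String documentFileName;

    public void setDocument(File document) { this.document = document; }
    public void setDocumentFileName(String documentFileName) { this.documentFileName = documentFileName; }

    @Override
    public String execute() throws IOException {
        // A client-controlled name reaches the filesystem without any path check.
        Files.copy(document.toPath(), Path.of("/var/lib/app/documents", documentFileName),
                StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

// AFTER: files reach the action only through withUploadedFiles(), which
// ActionFileUploadInterceptor calls; no File or *FileName setters remain for OGNL to hit.
public class DocumentUpload2Action extends ActionSupport implements UploadedFilesAware {
    // Assumed storage location; normalized once so the containment check below is exact.
    static final Path UPLOAD_ROOT = Path.of("/var/lib/app/documents").toAbsolutePath().normalize();

    private final List<UploadedFile> uploadedFiles = new ArrayList<>();
    private final List<Path> storedFiles = new ArrayList<>();

    @Override
    public void withUploadedFiles(List<UploadedFile> files) {
        uploadedFiles.addAll(files);
    }

    @Override
    public String execute() throws IOException {
        for (UploadedFile uploaded : uploadedFiles) {
            File temp = PathValidationUtils.toFile(uploaded);
            String safeName = PathValidationUtils.safeFileName(uploaded.getOriginalName());
            Path target = UPLOAD_ROOT.resolve(safeName).normalize();
            // Defence in depth: the name was already reduced to one segment, but refuse
            // anything whose parent is not the upload root.
            if (!UPLOAD_ROOT.equals(target.getParent())) {
                throw new IOException("refusing to store outside upload root: " + safeName);
            }
            Files.copy(temp.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
            storedFiles.add(target);
        }
        return SUCCESS;
    }

    public List<Path> getStoredFiles() { return storedFiles; }
}

// Assumed shape of the PathValidationUtils helper the issue refers to (step 3).
final class PathValidationUtils {
    private PathValidationUtils() {}

    /** Unwrap the temporary File behind an UploadedFile, rejecting anything else. */
    static File toFile(UploadedFile uploaded) throws IOException {
        Object content = uploaded.getContent();
        if (!uploaded.isFile() || !(content instanceof File)) {
            throw new IOException("upload is not backed by a regular file: " + uploaded.getName());
        }
        return (File) content;
    }

    /** Keep only the last path segment and reject empty, dot-only or NUL-containing names. */
    static String safeFileName(String original) throws IOException {
        if (original == null) {
            throw new IOException("missing original file name");
        }
        int cut = Math.max(original.lastIndexOf('/'), original.lastIndexOf('\\'));
        String name = original.substring(cut + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..") || name.indexOf('\0') >= 0) {
            throw new IOException("unsafe file name: " + original);
        }
        return name;
    }
}
```

After the change, a stack trace taken during an upload to DocumentUpload2Action should show ActionFileUploadInterceptor.intercept() and no FileUploadInterceptor frame, which is the same runtime check the issue used to confirm the problem. The allowedTypes and allowedExtensions parameters are matched by the interceptor against the multipart content type and original file name, so they complement rather than replace the name sanitisation in safeFileName().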

Affected Actions (30 files)

Billing, case management, document management, eforms, encounters, forms, HRM, MCEDT, labs, login, reports, traceability — all 2Action classes with file upload functionality.
