Repository: struts Updated Branches: refs/heads/master 8f53b6f59 -> 5d999d6ac
add constant to control proxy member access Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/0d6442ba Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/0d6442ba Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/0d6442ba Branch: refs/heads/master Commit: 0d6442bab5b44d93c4c2e63c5335f0a331333b92 Parents: 4c386c6 Author: Aleksandr Mashchenko <[email protected]> Authored: Thu Jun 22 00:58:41 2017 +0300 Committer: Aleksandr Mashchenko <[email protected]> Committed: Thu Jun 22 00:58:41 2017 +0300 ---------------------------------------------------------------------- .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 12 +++++ .../xwork2/ognl/OgnlValueStack.java | 1 + .../xwork2/ognl/SecurityMemberAccess.java | 7 ++- .../org/apache/struts2/StrutsConstants.java | 2 + .../ognl/SecurityMemberAccessProxyTest.java | 49 ++++++++++++++++++++ .../xwork2/spring/actionContext-xwork.xml | 1 + .../spring/src/main/resources/struts-plugin.xml | 2 + 7 files changed, 73 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index ced8eff..d15977f 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java @@ -28,6 +28,7 @@ import ognl.*; import org.apache.commons.lang3.BooleanUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.apache.struts2.StrutsConstants; import java.beans.BeanInfo; import java.beans.IntrospectionException; 
@@ -64,6 +65,7 @@ public class OgnlUtil { private Container container; private boolean allowStaticMethodAccess; + private boolean disallowProxyMemberAccess; @Inject public void setXWorkConverter(XWorkConverter conv) { @@ -144,6 +146,15 @@ public class OgnlUtil { this.allowStaticMethodAccess = Boolean.parseBoolean(allowStaticMethodAccess); } + @Inject(value = StrutsConstants.STRUTS_DISALLOW_PROXY_MEMBER_ACCESS, required = false) + public void setDisallowProxyMemberAccess(String disallowProxyMemberAccess) { + this.disallowProxyMemberAccess = Boolean.parseBoolean(disallowProxyMemberAccess); + } + + public boolean isDisallowProxyMemberAccess() { + return disallowProxyMemberAccess; + } + /** * Sets the object's properties using the default type converter, defaulting to not throw * exceptions for problems setting the properties. @@ -679,6 +690,7 @@ public class OgnlUtil { memberAccess.setExcludedClasses(excludedClasses); memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns); memberAccess.setExcludedPackageNames(excludedPackageNames); + memberAccess.setDisallowProxyMemberAccess(disallowProxyMemberAccess); return Ognl.createDefaultContext(root, resolver, defaultConverter, memberAccess); } http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java index 28bef54..4ea6b44 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java 
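Review bot: In the `@@ -144,6 +146,15 @@` hunk, `setDisallowProxyMemberAccess` reads the constant with `Boolean.parseBoolean`, so any value other than a case-insensitive "true" (a typo, `yes`, stray whitespace) silently leaves the proxy check off, and with `required = false` a missing constant does the same. The neighbouring `setAllowStaticMethodAccess` parses the same way, but there a bad value fails closed; here it fails open. I would log the effective value once at injection and document the contract on the setter, e.g. `/** Blocks OGNL access to proxy members only when the constant is exactly "true"; unset or any other value permits it. */`. The new getter `isDisallowProxyMemberAccess` has no Javadoc either.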
@@ -84,6 +84,7 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses()); securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns()); securityMemberAccess.setExcludedPackageNames(ognlUtil.getExcludedPackageNames()); + securityMemberAccess.setDisallowProxyMemberAccess(ognlUtil.isDisallowProxyMemberAccess()); } protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot, http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index cce09cb..7a84a34 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -41,6 +41,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { private Set<Class<?>> excludedClasses = Collections.emptySet(); private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet(); private Set<String> excludedPackageNames = Collections.emptySet(); + private boolean disallowProxyMemberAccess; public SecurityMemberAccess(boolean method) { super(false); @@ -85,7 +86,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { return false; } - if (ProxyUtil.isProxyMember(member, target)) { + if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)) { LOG.warn("Access to proxy [{}] is blocked!", member); return false; } 
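Review bot: In the `@@ -85,7 +86,7 @@` hunk of SecurityMemberAccess.java the proxy-member check in `isAccessible` changes from unconditional to opt-in. `disallowProxyMemberAccess` is a plain `boolean` field (added in the `@@ -41,6 +41,7 @@` hunk) and therefore starts as `false`, so any instance whose setter is never called now permits what was blocked before. In this commit only the Spring plugin's `struts-plugin.xml` and the test `actionContext-xwork.xml` set `struts.disallowProxyMemberAccess` to `true`, so deployments that do not load that plugin appear to lose the check on upgrade. If that is intended, state it on the field, e.g. `// off unless struts.disallowProxyMemberAccess is "true" (the Spring plugin sets it)`; otherwise initialise the field as `private boolean disallowProxyMemberAccess = true;` here and in `OgnlUtil`, which always overwrites this one from its own field. `isAccessible` begins and ends outside the hunk.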
@@ -212,4 +213,8 @@ public class SecurityMemberAccess extends DefaultMemberAccess { public void setExcludedPackageNames(Set<String> excludedPackageNames) { this.excludedPackageNames = excludedPackageNames; } + + public void setDisallowProxyMemberAccess(boolean disallowProxyMemberAccess) { + this.disallowProxyMemberAccess = disallowProxyMemberAccess; + } } http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/main/java/org/apache/struts2/StrutsConstants.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java index 87902cc..0cc7172 100644 --- a/core/src/main/java/org/apache/struts2/StrutsConstants.java +++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java @@ -325,4 +325,6 @@ public final class StrutsConstants { public static final String STRUTS_TEXT_PROVIDER_FACTORY = "struts.textProviderFactory"; public static final String STRUTS_LOCALIZED_TEXT_PROVIDER = "struts.localizedTextProvider"; + + public static final String STRUTS_DISALLOW_PROXY_MEMBER_ACCESS = "struts.disallowProxyMemberAccess"; } http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java ---------------------------------------------------------------------- diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java new file mode 100644 index 0000000..ceda2e0 --- /dev/null +++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java 
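Review bot: `STRUTS_DISALLOW_PROXY_MEMBER_ACCESS` in the StrutsConstants.java hunk is added without a comment, although it switches a member-access restriction and is phrased as a negative, so that leaving it unset means "allow". A Javadoc line on the constant would make the default visible to anyone configuring it: `/** When "true", OGNL access to members of proxy objects is blocked; unset or any other value permits it. */`.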
@@ -0,0 +1,49 @@ +package com.opensymphony.xwork2.ognl; + +import java.lang.reflect.Member; +import java.util.HashMap; +import java.util.Map; + +import com.opensymphony.xwork2.ActionProxy; +import com.opensymphony.xwork2.XWorkTestCase; +import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider; + +public class SecurityMemberAccessProxyTest extends XWorkTestCase { + private Map<String, Object> context; + + @Override + public void setUp() throws Exception { + super.setUp(); + + context = new HashMap<>(); + // Set up XWork + XmlConfigurationProvider provider = new XmlConfigurationProvider("com/opensymphony/xwork2/spring/actionContext-xwork.xml"); + container.inject(provider); + loadConfigurationProviders(provider); + } + + public void testProxyAccessIsBlocked() throws Exception { + ActionProxy proxy = actionProxyFactory.createActionProxy(null, + "chaintoAOPedTestSubBeanAction", null, context); + + SecurityMemberAccess sma = new SecurityMemberAccess(false); + sma.setDisallowProxyMemberAccess(true); + + Member member = proxy.getAction().getClass().getMethod("isExposeProxy"); + + boolean accessible = sma.isAccessible(context, proxy.getAction(), member, ""); + assertFalse(accessible); + } + + public void testProxyAccessIsAccessible() throws Exception { + ActionProxy proxy = actionProxyFactory.createActionProxy(null, + "chaintoAOPedTestSubBeanAction", null, context); + + SecurityMemberAccess sma = new SecurityMemberAccess(false); + + Member member = proxy.getAction().getClass().getMethod("isExposeProxy"); + + boolean accessible = sma.isAccessible(context, proxy.getAction(), member, ""); + assertTrue(accessible); + } +} http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml ---------------------------------------------------------------------- 
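Review bot: Both tests construct `SecurityMemberAccess` by hand, so nothing verifies that the `struts.disallowProxyMemberAccess` constant set in `actionContext-xwork.xml` actually reaches the member access through `OgnlUtil`; that wiring could break without any test failing. A third test with an assertion along the lines of `assertTrue(container.getInstance(OgnlUtil.class).isDisallowProxyMemberAccess());` would cover the injection path. `testProxyAccessIsAccessible` also pins the permissive default of a freshly constructed instance, so it deserves a comment saying this is deliberate, e.g. `// default: proxy check disabled unless the constant enables it`.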
diff --git a/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml b/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml index 4457d15..0eb8c9a 100644 --- a/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml +++ b/core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml @@ -2,6 +2,7 @@ <xwork> <bean type="com.opensymphony.xwork2.ObjectFactory" class="com.opensymphony.xwork2.spring.SpringObjectFactory" /> <constant name="applicationContextPath" value="com/opensymphony/xwork2/spring/actionContext-spring.xml" /> + <constant name="struts.disallowProxyMemberAccess" value="true" /> <package name="default"> <result-types> <result-type name="null" class="com.opensymphony.xwork2.mock.MockResult" default="true"/> http://git-wip-us.apache.org/repos/asf/struts/blob/0d6442ba/plugins/spring/src/main/resources/struts-plugin.xml ---------------------------------------------------------------------- diff --git a/plugins/spring/src/main/resources/struts-plugin.xml b/plugins/spring/src/main/resources/struts-plugin.xml index eb50772..cc13bca 100644 --- a/plugins/spring/src/main/resources/struts-plugin.xml +++ b/plugins/spring/src/main/resources/struts-plugin.xml @@ -35,6 +35,8 @@ <constant name="struts.class.reloading.acceptClasses" value="" /> <constant name="struts.class.reloading.reloadConfig" value="false" /> + <constant name="struts.disallowProxyMemberAccess" value="true" /> + <package name="spring-default"> <interceptors> <interceptor name="autowiring" class="com.opensymphony.xwork2.spring.interceptor.ActionAutowiringInterceptor"/>
