[jira] [Work logged] (WW-5288) Make excluded package exemption logic more strict

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/WW-5288?focusedWorklogId=848502&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-848502
 ]

ASF GitHub Bot logged work on WW-5288:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Mar/23 04:10
            Start Date: 02/Mar/23 04:10
    Worklog Time Spent: 10m 
      Work Description: kusalk commented on code in PR #664:
URL: https://github.com/apache/struts/pull/664#discussion_r1122578610


##########
core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java:
##########
@@ -95,6 +96,12 @@ public boolean isAccessible(Map context, Object target, 
Member member, String pr
         LOG.debug("Checking access for [target: {}, member: {}, property: 
{}]", target, member, propertyName);
 
         final int memberModifiers = member.getModifiers();
+        final Class<?> memberClass = member.getDeclaringClass();
+        // target can be null in case of accessing static fields, since OGNL 
3.2.8
+        final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? 
memberClass : target.getClass();
+        if (!memberClass.isAssignableFrom(targetClass)) {

Review Comment:
   Added some validation here and in `#isPackageExcluded` to ensure unit tests 
made sense





Issue Time Tracking
-------------------

    Worklog Id:     (was: 848502)
    Time Spent: 50m  (was: 40m)

> Make excluded package exemption logic more strict
> -------------------------------------------------
>
>                 Key: WW-5288
>                 URL: https://issues.apache.org/jira/browse/WW-5288
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.2.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Following on from the discussion in the comments on WW-5268 - exempting 
> classes from excluded packages should only be done if unavoidable.
> Given this, I realised we should make the exemption logic more strict to 
> prevent incorrect use and inadvertent exempting of more OGNL expressions than 
> intended.
> * Currently, the exempted classes also match against superclasses. This is 
> unnecessary and we can match against only the specific class.
> * Currently, an exemption against either the target or member class suffices. 
> This can be made more strict by requiring an exemption for the class which 
> matches the excluded package specifically, which could be either or both.
> * The JavaDoc for the options should be very explicit in what each 
> configuration option achieves to prevent incorrect uses.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)