[
https://issues.apache.org/jira/browse/WW-5288?focusedWorklogId=851520&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-851520
]
ASF GitHub Bot logged work on WW-5288:
--------------------------------------
Author: ASF GitHub Bot
Created on: 17/Mar/23 13:59
Start Date: 17/Mar/23 13:59
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on code in PR #664:
URL: https://github.com/apache/struts/pull/664#discussion_r1133057903
##########
core/src/test/java/com/test/ExternalSecurityMemberAccessTest.java:
##########
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package com.test;
+
+import com.opensymphony.xwork2.ognl.SecurityMemberAccessTest;
+
+/**
+ * Runs the same test suite using a SecurityMemberAccess class that is outside
the
+ * com.opensymphony.xwork2.ognl package.
+ */
+public class ExternalSecurityMemberAccessTest extends SecurityMemberAccessTest
{
+
+ @Override
+ protected void assignNewSma(boolean allowStaticFieldAccess) {
+ sma = new ExternalSecurityMemberAccess(allowStaticFieldAccess);
Review Comment:
Nope :) Yet testing the `MemberAccess` behaviour for different settings
makes sense, this is the last line of defence :)
Issue Time Tracking
-------------------
Worklog Id: (was: 851520)
Time Spent: 1h 50m (was: 1h 40m)
> Make excluded package exemption logic more strict
> -------------------------------------------------
>
> Key: WW-5288
> URL: https://issues.apache.org/jira/browse/WW-5288
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.2.0
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> Following on from the discussion in the comments on WW-5268 - exempting
> classes from excluded packages should only be done if unavoidable.
> Given this, I realised we should make the exemption logic more strict to
> prevent incorrect use and inadvertent exempting of more OGNL expressions than
> intended.
> * Currently, the exempted classes also match against superclasses. This is
> unnecessary and we can match against only the specific class.
> * Currently, an exemption against either the target or member class suffices.
> This can be made more strict by requiring an exemption for the class which
> matches the excluded package specifically, which could be either or both.
> * The JavaDoc for the options should be very explicit in what each
> configuration option achieves to prevent incorrect uses.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
