[
https://issues.apache.org/jira/browse/WW-5340?focusedWorklogId=879291&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-879291
]
ASF GitHub Bot logged work on WW-5340:
--------------------------------------
Author: ASF GitHub Bot
Created on: 31/Aug/23 07:40
Start Date: 31/Aug/23 07:40
Worklog Time Spent: 10m
Work Description: github-code-scanning[bot] commented on code in PR #746:
URL: https://github.com/apache/struts/pull/746#discussion_r1311222295
##########
core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java:
##########
@@ -592,58 +582,55 @@
}
public Object getValue(final String name, final Map<String, Object>
context, final Object root) throws OgnlException {
- return compileAndExecute(name, context, tree -> Ognl.getValue(tree,
context, root));
+ return getValue(name, context, root, null);
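Review bot: delegating the three-argument getValue to getValue(name, context, root, null) makes the validator chosen by the four-argument overload the only gate for every plain getValue caller, where before this hunk those callers went through compileAndExecute and its own checkEnableEvalExpression pass; confirm the overload applies the same check so the refactor does not weaken any existing caller. Passing null for resultType is fine on its own, since Ognl.getValue(tree, context, root, null) is exactly what the three-argument Ognl.getValue does internally.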
Review Comment:
## OGNL Expression Language statement with user-controlled input
OGNL Expression Language statement depends on a [user-provided value](1).
OGNL Expression Language statement depends on a [user-provided value](2).
OGNL Expression Language statement depends on a [user-provided value](3).
OGNL Expression Language statement depends on a [user-provided value](4).
OGNL Expression Language statement depends on a [user-provided value](5).
OGNL Expression Language statement depends on a [user-provided value](6).
OGNL Expression Language statement depends on a [user-provided value](7).
OGNL Expression Language statement depends on a [user-provided value](8).
OGNL Expression Language statement depends on a [user-provided value](9).
OGNL Expression Language statement depends on a [user-provided value](10).
OGNL Expression Language statement depends on a [user-provided value](11).
OGNL Expression Language statement depends on a [user-provided value](12).
[Show more details](https://github.com/apache/struts/security/code-scanning/340)
##########
core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java:
##########
@@ -592,58 +582,55 @@
}
public Object getValue(final String name, final Map<String, Object>
context, final Object root) throws OgnlException {
- return compileAndExecute(name, context, tree -> Ognl.getValue(tree,
context, root));
+ return getValue(name, context, root, null);
}
public Object callMethod(final String name, final Map<String, Object>
context, final Object root) throws OgnlException {
- return compileAndExecuteMethod(name, context, tree ->
Ognl.getValue(tree, context, root));
+ return ognlGet(name, context, root, null, context,
this::checkSimpleMethod);
}
public Object getValue(final String name, final Map<String, Object>
context, final Object root, final Class<?> resultType) throws OgnlException {
- return compileAndExecute(name, context, tree -> Ognl.getValue(tree,
context, root, resultType));
+ return ognlGet(name, context, root, resultType, context,
this::checkEnableEvalExpression);
}
-
public Object compile(String expression) throws OgnlException {
return compile(expression, null);
}
- private <T> Object compileAndExecute(String expression, Map<String,
Object> context, OgnlTask<T> task) throws OgnlException {
- Object tree;
- if (enableExpressionCache) {
- tree = expressionCache.get(expression);
- if (tree == null) {
- tree = Ognl.parseExpression(expression);
- checkEnableEvalExpression(tree, context);
- expressionCache.putIfAbsent(expression, tree);
- }
- } else {
- tree = Ognl.parseExpression(expression);
- checkEnableEvalExpression(tree, context);
+ private void ognlSet(String expr, Map<String, Object> context, Object
root, Object value, Map<String, Object> checkContext, TreeValidator...
treeValidators) throws OgnlException {
+ Object tree = toTree(expr);
+ for (TreeValidator validator : treeValidators) {
+ validator.validate(tree, checkContext);
}
+ Ognl.setValue(tree, context, root, value);
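Review bot: the TreeValidator... varargs on ognlSet lets a caller pass no validator at all, after which Ognl.setValue runs on a tree that nobody checked, whereas the removed compileAndExecute always ran checkEnableEvalExpression before executing; either make the first validator a required parameter or reject an empty treeValidators array, and add a Javadoc line stating that checkContext is the map the validators see while context is the map the expression is evaluated against, since callMethod and getValue currently pass the same map for both and a future caller could split them without realising the consequence. The per-call validation itself is an improvement worth keeping: the old code only checked the tree inside `if (tree == null)`, so a cached tree was never re-validated against a different context on later calls.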
Review Comment:
## OGNL Expression Language statement with user-controlled input
OGNL Expression Language statement depends on a [user-provided value](1).
OGNL Expression Language statement depends on a [user-provided value](2).
OGNL Expression Language statement depends on a [user-provided value](3).
[Show more details](https://github.com/apache/struts/security/code-scanning/341)
##########
core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java:
##########
@@ -592,58 +582,55 @@
}
public Object getValue(final String name, final Map<String, Object>
context, final Object root) throws OgnlException {
- return compileAndExecute(name, context, tree -> Ognl.getValue(tree,
context, root));
+ return getValue(name, context, root, null);
}
public Object callMethod(final String name, final Map<String, Object>
context, final Object root) throws OgnlException {
- return compileAndExecuteMethod(name, context, tree ->
Ognl.getValue(tree, context, root));
+ return ognlGet(name, context, root, null, context,
this::checkSimpleMethod);
}
public Object getValue(final String name, final Map<String, Object>
context, final Object root, final Class<?> resultType) throws OgnlException {
- return compileAndExecute(name, context, tree -> Ognl.getValue(tree,
context, root, resultType));
+ return ognlGet(name, context, root, resultType, context,
this::checkEnableEvalExpression);
}
-
public Object compile(String expression) throws OgnlException {
return compile(expression, null);
}
- private <T> Object compileAndExecute(String expression, Map<String,
Object> context, OgnlTask<T> task) throws OgnlException {
- Object tree;
- if (enableExpressionCache) {
- tree = expressionCache.get(expression);
- if (tree == null) {
- tree = Ognl.parseExpression(expression);
- checkEnableEvalExpression(tree, context);
- expressionCache.putIfAbsent(expression, tree);
- }
- } else {
- tree = Ognl.parseExpression(expression);
- checkEnableEvalExpression(tree, context);
+ private void ognlSet(String expr, Map<String, Object> context, Object
root, Object value, Map<String, Object> checkContext, TreeValidator...
treeValidators) throws OgnlException {
+ Object tree = toTree(expr);
+ for (TreeValidator validator : treeValidators) {
+ validator.validate(tree, checkContext);
}
+ Ognl.setValue(tree, context, root, value);
+ }
- return task.execute(tree);
+ private <T> T ognlGet(String expr, Map<String, Object> context, Object
root, Class<T> resultType, Map<String, Object> checkContext, TreeValidator...
treeValidators) throws OgnlException {
+ Object tree = toTree(expr);
+ for (TreeValidator validator : treeValidators) {
+ validator.validate(tree, checkContext);
+ }
+ return (T) Ognl.getValue(tree, context, root, resultType);
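Review bot: callMethod now runs only this::checkSimpleMethod through ognlGet, and the body of the removed compileAndExecuteMethod is not in this hunk, so confirm that checkSimpleMethod subsumes the checkEnableEvalExpression pass for the method-call path; otherwise eval-style expressions are no longer rejected on that route while they still are on getValue. Two smaller points: `return (T) Ognl.getValue(tree, context, root, resultType);` is an unchecked cast that warrants @SuppressWarnings("unchecked") with a comment explaining why resultType.cast cannot be used (both getValue and callMethod pass null for resultType), and the identical validator loop in ognlSet and ognlGet could be one private helper that parses and validates, so a future change to the validation order cannot drift between the get and set paths.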
Review Comment:
## OGNL Expression Language statement with user-controlled input
OGNL Expression Language statement depends on a [user-provided value](1).
OGNL Expression Language statement depends on a [user-provided value](2).
OGNL Expression Language statement depends on a [user-provided value](3).
OGNL Expression Language statement depends on a [user-provided value](4).
OGNL Expression Language statement depends on a [user-provided value](5).
OGNL Expression Language statement depends on a [user-provided value](6).
OGNL Expression Language statement depends on a [user-provided value](7).
OGNL Expression Language statement depends on a [user-provided value](8).
OGNL Expression Language statement depends on a [user-provided value](9).
OGNL Expression Language statement depends on a [user-provided value](10).
OGNL Expression Language statement depends on a [user-provided value](11).
OGNL Expression Language statement depends on a [user-provided value](12).
[Show more details](https://github.com/apache/struts/security/code-scanning/342)
Issue Time Tracking
-------------------
Worklog Id: (was: 879291)
Time Spent: 40m (was: 0.5h)
> Introduce optional AST node exclusion list
> ------------------------------------------
>
> Key: WW-5340
> URL: https://issues.apache.org/jira/browse/WW-5340
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.4.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Enhance security by implementing an optional exclusion list (in struts.xml)
> where applications can specify AST nodes that are not required in their
> applications or are known to carry higher security risk.
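The exclusion list the issue describes amounts to a validator that walks the parsed OGNL AST and rejects any node whose type is on a deny list. The class below is an added illustration of that mechanism, written for this page; it is not code from the PR, and the class name, the method names, and the two node types placed on the list (ognl.ASTStaticMethod and ognl.ASTStaticField) are this example's own choices. It uses only the public OGNL API (Ognl.parseExpression and the ognl.Node tree-walking methods) and assumes Java 11 or later for Set.of/Set.copyOf; the struts.xml constant that would feed such a list is not shown on this page and is not assumed here.

```java
import java.util.Set;

import ognl.Node;
import ognl.Ognl;
import ognl.OgnlException;

/**
 * Example validator (not the project's own code): parses an OGNL expression and
 * refuses it if any node in the AST belongs to an excluded node type.
 */
public final class ExcludedNodeValidator {

    private final Set<String> excludedNodeTypes;

    /** @param excludedNodeTypes fully qualified class names of forbidden AST node types */
    public ExcludedNodeValidator(Set<String> excludedNodeTypes) {
        this.excludedNodeTypes = Set.copyOf(excludedNodeTypes);
    }

    /** Parses the expression and walks the whole tree before anything is evaluated. */
    public Node parseAndCheck(String expression) throws OgnlException {
        Node tree = (Node) Ognl.parseExpression(expression);
        walk(tree);
        return tree;
    }

    /** Depth-first walk; the exception names the offending node type for logging. */
    private void walk(Node node) throws OgnlException {
        String type = node.getClass().getName();
        if (excludedNodeTypes.contains(type)) {
            throw new OgnlException("Excluded OGNL AST node type " + type + " found in expression");
        }
        for (int i = 0; i < node.jjtGetNumChildren(); i++) {
            walk(node.jjtGetChild(i));
        }
    }

    public static void main(String[] args) {
        // Example deny list: static method calls and static field access (an
        // illustrative choice for this example, not a recommendation from the project).
        ExcludedNodeValidator validator = new ExcludedNodeValidator(
                Set.of("ognl.ASTStaticMethod", "ognl.ASTStaticField"));

        // Constructed sample expressions: two ordinary property reads, two static references.
        String[] expressions = {
                "name",
                "user.name",
                "@java.lang.System@exit(0)",
                "@java.lang.Math@PI"
        };

        for (String expression : expressions) {
            try {
                validator.parseAndCheck(expression);
                System.out.println("allowed : " + expression);
            } catch (OgnlException e) {
                System.out.println("rejected: " + expression + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check runs on the parsed tree rather than on the expression string, so spelling tricks in the source text do not matter: whatever the parser produces is what gets inspected. Because the walk is done on every call and before evaluation, it also fits the validate-then-execute shape the PR moves OgnlUtil to, where the same tree can be cached but is still re-validated per call.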
--
This message was sent by Atlassian Jira
(v8.20.10#820010)