[ https://issues.apache.org/jira/browse/WW-5415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-5415:
------------------------------
    Description: 
A FieldExpression validator using a constructor call in its OGNL expression fails.
{code:xml|title=Example validation configuration}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE validators PUBLIC "-//Apache Struts//XWork Validator 1.0.2//EN" "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd">
<validators>
    <field name="employee.birthday">
        <field-validator type="fieldexpression">
            <param name="expression"><![CDATA[
                ( employee.birthday == null || employee.birthday.before(new java.util.Date()))
            ]]></param>
            <message key="errors_birthday" />
        </field-validator>
    </field>
</validators>
{code}

When it comes to instantiating the Date object in the above example, the call fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, Object, Member, String). It seems that a constructor call is not handled properly here.

{code:java}
public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
        LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName);

        final int memberModifiers = member.getModifiers();
        final Class<?> memberClass = member.getDeclaringClass();
        // target can be null in case of accessing static fields, since OGNL 3.2.8
        final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
        if (!memberClass.isAssignableFrom(targetClass)) {
            throw new IllegalArgumentException("Target does not match member!");
        }
{code}

When the method is called,
 * {{*target*}} is the class object for {{java.util.Date}}
 * {{*member*}} is a representation of the constructor {{public java.util.Date()}}
 * {{*propertyName*}} is null
 * {{*memberModifiers*}} evaluates to 1
 * {{*memberClass*}} evaluates to the class object for {{java.util.Date}}

This causes the if to resolve to {{false}} and throws the exception. I cannot see how anyone could call any constructor at all.

  was:
A FieldExpression validator using a constructor call in its OGNL expression fails.
{code:java|title=Example validation configuration}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE validators PUBLIC "-//Apache Struts//XWork Validator 1.0.2//EN" "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd">
<validators>
    <field name="employee.birthday">
        <field-validator type="fieldexpression">
            <param name="expression"><![CDATA[
                ( employee.birthday == null || employee.birthday.before(new java.util.Date()))
            ]]></param>
            <message key="errors_birthday" />
        </field-validator>
    </field>
</validators>
{code}
 

When it comes to instantiating the Date object in the above example, the call fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, Object, Member, String). It seems that a constructor call is not handled properly here.
{code:java}
public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
        LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName);

        final int memberModifiers = member.getModifiers();
        final Class<?> memberClass = member.getDeclaringClass();
        // target can be null in case of accessing static fields, since OGNL 3.2.8
        final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
        if (!memberClass.isAssignableFrom(targetClass)) {
            throw new IllegalArgumentException("Target does not match member!");
        }
{code}
When the method is called,
 * {{*target*}} is the class object for {{java.util.Date}}
 * {{*member*}} is a representation of the constructor {{public java.util.Date()}}
 * {{*propertyName*}} is null
 * {{*memberModifiers*}} evaluates to 1
 * {{*memberClass*}} evaluates to the class object for {{java.util.Date}}

This causes the if to resolve to {{false}} and throws the exception. I cannot see how anyone could call any constructor at all.


> Struts2 Validator is failing in OGNL with constructor call
> ----------------------------------------------------------
>
>                 Key: WW-5415
>                 URL: https://issues.apache.org/jira/browse/WW-5415
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 6.2.0, 6.3.0
>            Reporter: Sebastian Götz
>            Priority: Major
>              Labels: ognl, security, validation, xml
>             Fix For: 6.5.0
>
>
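The target/member comparison the report walks through, modelled stand-alone as an added example (not Struts code and not the reporter's): it reproduces the failing result for a constructor passed with the Class object as target, and shows one hypothetical way of treating Constructor members. The class name and the fixed variant are assumptions; the allowlist checks that follow the comparison in the real isAccessible are not modelled.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Modifier;
import java.util.Date;

// Added example, not Struts code: models only the target/member consistency
// check quoted in the report, not the allowlist logic that follows it.
public class ConstructorAccessCheck {
    // Same logic as the quoted excerpt: static members use the declaring class,
    // everything else uses target.getClass(). Returns false where the original
    // throws "Target does not match member!".
    static boolean targetMatchesMember(Object target, Member member) {
        final Class<?> memberClass = member.getDeclaringClass();
        final Class<?> targetClass = Modifier.isStatic(member.getModifiers())
                ? memberClass : target.getClass();
        return memberClass.isAssignableFrom(targetClass);
    }

    // Hypothetical hardened variant (not the project's fix): a constructor has
    // no instance yet, so for a Constructor member the target must be the very
    // Class that declares it; every other member keeps the original rule.
    static boolean targetMatchesMemberFixed(Object target, Member member) {
        final Class<?> memberClass = member.getDeclaringClass();
        if (member instanceof Constructor) {
            return target instanceof Class && memberClass.equals(target);
        }
        final Class<?> targetClass = Modifier.isStatic(member.getModifiers())
                ? memberClass : target.getClass();
        return memberClass.isAssignableFrom(targetClass);
    }

    public static void main(String[] args) throws Exception {
        // Inputs as described in the report for "new java.util.Date()":
        // target is the Class object, member is the public no-arg constructor.
        Object target = Date.class;
        Member ctor = Date.class.getConstructor();
        System.out.println("modifiers      = " + ctor.getModifiers());
        System.out.println("original check = " + targetMatchesMember(target, ctor));
        System.out.println("fixed check    = " + targetMatchesMemberFixed(target, ctor));

        // Regression case: an instance method invoked on a real Date instance
        // must still pass both variants.
        Member before = Date.class.getMethod("before", Date.class);
        System.out.println("method on instance (original) = " + targetMatchesMember(new Date(), before));
        System.out.println("method on instance (fixed)    = " + targetMatchesMemberFixed(new Date(), before));
    }
}
```

With these inputs the original check returns false because target.getClass() is java.lang.Class, which java.util.Date is not assignable from, while the fixed variant returns true; both variants return true for the before(Date) call on a real instance.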



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
