[
https://issues.apache.org/jira/browse/WW-5368?focusedWorklogId=993216&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-993216
]
ASF GitHub Bot logged work on WW-5368:
--------------------------------------
Author: ASF GitHub Bot
Created on: 25/Nov/25 05:19
Start Date: 25/Nov/25 05:19
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #1420:
URL: https://github.com/apache/struts/pull/1420#discussion_r2558568860
##########
core/src/test/java/org/apache/struts2/components/UIBeanTest.java:
##########
@@ -487,7 +487,61 @@ public void testSetNullUiStaticContentPath() {
public void testPotentialDoubleEvaluationWarning() {
bean.setName("${someVar}");
- assertNull(bean.name);
+ assertNull(bean.getName());
+ }
+
+ /**
+ * Test that UIBean fields (label, name, value, id) being private doesn't
cause
+ * OGNL security warnings when evaluating getText() expressions.
+ * <p>
+ * This is a regression test for WW-5368 where using getText() with
resource bundle
+ * keys starting with "label" would trigger OGNL SecurityMemberAccess
warnings:
+ * "Access to non-public [protected java.lang.String
org.apache.struts2.components.UIBean.label] is blocked!"
+ * <p>
+ * By changing these fields from protected to private with public getters,
OGNL's
+ * introspection will find the public getter methods instead of attempting
to access
+ * the fields directly, eliminating the false-positive security warnings.
+ */
+ public void testNoOgnlWarningsForProtectedFields() {
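Review bot: the method name `testNoOgnlWarningsForProtectedFields` contradicts the JavaDoc directly above it, which says the fields were changed from protected to private; `testNoOgnlWarningsForPrivateFields` would match the comment. The JavaDoc also claims the change eliminates the SecurityMemberAccess warnings, but the hunk ends at the method signature and nothing visible here captures log output, so either assert on a captured log appender or narrow the JavaDoc to what the test body actually asserts.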
Review Comment:
The JavaDoc says this test verifies that no warnings were logged but I don't
see anything verifying that (I'm not sure it's possible to do easily anyway)
##########
core/src/main/java/org/apache/struts2/components/Bean.java:
##########
@@ -95,7 +94,7 @@ public class Bean extends ContextBean {
protected static final Logger LOG = LogManager.getLogger(Bean.class);
protected Object bean;
- protected String name;
+ private String name;
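Review bot: narrowing `name` from `protected` to `private` on `Bean` removes access for any existing subclass that reads or writes the field directly, so this is a source-incompatible change for third-party components even though it changes nothing for OGNL. The hunk does not show whether a public `getName()` exists on `Bean` or its parents; if one does, it alone is enough for OGNL's introspection to pick the getter over the field (the same reasoning given for the UIBean change), and the field can stay `protected`. If the visibility change is kept, call it out as a breaking change for subclasses.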
Review Comment:
Having a public getter should already suppress the warning, this could stay
as `protected` but I guess it doesn't really matter either way
Issue Time Tracking
-------------------
Worklog Id: (was: 993216)
Time Spent: 1h 20m (was: 1h 10m)
> Access warning when getting a resource bundle whose name starts with "label"
> ----------------------------------------------------------------------------
>
> Key: WW-5368
> URL: https://issues.apache.org/jira/browse/WW-5368
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 6.3.0
> Reporter: Alireza Fattahi
> Assignee: Lukasz Lenart
> Priority: Critical
> Fix For: 7.2.0
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> The below:
> {code:java}
> <s:select name="reasonOfTransactionCode" list="reasonOfTransactionList"
> listKey="top" listValue="%{getText('label.reasonOfTransaction.'+top)}"/>
> {code}
> generates this warning for each item in the list, so if the
> `reasonOfTransactionList` has seven items I see this error seven times:
> {code:java}
> ognl.SecurityMemberAccess: Access to non-public [protected java.lang.String
> org.apache.struts2.components.UIBean.label] is blocked!
>
> {code}
>
> But this works fine if I just rename the resource bundle and remove `label`
> from its name.
>
> {code:java}
> <s:select name="reasonOfTransactionCode" list="reasonOfTransactionList"
> listKey="top" listValue="%{getText('reasonOfTransaction.'+top)}"/>
> {code}
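The mechanism the test's JavaDoc relies on (an expression engine finds a public getter before it ever touches the field, so a restrictive member-access policy never sees a non-public member) as an added, simplified Java model. This is not OGNL's or Struts' code: `ProtectedFieldBean`, `PrivateFieldWithGetterBean`, `resolve()` and `isAccessible()` are constructed stand-ins for `UIBean.label` before and after the fix and for the SecurityMemberAccess check.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

// Simplified model (added example, not OGNL or Struts code) of how a bean-introspecting
// expression language resolves a property name: prefer a public getter, otherwise fall
// back to the field and apply a member-access policy that rejects non-public members.
public class GetterVsFieldAccess {

    // Before the fix: the field is protected and has no getter (constructed stand-in
    // for the original UIBean.label).
    static class ProtectedFieldBean {
        protected String label = "resolved via field";
    }

    // After the fix: the field is private but exposed through a public getter.
    static class PrivateFieldWithGetterBean {
        private String label = "resolved via getter";

        public String getLabel() {
            return label;
        }
    }

    // Stand-in for a restrictive MemberAccess: only public members may be accessed.
    static boolean isAccessible(int modifiers) {
        return Modifier.isPublic(modifiers);
    }

    // Resolve a property the way an introspecting expression language would.
    static String resolve(Object target, String property) throws Exception {
        Class<?> type = target.getClass();
        String getterName = "get" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
        try {
            // getMethod() only returns public methods, so a public getter wins here
            // and the field is never inspected.
            Method getter = type.getMethod(getterName);
            return "getter " + getter.getName() + "() -> " + getter.invoke(target);
        } catch (NoSuchMethodException noGetter) {
            // No public getter: fall back to direct field access, subject to the policy.
            Field field = type.getDeclaredField(property);
            if (!isAccessible(field.getModifiers())) {
                return "WARN Access to non-public [" + Modifier.toString(field.getModifiers())
                        + " " + field.getType().getName() + " " + type.getName() + "." + property
                        + "] is blocked!";
            }
            return "field " + property + " -> " + field.get(target);
        }
    }

    public static void main(String[] args) throws Exception {
        // Protected field, no getter: the policy blocks the fallback field access.
        System.out.println(resolve(new ProtectedFieldBean(), "label"));
        // Private field with public getter: resolved through the getter, no policy check.
        System.out.println(resolve(new PrivateFieldWithGetterBean(), "label"));
    }
}
```

The first call ends in the blocked-access warning because the only path to `label` is the non-public field; the second never reaches the field because `getLabel()` is found first. A private field with no getter would still be blocked, which is why the PR pairs the visibility change with public getters.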
--
This message was sent by Atlassian Jira
(v8.20.10#820010)