kusalk commented on code in PR #1420:
URL: https://github.com/apache/struts/pull/1420#discussion_r2558568860
##########
core/src/test/java/org/apache/struts2/components/UIBeanTest.java:
##########
@@ -487,7 +487,61 @@ public void testSetNullUiStaticContentPath() {
public void testPotentialDoubleEvaluationWarning() {
bean.setName("${someVar}");
- assertNull(bean.name);
+ assertNull(bean.getName());
+ }
+
+ /**
+ * Test that UIBean fields (label, name, value, id) being private doesn't
cause
+ * OGNL security warnings when evaluating getText() expressions.
+ * <p>
+ * This is a regression test for WW-5368 where using getText() with
resource bundle
+ * keys starting with "label" would trigger OGNL SecurityMemberAccess
warnings:
+ * "Access to non-public [protected java.lang.String
org.apache.struts2.components.UIBean.label] is blocked!"
+ * <p>
+ * By changing these fields from protected to private with public getters,
OGNL's
+ * introspection will find the public getter methods instead of attempting
to access
+ * the fields directly, eliminating the false-positive security warnings.
+ */
+ public void testNoOgnlWarningsForProtectedFields() {
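Review bot: the method name `testNoOgnlWarningsForProtectedFields` contradicts its own JavaDoc, which says the fields were changed from protected to private; rename it (for example `testNoOgnlWarningsForPrivateUiBeanFields`) so the name describes the state being tested. The JavaDoc also promises that no OGNL SecurityMemberAccess warning ("... is blocked!") is emitted, but the hunk ends at the signature, so the assertion is not visible here; either the test should capture log output (a test appender on the OGNL/SecurityMemberAccess logger) and assert that no "is blocked!" message was recorded, or the JavaDoc should be narrowed to what the test actually checks (that getText() with a key starting with "label" resolves through the public getter). The `assertNull(bean.name)` -> `assertNull(bean.getName())` change at the top is required by the visibility change and looks correct.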
Review Comment:
The JavaDoc says this test verifies that no warnings were logged, but I don't
see anything verifying that (I'm not sure it's possible to do easily anyway).
##########
core/src/main/java/org/apache/struts2/components/Bean.java:
##########
@@ -95,7 +94,7 @@ public class Bean extends ContextBean {
protected static final Logger LOG = LogManager.getLogger(Bean.class);
protected Object bean;
- protected String name;
+ private String name;
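Review bot: changing `name` to private while `bean` on the line above stays protected is a source-incompatible change for any subclass that reads `name` directly, and this hunk does not show a getter being added in Bean.java; confirm that a public `getName()` exists on `Bean` (or is added in this same change) so that OGNL resolves the property through the accessor rather than failing on a private field, and call the visibility change out in the release notes. If a public getter is already present, a private field is not required to avoid the SecurityMemberAccess warning, since the check that blocks non-public member access is only reached when no public accessor is found.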
Review Comment:
Having a public getter should already suppress the warning; this could stay
as `protected`, but I guess it doesn't really matter either way.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]