This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch fix/after-rebase in repository https://gitbox.apache.org/repos/asf/struts.git
commit 83874c331804ef16f01387074a475c73803e37c2
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Sat Dec 16 16:12:46 2023 +0100
WW-5364 fixes automatically populated OGNL allowlist
---
.../ConfigurationProviderOgnlAllowlistTest.java | 2 +-
.../util/SecurityMemberAccessInServletsTest.java | 10 ++---
.../config/providers/xwork-test-allowlist-2.xml | 41 ++++++++++++++++++
.../config/providers/xwork-test-allowlist.xml | 48 ++++++++++++++++++++++
4 files changed, 93 insertions(+), 8 deletions(-)
diff --git a/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java b/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
index 4fa4aad8b..d2c8bc3fe 100644
--- a/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
@@ -40,7 +40,7 @@ public class ConfigurationProviderOgnlAllowlistTest extends XWorkJUnit4TestCase
 }
 @Test
- public void allowlist() throws Exception {
+ public void allowList() throws Exception {
 loadConfigurationProviders(testXml1, testXml2);
 providerAllowlist = container.getInstance(ProviderAllowlist.class);
diff --git a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
index 5154a0b92..9d934c36e 100644
--- a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
+++ b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
@@ -19,10 +19,10 @@ package org.apache.struts2.util;
 import com.opensymphony.xwork2.ognl.SecurityMemberAccess;
+import jakarta.servlet.jsp.tagext.TagSupport;
 import org.apache.struts2.StrutsInternalTestCase;
 import org.apache.struts2.views.jsp.ActionTag;
-import jakarta.servlet.jsp.tagext.TagSupport;
 import java.lang.reflect.Member;
 import java.util.HashMap;
 import java.util.Map;
@@ -40,9 +40,7 @@ public class SecurityMemberAccessInServletsTest extends StrutsInternalTestCase {
 // given
 SecurityMemberAccess sma = new SecurityMemberAccess(true);
- Set<Pattern> excluded = new HashSet<Pattern>();
- excluded.add(Pattern.compile("^(?!jakarta\\.servlet\\..+)(jakarta\\..+)"));
- sma.useExcludedPackageNamePatterns(excluded);
+ sma.useExcludedPackageNamePatterns("^(?!jakarta\\.servlet\\..+)(jakarta\\..+)");
 String propertyName = "value";
 Member member = TagSupport.class.getMethod("doStartTag");
@@ -58,9 +56,7 @@ public class SecurityMemberAccessInServletsTest extends StrutsInternalTestCase {
 // given
 SecurityMemberAccess sma = new SecurityMemberAccess(true);
- Set<Pattern> excluded = new HashSet<>();
- excluded.add(Pattern.compile("^jakarta\\..+"));
- sma.useExcludedPackageNamePatterns(excluded);
+ sma.useExcludedPackageNamePatterns("^jakarta\\..+");
 String propertyName = "value";
 Member member = TagSupport.class.getMethod("doStartTag");
diff --git a/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist-2.xml b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist-2.xml
new file mode 100644
index 000000000..f5e9b184d
--- /dev/null
+++ b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist-2.xml
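Review bot: The `+ sma.useExcludedPackageNamePatterns("^(?!jakarta\\.servlet\\..+)(jakarta\\..+)");` line in the `@@ -40` hunk (and its counterpart in `@@ -58`) relies on a String-accepting form of useExcludedPackageNamePatterns that this commit does not add, so these tests presumably depend on an earlier commit on this branch; worth confirming that overload compiles the string the same way the removed `Pattern.compile` call did, since the exclusion check is what keeps the test meaningful. With the `Set<Pattern>`/`HashSet` locals gone, the `java.util.Set`, `java.util.HashSet` and `java.util.regex.Pattern` imports may now be unused, but the `@@ -19` hunk only shows lines 19–28, so I cannot see them from here. A one-line comment above the call in the first test would spell out its intent, e.g. `// exclude every jakarta.* package except jakarta.servlet.*, so TagSupport.doStartTag stays accessible`. Both test methods begin before their hunks.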
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+-->
+<!DOCTYPE struts PUBLIC
+ "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+ "https://struts.apache.org/dtds/struts-6.0.dtd">
+<struts>
+ <package name="allow2">
+ <result-types>
+ <result-type name="chain" class="com.opensymphony.xwork2.ActionChainResult" default="true"/>
+ </result-types>
+
+ <interceptors>
+ <interceptor name="noop" class="org.apache.struts2.interceptor.NoOpInterceptor"/>
+ </interceptors>
+
+ <action name="WildCard" class="com.opensymphony.xwork2.ActionSupport">
+ <result name="*" type="chain"/>
+ <interceptor-ref name="noop"/>
+ </action>
+
+ </package>
+</struts>
diff --git a/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist.xml b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist.xml
new file mode 100644
index 000000000..1de061efd
--- /dev/null
+++ b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist.xml
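Review bot: Neither new fixture carries a comment saying what it is for, and the file names alone do not tie them to ConfigurationProviderOgnlAllowlistTest (the same applies to `xwork-test-allowlist.xml` in the next hunk). From the test hunk above, these two files appear to be what `loadConfigurationProviders(testXml1, testXml2)` consumes, and the classes they name (here ActionChainResult, NoOpInterceptor and ActionSupport) are presumably the ones the ProviderAllowlist assertions expect to find — confirm against the test body, which is outside this diff. A short comment after the DOCTYPE would make that explicit, e.g. `<!-- Fixture for ConfigurationProviderOgnlAllowlistTest: every class referenced below is expected to end up in the ProviderAllowlist -->`. The DOCTYPE system id is an https URL; the Struts XML provider is, as far as I know, set up to resolve the 6.0 DTD from the classpath so the test needs no network, but that resolver is outside this diff and worth a quick check.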
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+-->
+<!DOCTYPE struts PUBLIC
+ "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+ "https://struts.apache.org/dtds/struts-6.0.dtd">
+<struts>
+ <package name="allow">
+ <result-types>
+ <result-type name="mock" class="com.opensymphony.xwork2.mock.MockResult"/>
+ </result-types>
+
+ <interceptors>
+ <interceptor name="test" class="com.opensymphony.xwork2.mock.MockInterceptor">
+ <param name="foo">fooDefault</param>
+ </interceptor>
+
+ <interceptor-stack name="defaultStack">
+ <interceptor-ref name="test"/>
+ </interceptor-stack>
+ </interceptors>
+
+ <action name="Foo" class="com.opensymphony.xwork2.SimpleAction">
+ <param name="foo">18</param>
+ <param name="bar">24</param>
+ <result name="success" type="mock"/>
+ <interceptor-ref name="defaultStack"/>
+ </action>
+ </package>
+</struts>