This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch fix/after-rebase
in repository https://gitbox.apache.org/repos/asf/struts.git

commit 83874c331804ef16f01387074a475c73803e37c2
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Sat Dec 16 16:12:46 2023 +0100

    WW-5364 fixes automatically populated OGNL allowlist
---
 .../ConfigurationProviderOgnlAllowlistTest.java    |  2 +-
 .../util/SecurityMemberAccessInServletsTest.java   | 10 ++---
 .../config/providers/xwork-test-allowlist-2.xml    | 41 ++++++++++++++++++
 .../config/providers/xwork-test-allowlist.xml      | 48 ++++++++++++++++++++++
 4 files changed, 93 insertions(+), 8 deletions(-)

diff --git 
a/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
 
b/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
index 4fa4aad8b..d2c8bc3fe 100644
--- 
a/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
+++ 
b/core/src/test/java/com/opensymphony/xwork2/config/providers/ConfigurationProviderOgnlAllowlistTest.java
@@ -40,7 +40,7 @@ public class ConfigurationProviderOgnlAllowlistTest extends 
XWorkJUnit4TestCase
     }
 
     @Test
-    public void allowlist() throws Exception {
+    public void allowList() throws Exception {
         loadConfigurationProviders(testXml1, testXml2);
         providerAllowlist = container.getInstance(ProviderAllowlist.class);
 
diff --git 
a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
 
b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
index 5154a0b92..9d934c36e 100644
--- 
a/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
+++ 
b/core/src/test/java/org/apache/struts2/util/SecurityMemberAccessInServletsTest.java
@@ -19,10 +19,10 @@
 package org.apache.struts2.util;
 
 import com.opensymphony.xwork2.ognl.SecurityMemberAccess;
+import jakarta.servlet.jsp.tagext.TagSupport;
 import org.apache.struts2.StrutsInternalTestCase;
 import org.apache.struts2.views.jsp.ActionTag;
 
-import jakarta.servlet.jsp.tagext.TagSupport;
 import java.lang.reflect.Member;
 import java.util.HashMap;
 import java.util.Map;
@@ -40,9 +40,7 @@ public class SecurityMemberAccessInServletsTest extends 
StrutsInternalTestCase {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(true);
 
-        Set<Pattern> excluded = new HashSet<Pattern>();
-        
excluded.add(Pattern.compile("^(?!jakarta\\.servlet\\..+)(jakarta\\..+)"));
-        sma.useExcludedPackageNamePatterns(excluded);
+        
sma.useExcludedPackageNamePatterns("^(?!jakarta\\.servlet\\..+)(jakarta\\..+)");
 
         String propertyName = "value";
         Member member = TagSupport.class.getMethod("doStartTag");
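Review bot: The exclusion regex now passed to `useExcludedPackageNamePatterns` relies on a negative lookahead whose intent is not stated in the visible lines, so a comment above the call would help: `// excludes every jakarta.* package except jakarta.servlet.*, where TagSupport lives`. The pattern is now handed over as a string instead of a compiled `Pattern`, and the string form of this setter appears to take a comma-delimited list; a later pattern containing a comma (for example a `{m,n}` quantifier) would presumably be split in two and silently change what is excluded, which is worth recording in the same comment. The next hunk makes the same switch with `"^jakarta\\..+"`; if the `Set`, `HashSet` and `Pattern` imports outside these hunks are now unused, they should be dropped. The test method starts and ends outside the hunk.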
@@ -58,9 +56,7 @@ public class SecurityMemberAccessInServletsTest extends 
StrutsInternalTestCase {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(true);
 
-        Set<Pattern> excluded = new HashSet<>();
-        excluded.add(Pattern.compile("^jakarta\\..+"));
-        sma.useExcludedPackageNamePatterns(excluded);
+        sma.useExcludedPackageNamePatterns("^jakarta\\..+");
 
         String propertyName = "value";
         Member member = TagSupport.class.getMethod("doStartTag");
diff --git 
a/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist-2.xml
 
b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist-2.xml
new file mode 100644
index 000000000..f5e9b184d
--- /dev/null
+++ 
b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist-2.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+-->
+<!DOCTYPE struts PUBLIC
+        "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+        "https://struts.apache.org/dtds/struts-6.0.dtd";>
+<struts>
+    <package name="allow2">
+        <result-types>
+            <result-type name="chain" 
class="com.opensymphony.xwork2.ActionChainResult" default="true"/>
+        </result-types>
+
+        <interceptors>
+            <interceptor name="noop" 
class="org.apache.struts2.interceptor.NoOpInterceptor"/>
+        </interceptors>
+
+        <action name="WildCard" class="com.opensymphony.xwork2.ActionSupport">
+            <result name="*" type="chain"/>
+            <interceptor-ref name="noop"/>
+        </action>
+
+    </package>
+</struts>
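Review bot: Nothing in this new fixture says what the allowlist test expects from it, so a short comment under `<struts>` would tie the two together, e.g. `<!-- classes referenced by the result type, interceptor and action below are expected to end up in the provider-populated OGNL allowlist -->`. That expectation is inferred from the commit title and the test name and should be confirmed against the assertions in `ConfigurationProviderOgnlAllowlistTest`. Separately, the DOCTYPE line ends in `struts-6.0.dtd";>`; if the `;` is really in the file rather than an artifact of the mail rendering, the declaration is not well-formed and should end `struts-6.0.dtd">`. Both remarks apply equally to `xwork-test-allowlist.xml` in the following hunk.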
diff --git 
a/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist.xml
 
b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist.xml
new file mode 100644
index 000000000..1de061efd
--- /dev/null
+++ 
b/core/src/test/resources/com/opensymphony/xwork2/config/providers/xwork-test-allowlist.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+-->
+<!DOCTYPE struts PUBLIC
+        "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
+        "https://struts.apache.org/dtds/struts-6.0.dtd";>
+<struts>
+    <package name="allow">
+        <result-types>
+            <result-type name="mock" 
class="com.opensymphony.xwork2.mock.MockResult"/>
+        </result-types>
+
+        <interceptors>
+            <interceptor name="test" 
class="com.opensymphony.xwork2.mock.MockInterceptor">
+                <param name="foo">fooDefault</param>
+            </interceptor>
+
+            <interceptor-stack name="defaultStack">
+                <interceptor-ref name="test"/>
+            </interceptor-stack>
+        </interceptors>
+
+        <action name="Foo" class="com.opensymphony.xwork2.SimpleAction">
+            <param name="foo">18</param>
+            <param name="bar">24</param>
+            <result name="success" type="mock"/>
+            <interceptor-ref name="defaultStack"/>
+        </action>
+    </package>
+</struts>
