[jira] [Work logged] (WW-5423) Query Parameters in Multipart Requests not working in v7 M6
[ https://issues.apache.org/jira/browse/WW-5423?focusedWorklogId=921937=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921937 ]

ASF GitHub Bot logged work on WW-5423:
--
Author: ASF GitHub Bot
Created on: 04/Jun/24 09:59
Start Date: 04/Jun/24 09:59
Worklog Time Spent: 10m
Work Description:
sonarcloud[bot] commented on PR #954:
URL: https://github.com/apache/struts/pull/954#issuecomment-2147123378

Quality Gate failed (https://sonarcloud.io/dashboard?id=apache_struts=954)

Failed conditions:
- C Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=954

Issue Time Tracking
---
Worklog Id: (was: 921937)
Time Spent: 20m (was: 10m)

> Query Parameters in Multipart Requests not working in v7 M6
> ---
>
> Key: WW-5423
> URL: https://issues.apache.org/jira/browse/WW-5423
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 7.0.0
> Reporter: Philip Crider
> Priority: Major
> Fix For: 7.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> One of the changes in [https://github.com/apache/struts/pull/861] broke query
> parameters in multipart requests. Their values are being lost.
> This is the old implementation, which returns null if the parameter doesn't
> exist.
> {code:java}
> public String[] getParameterValues(String name) {
>     List v = params.get(name);
>     if (v != null && !v.isEmpty()) {
>         return v.toArray(new String[0]);
>     }
>     return null;
> }
> {code}
>
> And this is the new implementation, which returns an empty array in that case.
> {code:java}
> public String[] getParameterValues(String name) {
>     return parameters.getOrDefault(name, Collections.emptyList())
>             .toArray(String[]::new);
> }
> {code}
>
> This method in MultiPartRequestWrapper is expecting null to be returned in
> that case.
> {code:java}
> public String[] getParameterValues(String name) {
>     return ((multi == null) || (multi.getParameterValues(name) == null)) ?
>             super.getParameterValues(name) : multi.getParameterValues(name);
> }
> {code}
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
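The report above comes down to a contract change between two layers: the multipart parser used to signal "no such parameter" with null, and the wrapper uses null as its cue to fall back to the container's own query-string parameters. The following Java class is an added illustration written for this page, not Struts code: `MultiPartParams` and `QueryParams` are stand-ins for the multipart parser and the servlet request, `wrapperLookup` reproduces the quoted wrapper logic, and `wrapperLookupFixed` is one hypothetical way to restore the fallback (the actual fix in PR #954 is not reproduced here).

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added illustration of WW-5423; stand-in classes, not Struts' MultiPartRequestWrapper. */
public class ParamFallbackDemo {

    /** Stand-in for the multipart parser's parameter store (body fields only). */
    static class MultiPartParams {
        final Map<String, List<String>> parameters = new HashMap<>();
        final boolean returnEmptyArray;

        MultiPartParams(boolean returnEmptyArray) {
            this.returnEmptyArray = returnEmptyArray;
        }

        String[] getParameterValues(String name) {
            List<String> v = parameters.get(name);
            if (v != null && !v.isEmpty()) {
                return v.toArray(new String[0]);
            }
            // old behaviour: null; behaviour after PR #861: empty array
            return returnEmptyArray ? new String[0] : null;
        }
    }

    /** Stand-in for the container's own (query-string) parameters. */
    static class QueryParams {
        final Map<String, String[]> parameters = new HashMap<>();

        String[] getParameterValues(String name) {
            return parameters.get(name);
        }
    }

    /** Wrapper logic as quoted in the report: falls back to the container only on null. */
    static String[] wrapperLookup(MultiPartParams multi, QueryParams query, String name) {
        return ((multi == null) || (multi.getParameterValues(name) == null))
                ? query.getParameterValues(name) : multi.getParameterValues(name);
    }

    /** Hypothetical hardened wrapper: treats null and a zero-length array alike as "absent". */
    static String[] wrapperLookupFixed(MultiPartParams multi, QueryParams query, String name) {
        String[] fromBody = (multi == null) ? null : multi.getParameterValues(name);
        if (fromBody == null || fromBody.length == 0) {
            return query.getParameterValues(name);
        }
        return fromBody;   // body values still take precedence when present
    }

    public static void main(String[] args) {
        QueryParams query = new QueryParams();
        query.parameters.put("id", new String[] {"42"});       // constructed: ?id=42 on the request URL

        MultiPartParams oldMulti = new MultiPartParams(false); // body carries no "id" field
        MultiPartParams newMulti = new MultiPartParams(true);

        System.out.println(Arrays.toString(wrapperLookup(oldMulti, query, "id")));      // [42]
        System.out.println(Arrays.toString(wrapperLookup(newMulti, query, "id")));      // []   value lost
        System.out.println(Arrays.toString(wrapperLookupFixed(newMulti, query, "id"))); // [42]
    }
}
```

Whichever side is changed, the precedence rule should stay explicit: in the quoted wrapper a body field shadows a query-string parameter of the same name, and the hardened variant keeps that order, so a fix does not silently change which of two same-named values an action receives.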
[jira] [Work logged] (WW-5423) Query Parameters in Multipart Requests not working in v7 M6
[ https://issues.apache.org/jira/browse/WW-5423?focusedWorklogId=921934=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921934 ]

ASF GitHub Bot logged work on WW-5423:
--
Author: ASF GitHub Bot
Created on: 04/Jun/24 09:52
Start Date: 04/Jun/24 09:52
Worklog Time Spent: 10m
Work Description:
lukaszlenart opened a new pull request, #954:
URL: https://github.com/apache/struts/pull/954

Fixes [WW-5423](https://issues.apache.org/jira/browse/WW-5423)

Issue Time Tracking
---
Worklog Id: (was: 921934)
Remaining Estimate: 0h
Time Spent: 10m

> Query Parameters in Multipart Requests not working in v7 M6
> ---
>
> Key: WW-5423
> URL: https://issues.apache.org/jira/browse/WW-5423
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 7.0.0
> Reporter: Philip Crider
> Priority: Major
> Fix For: 7.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5426) Upgrade Apache FreeMarker to version 2.3.33
[ https://issues.apache.org/jira/browse/WW-5426?focusedWorklogId=921681=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921681 ]

ASF GitHub Bot logged work on WW-5426:
--
Author: ASF GitHub Bot
Created on: 03/Jun/24 05:04
Start Date: 03/Jun/24 05:04
Worklog Time Spent: 10m
Work Description:
lukaszlenart merged PR #953:
URL: https://github.com/apache/struts/pull/953

Issue Time Tracking
---
Worklog Id: (was: 921681)
Remaining Estimate: 0h
Time Spent: 10m

> Upgrade Apache FreeMarker to version 2.3.33
> ---
>
> Key: WW-5426
> URL: https://issues.apache.org/jira/browse/WW-5426
> Project: Struts 2
> Issue Type: Dependency
> Components: Core
> Reporter: Lukasz Lenart
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The Apache FreeMarker community is pleased to announce the release of
> Apache FreeMarker 2.3.33.
> Change log: https://freemarker.apache.org/docs/versions_2_3_33.html

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5412) Upgrade to Apache Struts Master 15
[ https://issues.apache.org/jira/browse/WW-5412?focusedWorklogId=921648=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921648 ]

ASF GitHub Bot logged work on WW-5412:
--
Author: ASF GitHub Bot
Created on: 02/Jun/24 17:19
Start Date: 02/Jun/24 17:19
Worklog Time Spent: 10m
Work Description:
sonarcloud[bot] commented on PR #948:
URL: https://github.com/apache/struts/pull/948#issuecomment-2143950675

Quality Gate passed (https://sonarcloud.io/dashboard?id=apache_struts=948)

Issues:
- 0 New issues
- 0 Accepted issues

Measures:
- 0 Security Hotspots
- No data about Coverage
- 0.0% Duplication on New Code

See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=948

Issue Time Tracking
---
Worklog Id: (was: 921648)
Time Spent: 20m (was: 10m)

> Upgrade to Apache Struts Master 15
> --
>
> Key: WW-5412
> URL: https://issues.apache.org/jira/browse/WW-5412
> Project: Struts 2
> Issue Type: Improvement
> Components: Build Management
> Reporter: Lukasz Lenart
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 20m
> Remaining Estimate: 0h

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5412) Upgrade to Apache Struts Master 15
[ https://issues.apache.org/jira/browse/WW-5412?focusedWorklogId=921647=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921647 ]

ASF GitHub Bot logged work on WW-5412:
--
Author: ASF GitHub Bot
Created on: 02/Jun/24 17:13
Start Date: 02/Jun/24 17:13
Worklog Time Spent: 10m
Work Description:
lukaszlenart opened a new pull request, #948:
URL: https://github.com/apache/struts/pull/948

Closes [WW-5412](https://issues.apache.org/jira/browse/WW-5412)

Issue Time Tracking
---
Worklog Id: (was: 921647)
Remaining Estimate: 0h
Time Spent: 10m

> Upgrade to Apache Struts Master 15
> --
>
> Key: WW-5412
> URL: https://issues.apache.org/jira/browse/WW-5412
> Project: Struts 2
> Issue Type: Improvement
> Components: Build Management
> Reporter: Lukasz Lenart
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5424) ClassCastException with tag "set" when variable name has length=1
[ https://issues.apache.org/jira/browse/WW-5424?focusedWorklogId=921640=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921640 ]

ASF GitHub Bot logged work on WW-5424:
--
Author: ASF GitHub Bot
Created on: 02/Jun/24 12:00
Start Date: 02/Jun/24 12:00
Worklog Time Spent: 10m
Work Description:
sonarcloud[bot] commented on PR #946:
URL: https://github.com/apache/struts/pull/946#issuecomment-2143819643

Quality Gate passed (https://sonarcloud.io/dashboard?id=apache_struts=946)

Issues:
- 0 New issues
- 0 Accepted issues

Measures:
- 0 Security Hotspots
- 100.0% Coverage on New Code
- 0.0% Duplication on New Code

See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=946

Issue Time Tracking
---
Worklog Id: (was: 921640)
Time Spent: 20m (was: 10m)

> ClassCastException with tag "set" when variable name has length=1
> -
>
> Key: WW-5424
> URL: https://issues.apache.org/jira/browse/WW-5424
> Project: Struts 2
> Issue Type: Bug
> Components: Core Tags
> Affects Versions: 6.4.0
> Reporter: Daniel López
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5424) ClassCastException with tag "set" when variable name has length=1
[ https://issues.apache.org/jira/browse/WW-5424?focusedWorklogId=921638=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921638 ]

ASF GitHub Bot logged work on WW-5424:
--
Author: ASF GitHub Bot
Created on: 02/Jun/24 11:54
Start Date: 02/Jun/24 11:54
Worklog Time Spent: 10m
Work Description:
lukaszlenart opened a new pull request, #946:
URL: https://github.com/apache/struts/pull/946

Closes [WW-5424](https://issues.apache.org/jira/browse/WW-5424)

Issue Time Tracking
---
Worklog Id: (was: 921638)
Remaining Estimate: 0h
Time Spent: 10m

> ClassCastException with tag "set" when variable name has length=1
> -
>
> Key: WW-5424
> URL: https://issues.apache.org/jira/browse/WW-5424
> Project: Struts 2
> Issue Type: Bug
> Components: Core Tags
> Affects Versions: 6.4.0
> Reporter: Daniel López
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I think it is caused by the refactor of WW-5333
> When the tag "set" is used to define a variable whose name is of length 1, a
> java.lang.ClassCastException (class java.lang.Character cannot be cast to
> class java.lang.String) is thrown.
>
> Test case:
> {code:java}
> // code placeholder
> a =
> b =
> {code}
> Expected result:
> {code:java}
> // code placeholder
> a = 1
> b = 2
> {code}
> Actual result:
> {code:java}
> a = 1
> b =
> {code}
> Both "s:set" throw an exception when storing the value in page context. Value
> of a is retrieved as it is successfully saved in default context
> Exception trace
> {code:java}
> // code placeholder
> Error setting value [2] with expression [#attr['b']]
> java.lang.ClassCastException: class java.lang.Character cannot be cast to class java.lang.String (java.lang.Character and java.lang.String are in module java.base of loader 'bootstrap')
>     at org.apache.struts2.dispatcher.AttributeMap.put(AttributeMap.java:46) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.accessor.XWorkMapPropertyAccessor.setProperty(XWorkMapPropertyAccessor.java:130) ~[struts2-core-6.4.0.jar:6.4.0]
>     at ognl.OgnlRuntime.setProperty(OgnlRuntime.java:3359) ~[ognl-3.3.4.jar:?]
>     at ognl.ASTProperty.setValueBody(ASTProperty.java:134) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.setValue(SimpleNode.java:308) ~[ognl-3.3.4.jar:?]
>     at ognl.ASTChain.setValueBody(ASTChain.java:227) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.evaluateSetValueBody(SimpleNode.java:220) ~[ognl-3.3.4.jar:?]
>     at ognl.SimpleNode.setValue(SimpleNode.java:308) ~[ognl-3.3.4.jar:?]
>     at ognl.Ognl.setValue(Ognl.java:829) ~[ognl-3.3.4.jar:?]
>     at com.opensymphony.xwork2.ognl.OgnlUtil.ognlSet(OgnlUtil.java:585) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:522) ~[struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:258) [struts2-core-6.4.0.jar:6.4.0]
>     at com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:245) [struts2-core-6.4.0.jar:6.4.0]
>     at org.apache.struts2.components.Set.end(Set.java:113) [struts2-core-6.4.0.jar:6.4.0]
>     at org.apache.struts2.views.jsp.ComponentTagSupport.doEndTag(ComponentTagSupport.java:38) [struts2-core-6.4.0.jar:6.4.0]
> {code}
> When name is of length 1, the key is created as Character not String, and it
> fails when trying to store in a
> AttributeMap extends AbstractMap

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5425) Bump jackson.version from 2.16.1 to 2.17.1
[ https://issues.apache.org/jira/browse/WW-5425?focusedWorklogId=921616=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-921616 ]

ASF GitHub Bot logged work on WW-5425:
--
Author: ASF GitHub Bot
Created on: 01/Jun/24 05:05
Start Date: 01/Jun/24 05:05
Worklog Time Spent: 10m
Work Description:
lukaszlenart merged PR #944:
URL: https://github.com/apache/struts/pull/944

Issue Time Tracking
---
Worklog Id: (was: 921616)
Remaining Estimate: 0h
Time Spent: 10m

> Bump jackson.version from 2.16.1 to 2.17.1
> --
>
> Key: WW-5425
> URL: https://issues.apache.org/jira/browse/WW-5425
> Project: Struts 2
> Issue Type: Dependency
> Components: Plugin - JSON
> Reporter: Lukasz Lenart
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5388) Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6
[ https://issues.apache.org/jira/browse/WW-5388?focusedWorklogId=920261=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-920261 ]

ASF GitHub Bot logged work on WW-5388:
--
Author: ASF GitHub Bot
Created on: 21/May/24 15:32
Start Date: 21/May/24 15:32
Worklog Time Spent: 10m
Work Description:
lukaszlenart commented on code in PR #861:
URL: https://github.com/apache/struts/pull/861#discussion_r1608537187

## core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java: ##
@@ -171,4 +298,109 @@ protected String getCanonicalName(final String originalFileName) { return fileName; } +protected String sanitizeNewlines(String before) { +return before.replaceAll("\\R", "_"); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getErrors() + */ +public List getErrors() { +return errors; +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileParameterNames() + */ +public Enumeration getFileParameterNames() { +return Collections.enumeration(uploadedFiles.keySet()); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getContentType(java.lang.String) + */ +public String[] getContentType(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()).stream() +.map(UploadedFile::getContentType) +.toArray(String[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFile(java.lang.String) + */ +@SuppressWarnings("unchecked") +public UploadedFile[] getFile(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()) +.toArray(UploadedFile[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileNames(java.lang.String) + */ +public String[] getFileNames(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()).stream() +.map(file -> getCanonicalName(file.getName())) +.toArray(String[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFilesystemName(java.lang.String) + */ +public String[] getFilesystemName(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()).stream() +.map(UploadedFile::getAbsolutePath) +.toArray(String[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameter(java.lang.String) + */ +public String 
getParameter(String name) { +List paramValue = parameters.getOrDefault(name, Collections.emptyList()); +if (!paramValue.isEmpty()) { +return paramValue.get(0); +} + +return null; +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterNames() + */ +public Enumeration getParameterNames() { +return Collections.enumeration(parameters.keySet()); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterValues(java.lang.String) + */ +public String[] getParameterValues(String name) { +return parameters.getOrDefault(name, Collections.emptyList()) +.toArray(String[]::new); Review Comment: @criderp please register this bug in [JIRA](https://issues.apache.org/jira/browse/WW), thanks! Issue Time Tracking --- Worklog Id: (was: 920261) Time Spent: 11h 20m (was: 11h 10m) > Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6 > -- > > Key: WW-5388 > URL: https://issues.apache.org/jira/browse/WW-5388 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Lukasz Lenart >Assignee: Lukasz Lenart >Priority: Major > Fix For: 7.0.0 > > Time Spent: 11h 20m > Remaining Estimate: 0h > > There is a new version of JakartaEE FileUpload > {code:xml} > > org.apache.commons > commons-fileupload2-jakarta-servlet6 > 2.0.0-M2 > > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
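Review bot: `getParameterValues` at the end of the hunk returns an empty `String[]` when `name` is absent, whereas `getParameter` a few lines earlier still returns `null` for the same case, and `MultiPartRequestWrapper.getParameterValues` (quoted in the WW-5423 report on this page) falls back to `super.getParameterValues(name)` only on `null`; with this hunk as written, query-string parameters on a multipart request are dropped. Either keep the previous contract for the empty case (`if (values.isEmpty()) return null;` before the `toArray`) or change the wrapper to treat a zero-length array as absent, and add a test that posts a multipart body to a URL carrying a query string so the fallback path is covered.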
[jira] [Work logged] (WW-5388) Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6
[ https://issues.apache.org/jira/browse/WW-5388?focusedWorklogId=920249=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-920249 ]

ASF GitHub Bot logged work on WW-5388:
--
Author: ASF GitHub Bot
Created on: 21/May/24 15:11
Start Date: 21/May/24 15:11
Worklog Time Spent: 10m
Work Description:
criderp commented on code in PR #861:
URL: https://github.com/apache/struts/pull/861#discussion_r1608506180

## core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java: ##
@@ -171,4 +298,109 @@ protected String getCanonicalName(final String originalFileName) { return fileName; } +protected String sanitizeNewlines(String before) { +return before.replaceAll("\\R", "_"); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getErrors() + */ +public List getErrors() { +return errors; +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileParameterNames() + */ +public Enumeration getFileParameterNames() { +return Collections.enumeration(uploadedFiles.keySet()); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getContentType(java.lang.String) + */ +public String[] getContentType(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()).stream() +.map(UploadedFile::getContentType) +.toArray(String[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFile(java.lang.String) + */ +@SuppressWarnings("unchecked") +public UploadedFile[] getFile(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()) +.toArray(UploadedFile[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFileNames(java.lang.String) + */ +public String[] getFileNames(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()).stream() +.map(file -> getCanonicalName(file.getName())) +.toArray(String[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getFilesystemName(java.lang.String) + */ +public String[] getFilesystemName(String fieldName) { +return uploadedFiles.getOrDefault(fieldName, Collections.emptyList()).stream() +.map(UploadedFile::getAbsolutePath) +.toArray(String[]::new); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameter(java.lang.String) + */ +public String 
getParameter(String name) { +List paramValue = parameters.getOrDefault(name, Collections.emptyList()); +if (!paramValue.isEmpty()) { +return paramValue.get(0); +} + +return null; +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterNames() + */ +public Enumeration getParameterNames() { +return Collections.enumeration(parameters.keySet()); +} + +/* (non-Javadoc) + * @see org.apache.struts2.dispatcher.multipart.MultiPartRequest#getParameterValues(java.lang.String) + */ +public String[] getParameterValues(String name) { +return parameters.getOrDefault(name, Collections.emptyList()) +.toArray(String[]::new); Review Comment: This change broke query parameters in multipart requests. Their values are being lost. The old implementation returned null if the parameter didn't exist, but it now returns an empty array. `MultiPartRequestWrapper::getParameterValues` relies on the fact that it returns null, though, so it's not working correctly anymore. This is the old implementation: ```java public String[] getParameterValues(String name) { List v = params.get(name); if (v != null && !v.isEmpty()) { return v.toArray(new String[0]); } return null; } ``` And this is the `MultiPartRequestWrapper` method that doesn't work correctly after the change: ```java public String[] getParameterValues(String name) { return ((multi == null) || (multi.getParameterValues(name) == null)) ? super.getParameterValues(name) : multi.getParameterValues(name); } ``` Issue Time Tracking --- Worklog Id: (was: 920249) Time Spent: 11h 10m (was: 11h) > Upgrade Commons Fileupload to FileUpload Jakarta Servlet 6 > -- > > Key: WW-5388 > URL:
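Review bot: `@SuppressWarnings("unchecked")` on `getFile` has nothing to suppress, since `uploadedFiles.getOrDefault(...).toArray(UploadedFile[]::new)` is type-safe; drop it so a genuine unchecked warning added to this class later is not hidden. Separately, `sanitizeNewlines` is introduced at the top of the hunk but none of the methods that follow it call it; if it is meant to guard the user-controlled names returned by `getFileNames` and `getFilesystemName` before they reach log output, that wiring is missing here, and if it is used by callers outside this hunk a one-line Javadoc saying where would help the next reader.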
[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call
[ https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=919371=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919371 ]

ASF GitHub Bot logged work on WW-5415:
--
Author: ASF GitHub Bot
Created on: 14/May/24 17:56
Start Date: 14/May/24 17:56
Worklog Time Spent: 10m
Work Description:
lukaszlenart merged PR #933:
URL: https://github.com/apache/struts/pull/933

Issue Time Tracking
---
Worklog Id: (was: 919371)
Time Spent: 1h (was: 50m)

> Struts2 Validator is failing in OGNL with constructor call
> --
>
> Key: WW-5415
> URL: https://issues.apache.org/jira/browse/WW-5415
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 6.2.0, 6.3.0
> Reporter: Sebastian Götz
> Assignee: Lukasz Lenart
> Priority: Major
> Labels: ognl, security, validation, xml
> Fix For: 6.5.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> A FieldExpression validator using a constructor call in its OGNL expression
> fails.
> {code:xml|title=Example validation configuration}
> "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;>
> {code}
> When it comes to instantiate the Date object in the above example, the call
> fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map,
> Object, Member, String). It seems that a constructor call is not handled here
> properly.
> {code:java}
> public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
>     LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName);
>
>     final int memberModifiers = member.getModifiers();
>     final Class memberClass = member.getDeclaringClass();
>     // target can be null in case of accessing static fields, since OGNL 3.2.8
>     final Class targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
>     if (!memberClass.isAssignableFrom(targetClass)) {
>         throw new IllegalArgumentException("Target does not match member!");
>     }
> {code}
> When the method is called,
> * {{*target*}} is the class object for {{java.util.Date}}
> * {{*member*}} is a representation of the constructor {{public java.util.Date()}}
> * {{*propertyName*}} is null
> * {{*memberModifiers*}} evaluates to 1
> * {{*memberClass*}} to the class object for {{java.util.Date}}
> This causes the if to resolve to {{false}} and throw the exception. I
> cannot see how anyone could call any constructor at all.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
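The comparison the report quotes can be reproduced with plain reflection, which makes the failure mode concrete: for a constructor, OGNL hands over the `Class` object being instantiated as the target, so `target.getClass()` is always `java.lang.Class` and never assignable to the declaring class. The class below is an added illustration written for this page, not Struts code. `originalCheck` mirrors only the quoted comparison (returning a boolean instead of throwing), and `constructorAwareCheck` is a hypothetical variant written here to show what a constructor-aware comparison would have to look at; it does not reproduce the fix merged in PR #933.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Date;

/** Added illustration of the WW-5415 target/member comparison; not Struts' SecurityMemberAccess. */
public class ConstructorAccessCheckDemo {

    /** The comparison as quoted in the report, minus the throw. */
    static boolean originalCheck(Object target, Member member) {
        final int memberModifiers = member.getModifiers();
        final Class<?> memberClass = member.getDeclaringClass();
        // a static member has no instance, so the declaring class stands in for the target
        final Class<?> targetClass = Modifier.isStatic(memberModifiers) ? memberClass : target.getClass();
        return memberClass.isAssignableFrom(targetClass);
    }

    /**
     * Hypothetical constructor-aware variant: when the member is a Constructor the
     * target is expected to be the Class object itself, so that object (not its
     * runtime class) is compared against the declaring class. Any other target for
     * a constructor is refused outright.
     */
    static boolean constructorAwareCheck(Object target, Member member) {
        final int memberModifiers = member.getModifiers();
        final Class<?> memberClass = member.getDeclaringClass();
        final Class<?> targetClass;
        if (member instanceof Constructor) {
            if (!(target instanceof Class)) {
                return false;
            }
            targetClass = (Class<?>) target;
        } else if (Modifier.isStatic(memberModifiers)) {
            targetClass = memberClass;
        } else {
            targetClass = target.getClass();
        }
        return memberClass.isAssignableFrom(targetClass);
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Constructor<Date> ctor = Date.class.getConstructor();   // public java.util.Date()
        Method getTime = Date.class.getMethod("getTime");
        Date instance = new Date();

        // instance method on a matching instance: accepted by both checks
        System.out.println("getTime on Date instance : " + originalCheck(instance, getTime));         // true
        // constructor: target is Date.class, so target.getClass() is java.lang.Class
        System.out.println("Date() original check    : " + originalCheck(Date.class, ctor));          // false
        System.out.println("Date() aware check       : " + constructorAwareCheck(Date.class, ctor));  // true
        // constructor against an unrelated target is still refused
        System.out.println("Date() vs String target  : " + constructorAwareCheck("x", ctor));         // false
        System.out.println("modifiers of Date()      : " + ctor.getModifiers());                      // 1 (public)
    }
}
```

The `modifiers` line confirms the report's value of 1 (`public`, not `static`), which is why the original comparison takes the `target.getClass()` branch. A comparison like this only establishes that the member belongs to the target; whatever further restrictions a member-access policy enforces (allowed and excluded classes or packages, static access rules) still have to run after it, for constructors as for any other member.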
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=919370=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919370 ]

ASF GitHub Bot logged work on WW-5414:
--
Author: ASF GitHub Bot
Created on: 14/May/24 17:55
Start Date: 14/May/24 17:55
Worklog Time Spent: 10m
Work Description:
lukaszlenart merged PR #932:
URL: https://github.com/apache/struts/pull/932

Issue Time Tracking
---
Worklog Id: (was: 919370)
Time Spent: 1h 50m (was: 1h 40m)

> AfterInvocation of BackgroundProcess is not called when an exception occurs
> when using ExecuteAndWaitInterceptor
>
>
> Key: WW-5414
> URL: https://issues.apache.org/jira/browse/WW-5414
> Project: Struts 2
> Issue Type: Bug
> Components: Core Interceptors
> Affects Versions: 2.5.30, 6.3.0
> Reporter: Yukio Suzuki
> Assignee: Lukasz Lenart
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> In my project, we are using Struts2.5.x and recently started using the
> ExecuteAndWaitInterceptor. We have extended BackgroundProcess and overridden
> the beforeInvocation and afterInvocation methods to perform certain actions
> before and after the invocation of an action. However, we are facing a
> problem where afterInvocation is not called when an exception occurs. Here is
> the relevant code:
>
> {code:java}
> final Thread t = new Thread(new Runnable() {
>     public void run() {
>         try {
>             beforeInvocation();
>             result = invocation.invokeActionOnly();
>             afterInvocation();
>         } catch (Exception e) {
>             exception = e;
>         }
>
>         done = true;
>     }
> });
> {code}
> In the existing code, the beforeInvocation and afterInvocation methods set
> and clear the context, but it seems unintentional that the context is not
> cleared when an exception occurs.
> {code:java}
> protected void beforeInvocation() throws Exception {
>     ActionContext.setContext(invocation.getInvocationContext());
> }
>
> protected void afterInvocation() throws Exception {
>     ActionContext.setContext(null);
> }
> {code}
> One possible improvement is to modify the code as follows, ensuring that
> afterInvocation is called even when an exception occurs:
> {code:java}
> beforeInvocation();
> try {
>     result = invocation.invokeActionOnly();
> } finally {
>     afterInvocation();
> }
> {code}
> Alternatively, if compatibility is a concern, you can add an
> afterInvocation(Throwable t) method and modify the code as follows:
> {code:java}
> beforeInvocation();
> try {
>     result = invocation.invokeActionOnly();
> } catch (Throwable t) {
>     afterInvocation(t);
>     throw t;
> }
> afterInvocation();
> {code}
> Please consider these modifications to ensure that afterInvocation is called
> even when an exception occurs.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
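What the report describes is a thread-local clean-up that only runs on the success path. The consequence is easiest to see with a pooled thread, because the next task scheduled on that thread inherits whatever the previous one left behind. The class below is an added illustration written for this page, not Struts code: `CONTEXT` stands in for the per-thread `ActionContext`, `Invocation` for `ActionInvocation`, and the two `*Shape` methods reproduce the original and the try/finally structures from the report.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Added illustration of WW-5414; stand-in types, not Struts' BackgroundProcess. */
public class AfterInvocationDemo {

    /** Stand-in for the per-thread ActionContext. */
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    /** Stand-in for ActionInvocation. */
    interface Invocation {
        String invokeActionOnly() throws Exception;
    }

    static void beforeInvocation(String ctx) { CONTEXT.set(ctx); }

    static void afterInvocation() { CONTEXT.set(null); }

    /** Original shape from the report: afterInvocation() is skipped when the action throws. */
    static Runnable originalShape(Invocation invocation, String ctx) {
        return () -> {
            try {
                beforeInvocation(ctx);
                invocation.invokeActionOnly();
                afterInvocation();
            } catch (Exception e) {
                // the real code stores the exception; the context is left in place
            }
        };
    }

    /** try/finally shape proposed in the report: afterInvocation() runs on every exit path. */
    static Runnable finallyShape(Invocation invocation, String ctx) {
        return () -> {
            try {
                beforeInvocation(ctx);
                try {
                    invocation.invokeActionOnly();
                } finally {
                    afterInvocation();
                }
            } catch (Exception e) {
                // exception stored as before
            }
        };
    }

    /**
     * Runs the task on a single pooled thread, then asks that same thread what
     * CONTEXT holds: this is what the next request handled by the thread sees.
     */
    static String contextSeenByNextTask(Runnable task) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            pool.submit(task).get();
            Callable<String> probe = CONTEXT::get;
            return pool.submit(probe).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // constructed: an action that fails
        Invocation failing = () -> { throw new IllegalStateException("action failed"); };

        System.out.println("original: " + contextSeenByNextTask(originalShape(failing, "request-1"))); // request-1 (leaked)
        System.out.println("finally : " + contextSeenByNextTask(finallyShape(failing, "request-1")));  // null
    }
}
```

The leaked value is the security-relevant part: an `ActionContext` that survives on a pooled thread carries one request's state (value stack contents, session references) into whatever that thread runs next, so the clean-up belongs in a `finally` regardless of which of the two variants from the report is chosen.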
[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale
[ https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=919003=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919003 ] ASF GitHub Bot logged work on WW-5422: -- Author: ASF GitHub Bot Created on: 13/May/24 06:23 Start Date: 13/May/24 06:23 Worklog Time Spent: 10m Work Description: lukaszlenart merged PR #931: URL: https://github.com/apache/struts/pull/931 Issue Time Tracking --- Worklog Id: (was: 919003) Time Spent: 1h 10m (was: 1h) > I18nInterceptor and invalid locale > -- > > Key: WW-5422 > URL: https://issues.apache.org/jira/browse/WW-5422 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Andreas Sachs >Assignee: Lukasz Lenart >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1h 10m > Remaining Estimate: 0h > > Exception if locale contains trimable characters: > > Eg Request: > request_locale=de%0A > > Code from I18nInterceptor line 187: > > {code:java} > if (localeProvider.isValidLocaleString(localeStr)) { > locale = LocaleUtils.toLocale(localeStr); > }{code} > > isValidLocaleString returns true because localeStr is trimmed inside function > ( > locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr)) ) > > but LocaleUtils.toLocale(localeStr) will throw an exception afterwards. 
> > > > {code:java} > > java.lang.IllegalArgumentException: Invalid locale format: de > at > org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > at > org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
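Added example (not Struts code, not from the reporter): the validate-then-use mismatch described above, reproduced with a simplified stand-in for commons-lang3 LocaleUtils.toLocale so that it runs without the library. The STRICT pattern, trimToNull, resolveBuggy and resolveFixed are assumptions of this example; the request value "de\n" is the URL-decoded form of the reporter's request_locale=de%0A.

```java
import java.util.Locale;
import java.util.regex.Pattern;

// Added example, not Struts code: reproduces the validate/use mismatch from WW-5422 with a
// simplified stand-in for commons-lang3 LocaleUtils.toLocale. Names below are hypothetical.
public class LocaleParamCheck {

    // Strict subset of the LocaleUtils format: "de", "de_DE", "de_DE_variant"; no surrounding whitespace.
    private static final Pattern STRICT = Pattern.compile("[a-z]{2}(_[A-Z]{2}(_[A-Za-z0-9]+)?)?");

    /** Stand-in for LocaleUtils.toLocale: throws on anything outside the strict format. */
    static Locale toLocale(String s) {
        if (s == null || !STRICT.matcher(s).matches()) {
            throw new IllegalArgumentException("Invalid locale format: " + s);
        }
        String[] p = s.split("_", 3);
        return new Locale(p[0], p.length > 1 ? p[1] : "", p.length > 2 ? p[2] : "");
    }

    /** Stand-in for StringUtils.trimToNull. */
    static String trimToNull(String s) {
        if (s == null) {
            return null;
        }
        String t = s.trim();
        return t.isEmpty() ? null : t;
    }

    /** Mirrors the behaviour in the report: the validity check trims, so "de\n" is judged valid. */
    static boolean isValidLocaleStringTrimming(String s) {
        try {
            toLocale(trimToNull(s));
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** Buggy resolution: validated on the trimmed copy, then the raw value is parsed. */
    static Locale resolveBuggy(String raw) {
        if (isValidLocaleStringTrimming(raw)) {
            return toLocale(raw);      // "de\n" throws here, after validation said it was fine
        }
        return null;
    }

    /** Fixed resolution: canonicalise once, then validate and parse that same value. */
    static Locale resolveFixed(String raw) {
        String canonical = trimToNull(raw);
        if (canonical == null || !STRICT.matcher(canonical).matches()) {
            return null;               // reject; caller falls back to the default locale
        }
        return toLocale(canonical);
    }

    public static void main(String[] args) {
        String fromRequest = "de\n";   // constructed: request_locale=de%0A after URL decoding
        try {
            System.out.println("buggy: " + resolveBuggy(fromRequest));
        } catch (IllegalArgumentException e) {
            System.out.println("buggy: " + e.getMessage());
        }
        System.out.println("fixed: " + resolveFixed(fromRequest));
        System.out.println("fixed, garbage: " + resolveFixed("de%0A;drop"));
    }
}
```

The point is general: whatever normalisation a validity check applies to a request parameter has to be applied to the value that is actually used, otherwise a value that only passes in its normalised form reaches the parser unnormalised and the "validated" input turns into an uncaught exception.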
[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale
[ https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=919000=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-919000 ] ASF GitHub Bot logged work on WW-5422: -- Author: ASF GitHub Bot Created on: 13/May/24 05:49 Start Date: 13/May/24 05:49 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #931: URL: https://github.com/apache/struts/pull/931#issuecomment-2106704457 ## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=931) **Quality Gate passed** Issues ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [1 New issue](https://sonarcloud.io/project/issues?id=apache_struts=931=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/accepted-16px.png '') [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=931=new_accepted_issues=list) Measures ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=931=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [84.6% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_coverage=list) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [1.8% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_duplicated_lines_density=list) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=931) Issue Time Tracking --- Worklog Id: (was: 919000) Time Spent: 1h (was: 50m) > I18nInterceptor and invalid locale > -- > > Key: WW-5422 > URL: https://issues.apache.org/jira/browse/WW-5422 > 
Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Andreas Sachs >Assignee: Lukasz Lenart >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1h > Remaining Estimate: 0h > > Exception if locale contains trimable characters: > > Eg Request: > request_locale=de%0A > > Code from I18nInterceptor line 187: > > {code:java} > if (localeProvider.isValidLocaleString(localeStr)) { > locale = LocaleUtils.toLocale(localeStr); > }{code} > > isValidLocaleString returns true because localeStr is trimmed inside function > ( > locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr)) ) > > but LocaleUtils.toLocale(localeStr) will throw an exception afterwards. > > > > {code:java} > > java.lang.IllegalArgumentException: Invalid locale format: de > at > org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > at > org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale
[ https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918998=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918998 ] ASF GitHub Bot logged work on WW-5422: -- Author: ASF GitHub Bot Created on: 13/May/24 05:28 Start Date: 13/May/24 05:28 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #931: URL: https://github.com/apache/struts/pull/931#issuecomment-2106684078 ## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=931) **Quality Gate passed** Issues ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [8 New issues](https://sonarcloud.io/project/issues?id=apache_struts=931=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/accepted-16px.png '') [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=931=new_accepted_issues=list) Measures ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=931=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [84.6% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_coverage=list) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [1.8% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_duplicated_lines_density=list) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=931) Issue Time Tracking --- Worklog Id: (was: 918998) Time Spent: 50m (was: 40m) > I18nInterceptor and invalid locale > -- > > Key: WW-5422 > URL: https://issues.apache.org/jira/browse/WW-5422 > 
Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Andreas Sachs >Assignee: Lukasz Lenart >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 50m > Remaining Estimate: 0h > > Exception if locale contains trimable characters: > > Eg Request: > request_locale=de%0A > > Code from I18nInterceptor line 187: > > {code:java} > if (localeProvider.isValidLocaleString(localeStr)) { > locale = LocaleUtils.toLocale(localeStr); > }{code} > > isValidLocaleString returns true because localeStr is trimmed inside function > ( > locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr)) ) > > but LocaleUtils.toLocale(localeStr) will throw an exception afterwards. > > > > {code:java} > > java.lang.IllegalArgumentException: Invalid locale format: de > at > org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > at > org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale
[ https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918997=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918997 ] ASF GitHub Bot logged work on WW-5422: -- Author: ASF GitHub Bot Created on: 13/May/24 05:17 Start Date: 13/May/24 05:17 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #931: URL: https://github.com/apache/struts/pull/931#issuecomment-2106673873 ## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=931) **Quality Gate failed** Failed conditions ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [73.1% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_coverage=list) (required ≥ 80%) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=931) Issue Time Tracking --- Worklog Id: (was: 918997) Time Spent: 40m (was: 0.5h) > I18nInterceptor and invalid locale > -- > > Key: WW-5422 > URL: https://issues.apache.org/jira/browse/WW-5422 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Andreas Sachs >Assignee: Lukasz Lenart >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Exception if locale contains trimable characters: > > Eg Request: > request_locale=de%0A > > Code from I18nInterceptor line 187: > > {code:java} > if (localeProvider.isValidLocaleString(localeStr)) { > locale = LocaleUtils.toLocale(localeStr); > }{code} > > isValidLocaleString returns true because localeStr is trimmed inside function > ( > locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr)) ) > > but LocaleUtils.toLocale(localeStr) will throw an exception afterwards. 
> > > > {code:java} > > java.lang.IllegalArgumentException: Invalid locale format: de > at > org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) > ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0] > at > org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > at > org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) > ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2] > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call
[ https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918988=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918988 ] ASF GitHub Bot logged work on WW-5415: -- Author: ASF GitHub Bot Created on: 13/May/24 02:43 Start Date: 13/May/24 02:43 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #933: URL: https://github.com/apache/struts/pull/933#issuecomment-2106534361 ## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=933) **Quality Gate failed** Failed conditions ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [57.1% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=933=new_coverage=list) (required ≥ 80%) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=933) Issue Time Tracking --- Worklog Id: (was: 918988) Time Spent: 50m (was: 40m) > Struts2 Validator is failing in OGNL with constructor call > -- > > Key: WW-5415 > URL: https://issues.apache.org/jira/browse/WW-5415 > Project: Struts 2 > Issue Type: Bug > Components: Core >Affects Versions: 6.2.0, 6.3.0 >Reporter: Sebastian Götz >Assignee: Lukasz Lenart >Priority: Major > Labels: ognl, security, validation, xml > Fix For: 6.5.0 > > Time Spent: 50m > Remaining Estimate: 0h > > An FieldExpression validator using a constructor call in its OGNL expression > fails. > {code:xml|title=Example validation configuration} > > "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;> > > > > > > > > > {code} > When it comes to instantiate the Date object in the above example, the call > fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, > Object, Member, String). It seems that a constructor call is not handled here > properly. 
> {code:java} > public boolean isAccessible(Map context, Object target, Member member, String > propertyName) { > LOG.debug("Checking access for [target: {}, member: {}, property: > {}]", target, member, propertyName); > final int memberModifiers = member.getModifiers(); > final Class memberClass = member.getDeclaringClass(); > // target can be null in case of accessing static fields, since OGNL > 3.2.8 > final Class targetClass = Modifier.isStatic(memberModifiers) ? > memberClass : target.getClass(); > if (!memberClass.isAssignableFrom(targetClass)) { > throw new IllegalArgumentException("Target does not match > member!"); > } > {code} > When the method is called, > * {{*target*}} is the class object for {{{}java.util.Date{}}} > * {{*member*}} is a representation of the constructor {{public > java.util.Date()}} > * {{*propertyName*}} is null > * {{*memberModifiers*}} evaluates to 1 > * {{*memberClass*}} to the class object for {{{}java.util.Date{}}} > This causes the if to resolve to {{false}} and throwing the exception. I > cannot see how anyone could call any constructor at all. -- This message was sent by Atlassian Jira (v8.20.10#820010)
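Added example (not Struts code, not from the reporter): the target-versus-member check quoted above, isolated so the constructor case can be exercised directly with java.util.Date, together with one way of resolving the target class that treats a Class target as the class being instantiated. targetMatchesMemberOriginal and targetMatchesMemberFixed are hypothetical names; this is an illustration of the check, not the fix that landed in the project.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Date;

// Added example, not Struts code: isolates the target/member consistency check that WW-5415
// reports as rejecting every constructor. Method names here are hypothetical.
public class ConstructorTargetCheck {

    /** The check as quoted in the report: for a constructor, target is the Class object itself. */
    static boolean targetMatchesMemberOriginal(Object target, Member member) {
        Class<?> memberClass = member.getDeclaringClass();
        Class<?> targetClass = Modifier.isStatic(member.getModifiers()) ? memberClass : target.getClass();
        // target.getClass() is java.lang.Class for a constructor call, so this is
        // Date.class.isAssignableFrom(Class.class), which is false.
        return memberClass.isAssignableFrom(targetClass);
    }

    /**
     * Resolution that accounts for constructors: when a constructor is invoked, the target is
     * the Class being instantiated, so compare against that Class rather than Class.class.
     * Static members keep the existing rule; instance members use the runtime type.
     */
    static boolean targetMatchesMemberFixed(Object target, Member member) {
        Class<?> memberClass = member.getDeclaringClass();
        Class<?> targetClass;
        if (member instanceof Constructor) {
            if (!(target instanceof Class)) {
                return false;            // a constructor only makes sense on a Class target
            }
            targetClass = (Class<?>) target;
        } else if (Modifier.isStatic(member.getModifiers())) {
            targetClass = memberClass;
        } else {
            targetClass = target.getClass();
        }
        return memberClass.isAssignableFrom(targetClass);
    }

    public static void main(String[] args) throws Exception {
        Constructor<Date> ctor = Date.class.getConstructor();   // public java.util.Date()
        Method getTime = Date.class.getMethod("getTime");

        // target = Date.class, member = Date(): the quoted check rejects, the adjusted one accepts
        System.out.println("ctor/original:  " + targetMatchesMemberOriginal(Date.class, ctor));
        System.out.println("ctor/fixed:     " + targetMatchesMemberFixed(Date.class, ctor));

        // instance method on a Date instance: unchanged behaviour
        System.out.println("method/fixed:   " + targetMatchesMemberFixed(new Date(), getTime));

        // constructor of one class presented with a different Class target: must still be rejected
        System.out.println("mismatch/fixed: " + targetMatchesMemberFixed(String.class, ctor));
    }
}
```

The last case is the one worth keeping in mind when touching an OGNL member-access gate: relaxing the rule so that constructors pass must still tie the constructor to the class named as the target, otherwise the check stops saying anything about which class an expression is allowed to instantiate.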
[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call
[ https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918987=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918987 ] ASF GitHub Bot logged work on WW-5415: -- Author: ASF GitHub Bot Created on: 13/May/24 02:37 Start Date: 13/May/24 02:37 Worklog Time Spent: 10m Work Description: kusalk commented on code in PR #933: URL: https://github.com/apache/struts/pull/933#discussion_r1597805873 ## core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java: ## 
@@ -147,7 +147,7 @@ public boolean isAccessible(Map context, Object target, Member member, String pr if (target != null) { // Special case: Target is a Class object but not Class.class if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) { -if (!isStatic(member)) { +if (!isStatic(member) && Arrays.stream(((Class) target).getConstructors()).noneMatch(p -> p.getClass().equals(member.getClass( { Review Comment: Thanks @lukaszlenart for writing the test case - I did indeed overlook the constructor case, I've pushed a commit to this PR with the appropriate fix :) Issue Time Tracking --- Worklog Id: (was: 918987) Time Spent: 40m (was: 0.5h) > Struts2 Validator is failing in OGNL with constructor call > -- > > Key: WW-5415 > URL: https://issues.apache.org/jira/browse/WW-5415 > Project: Struts 2 > Issue Type: Bug > Components: Core >Affects Versions: 6.2.0, 6.3.0 >Reporter: Sebastian Götz >Assignee: Lukasz Lenart >Priority: Major > Labels: ognl, security, validation, xml > Fix For: 6.5.0 > > Time Spent: 40m > Remaining Estimate: 0h > > An FieldExpression validator using a constructor call in its OGNL expression > fails. > {code:xml|title=Example validation configuration} > > "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;> > > > > > > > > > {code} > When it comes to instantiate the Date object in the above example, the call > fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, > Object, Member, String). It seems that a constructor call is not handled here > properly. 
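Review bot: in the isAccessible hunk at line 147, the predicate `p.getClass().equals(member.getClass())` compares `java.lang.reflect.Constructor` with itself for every constructor, so `noneMatch` is false whenever the target class has at least one public constructor and `member` is any `Constructor`, without establishing that `member` is a constructor of `target`. Compare the members themselves, e.g. `noneMatch(p -> p.equals(member))`, or test `member instanceof Constructor && member.getDeclaringClass().equals(target)` directly, which also avoids materialising `getConstructors()` on every access check. A short comment stating why a non-static `Constructor` is legitimate on a `Class` target (OGNL passes the class being instantiated as the target) would help, as the existing comment only describes the `Class`-object special case.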
> {code:java} > public boolean isAccessible(Map context, Object target, Member member, String > propertyName) { > LOG.debug("Checking access for [target: {}, member: {}, property: > {}]", target, member, propertyName); > final int memberModifiers = member.getModifiers(); > final Class memberClass = member.getDeclaringClass(); > // target can be null in case of accessing static fields, since OGNL > 3.2.8 > final Class targetClass = Modifier.isStatic(memberModifiers) ? > memberClass : target.getClass(); > if (!memberClass.isAssignableFrom(targetClass)) { > throw new IllegalArgumentException("Target does not match > member!"); > } > {code} > When the method is called, > * {{*target*}} is the class object for {{{}java.util.Date{}}} > * {{*member*}} is a representation of the constructor {{public > java.util.Date()}} > * {{*propertyName*}} is null > * {{*memberModifiers*}} evaluates to 1 > * {{*memberClass*}} to the class object for {{{}java.util.Date{}}} > This causes the if to resolve to {{false}} and throwing the exception. I > cannot see how anyone could call any constructor at all. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call
[ https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918959=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918959 ] ASF GitHub Bot logged work on WW-5415: -- Author: ASF GitHub Bot Created on: 12/May/24 07:55 Start Date: 12/May/24 07:55 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #933: URL: https://github.com/apache/struts/pull/933#issuecomment-2106156152 ## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=933) **Quality Gate passed** Issues ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts=933=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/accepted-16px.png '') [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=933=new_accepted_issues=list) Measures ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=933=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [80.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=933=new_coverage=list) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=933=new_duplicated_lines_density=list) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=933) Issue Time Tracking --- Worklog Id: (was: 918959) Time Spent: 0.5h (was: 20m) > Struts2 Validator is failing in OGNL with constructor call > -- > > Key: WW-5415 > URL: 
https://issues.apache.org/jira/browse/WW-5415 > Project: Struts 2 > Issue Type: Bug > Components: Core >Affects Versions: 6.2.0, 6.3.0 >Reporter: Sebastian Götz >Assignee: Lukasz Lenart >Priority: Major > Labels: ognl, security, validation, xml > Fix For: 6.5.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > An FieldExpression validator using a constructor call in its OGNL expression > fails. > {code:xml|title=Example validation configuration} > > "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;> > > > > > > > > > {code} > When it comes to instantiate the Date object in the above example, the call > fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, > Object, Member, String). It seems that a constructor call is not handled here > properly. > {code:java} > public boolean isAccessible(Map context, Object target, Member member, String > propertyName) { > LOG.debug("Checking access for [target: {}, member: {}, property: > {}]", target, member, propertyName); > final int memberModifiers = member.getModifiers(); > final Class memberClass = member.getDeclaringClass(); > // target can be null in case of accessing static fields, since OGNL > 3.2.8 > final Class targetClass = Modifier.isStatic(memberModifiers) ? > memberClass : target.getClass(); > if (!memberClass.isAssignableFrom(targetClass)) { > throw new IllegalArgumentException("Target does not match > member!"); > } > {code} > When the method is called, > * {{*target*}} is the class object for {{{}java.util.Date{}}} > * {{*member*}} is a representation of the constructor {{public > java.util.Date()}} > * {{*propertyName*}} is null > * {{*memberModifiers*}} evaluates to 1 > * {{*memberClass*}} to the class object for {{{}java.util.Date{}}} > This causes the if to resolve to {{false}} and throwing the exception. I > cannot see how anyone could call any constructor at all. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call
[ https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918958=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918958 ] ASF GitHub Bot logged work on WW-5415: -- Author: ASF GitHub Bot Created on: 12/May/24 07:50 Start Date: 12/May/24 07:50 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #933: URL: https://github.com/apache/struts/pull/933#discussion_r1597574627 ## core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java: ## 
@@ -147,7 +147,7 @@ public boolean isAccessible(Map context, Object target, Member member, String pr if (target != null) { // Special case: Target is a Class object but not Class.class if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) { -if (!isStatic(member)) { +if (!isStatic(member) && Arrays.stream(((Class) target).getConstructors()).noneMatch(p -> p.getClass().equals(member.getClass( { Review Comment: This is just a temporary solution to express where the problem is, @kusalk I count on your comment :) Issue Time Tracking --- Worklog Id: (was: 918958) Time Spent: 20m (was: 10m) > Struts2 Validator is failing in OGNL with constructor call > -- > > Key: WW-5415 > URL: https://issues.apache.org/jira/browse/WW-5415 > Project: Struts 2 > Issue Type: Bug > Components: Core >Affects Versions: 6.2.0, 6.3.0 >Reporter: Sebastian Götz >Assignee: Lukasz Lenart >Priority: Major > Labels: ognl, security, validation, xml > Fix For: 6.5.0 > > Time Spent: 20m > Remaining Estimate: 0h > > An FieldExpression validator using a constructor call in its OGNL expression > fails. > {code:xml|title=Example validation configuration} > > "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;> > > > > > > > > > {code} > When it comes to instantiate the Date object in the above example, the call > fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, > Object, Member, String). It seems that a constructor call is not handled here > properly. > {code:java} > public boolean isAccessible(Map context, Object target, Member member, String > propertyName) { > LOG.debug("Checking access for [target: {}, member: {}, property: > {}]", target, member, propertyName); > final int memberModifiers = member.getModifiers(); > final Class memberClass = member.getDeclaringClass(); > // target can be null in case of accessing static fields, since OGNL > 3.2.8 > final Class targetClass = Modifier.isStatic(memberModifiers) ? 
> memberClass : target.getClass(); > if (!memberClass.isAssignableFrom(targetClass)) { > throw new IllegalArgumentException("Target does not match > member!"); > } > {code} > When the method is called, > * {{*target*}} is the class object for {{{}java.util.Date{}}} > * {{*member*}} is a representation of the constructor {{public > java.util.Date()}} > * {{*propertyName*}} is null > * {{*memberModifiers*}} evaluates to 1 > * {{*memberClass*}} to the class object for {{{}java.util.Date{}}} > This causes the if to resolve to {{false}} and throwing the exception. I > cannot see how anyone could call any constructor at all. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5415) Struts2 Validator is failing in OGNL with constructor call
[ https://issues.apache.org/jira/browse/WW-5415?focusedWorklogId=918957=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918957 ] ASF GitHub Bot logged work on WW-5415: -- Author: ASF GitHub Bot Created on: 12/May/24 07:49 Start Date: 12/May/24 07:49 Worklog Time Spent: 10m Work Description: lukaszlenart opened a new pull request, #933: URL: https://github.com/apache/struts/pull/933 This PR fixes creating instances via OGNL expressions. The breaking change was introduced in #780 or #781 Closes [WW-5415](https://issues.apache.org/jira/browse/WW-5415) Issue Time Tracking --- Worklog Id: (was: 918957) Remaining Estimate: 0h Time Spent: 10m > Struts2 Validator is failing in OGNL with constructor call > -- > > Key: WW-5415 > URL: https://issues.apache.org/jira/browse/WW-5415 > Project: Struts 2 > Issue Type: Bug > Components: Core >Affects Versions: 6.2.0, 6.3.0 >Reporter: Sebastian Götz >Assignee: Lukasz Lenart >Priority: Major > Labels: ognl, security, validation, xml > Fix For: 6.5.0 > > Time Spent: 10m > Remaining Estimate: 0h > > An FieldExpression validator using a constructor call in its OGNL expression > fails. > {code:xml|title=Example validation configuration} > > "http://struts.apache.org/dtds/xwork-validator-1.0.2.dtd;> > > > > > > > > > {code} > When it comes to instantiate the Date object in the above example, the call > fails in com.opensymphony.xwork2.ognl.SecurityMemberAccess.isAccessible(Map, > Object, Member, String). It seems that a constructor call is not handled here > properly. 
> {code:java} > public boolean isAccessible(Map context, Object target, Member member, String > propertyName) { > LOG.debug("Checking access for [target: {}, member: {}, property: > {}]", target, member, propertyName); > final int memberModifiers = member.getModifiers(); > final Class memberClass = member.getDeclaringClass(); > // target can be null in case of accessing static fields, since OGNL > 3.2.8 > final Class targetClass = Modifier.isStatic(memberModifiers) ? > memberClass : target.getClass(); > if (!memberClass.isAssignableFrom(targetClass)) { > throw new IllegalArgumentException("Target does not match > member!"); > } > {code} > When the method is called, > * {{*target*}} is the class object for {{{}java.util.Date{}}} > * {{*member*}} is a representation of the constructor {{public > java.util.Date()}} > * {{*propertyName*}} is null > * {{*memberModifiers*}} evaluates to 1 > * {{*memberClass*}} to the class object for {{{}java.util.Date{}}} > This causes the if to resolve to {{false}} and throwing the exception. I > cannot see how anyone could call any constructor at all. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918914=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918914 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 08:31 Start Date: 11/May/24 08:31 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #932: URL: https://github.com/apache/struts/pull/932#issuecomment-2105634058 ## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=932) **Quality Gate passed** Issues ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts=932=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/accepted-16px.png '') [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=932=new_accepted_issues=list) Measures ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=932=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [90.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=932=new_coverage=list) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=932=new_duplicated_lines_density=list) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=932) Issue Time Tracking --- Worklog Id: (was: 918914) Time Spent: 1h 40m (was: 1.5h) > AfterInvocation of BackgroundProcess is not called when an exception occurs > when using 
ExecuteAndWaitInterceptor > > > Key: WW-5414 > URL: https://issues.apache.org/jira/browse/WW-5414 > Project: Struts 2 > Issue Type: Bug > Components: Core Interceptors >Affects Versions: 2.5.30, 6.3.0 >Reporter: Yukio Suzuki >Assignee: Lukasz Lenart >Priority: Major > Fix For: 6.5.0 > > Time Spent: 1h 40m > Remaining Estimate: 0h > > In my project, we are using Struts2.5.x and recently started using the > ExecuteAndWaitInterceptor. We have extended BackgroundProcess and overridden > the beforeInvocation and afterInvocation methods to perform certain actions > before and after the invocation of an action. However, we are facing a > problem where afterInvocation is not called when an exception occurs. Here is > the relevant code: > > {code:java} > final Thread t = new Thread(new Runnable() { > public void run() { > try { > beforeInvocation(); > result = invocation.invokeActionOnly(); > afterInvocation(); > } catch (Exception e) { > exception = e; > } > > done = true; > } > }); > {code} > In the existing code, the beforeInvocation and afterInvocation methods set > and clear the context, but it seems unintentional that the context is not > cleared when an exception occurs. 
> {code:java} > protected void beforeInvocation() throws Exception { > ActionContext.setContext(invocation.getInvocationContext()); > } > protected void afterInvocation() throws Exception { > ActionContext.setContext(null); > }{code} > One possible improvement is to modify the code as follows, ensuring that > afterInvocation is called even when an exception occurs: > {code:java} > beforeInvocation(); > try { > result = invocation.invokeActionOnly(); > } finally { > afterInvocation(); > }{code} > Alternatively, if compatibility is a concern, you can add an > afterInvocation(Throwable t) method and modify the code as follows: > {code:java} > beforeInvocation(); > try { > result = invocation.invokeActionOnly(); > } catch (Throwable t) { > afterInvocation(t); > throw t; > } > afterInvocation();{code} > Please consider these modifications to ensure that afterInvocation is called > even when an exception occurs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918913=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918913 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 08:18 Start Date: 11/May/24 08:18 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #932: URL: https://github.com/apache/struts/pull/932#issuecomment-2105630541 ## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=932) **Quality Gate passed** Issues ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts=932=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/accepted-16px.png '') [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=932=new_accepted_issues=list) Measures ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=932=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=932=new_coverage=list) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=932=new_duplicated_lines_density=list) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=932) Issue Time Tracking --- Worklog Id: (was: 918913) Time Spent: 1.5h (was: 1h 20m)
> {code:java} > protected void beforeInvocation() throws Exception { > ActionContext.setContext(invocation.getInvocationContext()); > } > protected void afterInvocation() throws Exception { > ActionContext.setContext(null); > }{code} > One possible improvement is to modify the code as follows, ensuring that > afterInvocation is called even when an exception occurs: > {code:java} > beforeInvocation(); > try { > result = invocation.invokeActionOnly(); > } finally { > afterInvocation(); > }{code} > Alternatively, if compatibility is a concern, you can add an > afterInvocation(Throwable t) method and modify the code as follows: > {code:java} > beforeInvocation(); > try { > result = invocation.invokeActionOnly(); > } catch (Throwable t) { > afterInvocation(t); > throw t; > } > afterInvocation();{code} > Please consider these modifications to ensure that afterInvocation is called > even when an exception occurs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918912=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918912 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 08:18 Start Date: 11/May/24 08:18 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #932: URL: https://github.com/apache/struts/pull/932#discussion_r1597396861 ## core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java: ## 
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() { try { beforeInvocation(); result = invocation.invokeActionOnly(); -afterInvocation(); } catch (Exception e) { +LOG.warn("Exception during invokeActionOnly() execution", e); exception = e; } finally { - done = true; +try { +afterInvocation(); +} catch (Exception ex) { +exception = ex; Review Comment: Right, let's keep it simple, I will set `exception` only if wasn't already set Issue Time Tracking --- Worklog Id: (was: 918912) Time Spent: 1h 20m (was: 1h 10m)
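Review bot: the hunk removes `- done = true;` from the `finally` block but, as shown, ends before the flag is set again; since ExecuteAndWaitInterceptor relies on `done` to learn that the background action has finished, the replacement needs to sit in the outer `finally` after the inner try/catch around `afterInvocation()`, so that a throwing `afterInvocation()` cannot leave the process reported as still running. It is also worth a line of Javadoc on `afterInvocation()` saying it now runs even when `beforeInvocation()` or `invokeActionOnly()` threw, because subclasses that override it (as the reporter's project does) may have assumed a fully initialised state.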
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918911=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918911 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 08:07 Start Date: 11/May/24 08:07 Worklog Time Spent: 10m Work Description: kusalk commented on code in PR #932: URL: https://github.com/apache/struts/pull/932#discussion_r1597395216 ## core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java: ## 
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() { try { beforeInvocation(); result = invocation.invokeActionOnly(); -afterInvocation(); } catch (Exception e) { +LOG.warn("Exception during invokeActionOnly() execution", e); exception = e; } finally { - done = true; +try { +afterInvocation(); +} catch (Exception ex) { +exception = ex; Review Comment: If we're only going to record one, the first one is probably more relevant - I'll let you make the call Issue Time Tracking --- Worklog Id: (was: 918911) Time Spent: 1h 10m (was: 1h)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918910=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918910 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 08:05 Start Date: 11/May/24 08:05 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #932: URL: https://github.com/apache/struts/pull/932#discussion_r1597394691 ## core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java: ## 
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() { try { beforeInvocation(); result = invocation.invokeActionOnly(); -afterInvocation(); } catch (Exception e) { +LOG.warn("Exception during invokeActionOnly() execution", e); exception = e; } finally { - done = true; +try { +afterInvocation(); +} catch (Exception ex) { +exception = ex; Review Comment: Yeah, I know, I thought about adding additional `afterException` and maybe `beforeException` fields to keep this information Issue Time Tracking --- Worklog Id: (was: 918910) Time Spent: 1h (was: 50m)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918909=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918909 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 08:05 Start Date: 11/May/24 08:05 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #932: URL: https://github.com/apache/struts/pull/932#discussion_r1597394691 ## core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java: ## 
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() { try { beforeInvocation(); result = invocation.invokeActionOnly(); -afterInvocation(); } catch (Exception e) { +LOG.warn("Exception during invokeActionOnly() execution", e); exception = e; } finally { - done = true; +try { +afterInvocation(); +} catch (Exception ex) { +exception = ex; Review Comment: Yeah, I know, after adding additional `afterException` and maybe `beforeException` fields to keep this information Issue Time Tracking --- Worklog Id: (was: 918909) Time Spent: 50m (was: 40m)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918908=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918908 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 08:00 Start Date: 11/May/24 08:00 Worklog Time Spent: 10m Work Description: kusalk commented on code in PR #932: URL: https://github.com/apache/struts/pull/932#discussion_r1597393073 ## core/src/main/java/org/apache/struts2/interceptor/exec/StrutsBackgroundProcess.java: ## 
@@ -61,11 +66,17 @@ public BackgroundProcess prepare() { try { beforeInvocation(); result = invocation.invokeActionOnly(); -afterInvocation(); } catch (Exception e) { +LOG.warn("Exception during invokeActionOnly() execution", e); exception = e; } finally { - done = true; +try { +afterInvocation(); +} catch (Exception ex) { +exception = ex; Review Comment: Hmm what if `beforeInvocation()` already threw an exception, do we want to overwrite that? Issue Time Tracking --- Worklog Id: (was: 918908) Time Spent: 40m (was: 0.5h)
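Review bot: with `+exception = ex;` in the inner catch, a failure in `afterInvocation()` replaces the exception already recorded from `beforeInvocation()` or `invokeActionOnly()`, and the original cause then survives only in the new `LOG.warn` line. Either guard the assignment (`if (exception == null) exception = ex;`) or attach the later failure with `exception.addSuppressed(ex)` so both are kept, and log the `afterInvocation()` failure as well, since a cleanup error swallowed in `finally` is otherwise silent.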
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918905=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918905 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 07:40 Start Date: 11/May/24 07:40 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #932: URL: https://github.com/apache/struts/pull/932#issuecomment-2105617974 ## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=932) **Quality Gate passed** Issues ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [3 New issues](https://sonarcloud.io/project/issues?id=apache_struts=932=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/accepted-16px.png '') [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=932=new_accepted_issues=list) Measures ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=932=false=true) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=932=new_coverage=list) ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/passed-16px.png '') [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=932=new_duplicated_lines_density=list) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=932) Issue Time Tracking --- Worklog Id: (was: 918905) Time Spent: 0.5h (was: 20m)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918904=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918904 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 06:31 Start Date: 11/May/24 06:31 Worklog Time Spent: 10m Work Description: sonarcloud[bot] commented on PR #932: URL: https://github.com/apache/struts/pull/932#issuecomment-2105593190 ## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=932) **Quality Gate failed** Failed conditions ![](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/common/failed-16px.png '') [60.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=932=new_coverage=list) (required ≥ 80%) [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=932) Issue Time Tracking --- Worklog Id: (was: 918904) Time Spent: 20m (was: 10m)
[jira] [Work logged] (WW-5414) AfterInvocation of BackgroundProcess is not called when an exception occurs when using ExecuteAndWaitInterceptor
[ https://issues.apache.org/jira/browse/WW-5414?focusedWorklogId=918903=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918903 ] ASF GitHub Bot logged work on WW-5414: -- Author: ASF GitHub Bot Created on: 11/May/24 06:24 Start Date: 11/May/24 06:24 Worklog Time Spent: 10m Work Description: lukaszlenart opened a new pull request, #932: URL: https://github.com/apache/struts/pull/932 Close [WW-5414](https://issues.apache.org/jira/browse/WW-5414) Issue Time Tracking --- Worklog Id: (was: 918903) Remaining Estimate: 0h Time Spent: 10m
[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale
[ https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918902=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918902 ]

ASF GitHub Bot logged work on WW-5422:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/May/24 06:05
            Start Date: 11/May/24 06:05
    Worklog Time Spent: 10m
      Work Description:
sonarcloud[bot] commented on PR #931:
URL: https://github.com/apache/struts/pull/931#issuecomment-2105584154

   ## [Quality Gate Failed](https://sonarcloud.io/dashboard?id=apache_struts=931)

   **Quality Gate failed**

   Failed conditions

   - [66.7% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_coverage=list) (required ≥ 80%)
   - [8.5% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_duplicated_lines_density=list) (required ≤ 3%)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=931)

Issue Time Tracking
-------------------

            Worklog Id:     (was: 918902)
            Time Spent: 0.5h  (was: 20m)

> I18nInterceptor and invalid locale
> ----------------------------------
>
>                 Key: WW-5422
>                 URL: https://issues.apache.org/jira/browse/WW-5422
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 6.3.0
>            Reporter: Andreas Sachs
>            Assignee: Lukasz Lenart
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Exception if locale contains trimmable characters:
>
> E.g. request:
> request_locale=de%0A
>
> Code from I18nInterceptor line 187:
>
> {code:java}
> if (localeProvider.isValidLocaleString(localeStr)) {
>     locale = LocaleUtils.toLocale(localeStr);
> }
> {code}
>
> isValidLocaleString returns true because localeStr is trimmed inside the function
> ( locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr)) )
>
> but LocaleUtils.toLocale(localeStr) will throw an exception afterwards.
>
> {code:java}
> java.lang.IllegalArgumentException: Invalid locale format: de
>     at org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>     at org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>     at org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
>     at org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
> {code}
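Added example, not Struts code: the validate/parse mismatch from the report beside a version that normalises the request parameter once and then validates and parses that same string. It assumes commons-lang3 on the classpath (the `LocaleUtils` and `StringUtils` that appear in the stack trace); `isValidLocaleString` here is a stand-in for the provider method the report names, not its actual body, and the request values are constructed.

```java
import java.util.Locale;

import org.apache.commons.lang3.LocaleUtils;
import org.apache.commons.lang3.StringUtils;

/**
 * Added example (not Struts code). A value that passes validation in one
 * form and is parsed in another is exactly how "validated" input still throws.
 * Assumes commons-lang3; all request values below are constructed.
 */
public class LocaleParamDemo {

    /** Stand-in for a validator that trims before checking, as the report describes. */
    static boolean isValidLocaleString(String localeStr) {
        String trimmed = StringUtils.trimToNull(localeStr);
        if (trimmed == null) {
            return false;
        }
        try {
            LocaleUtils.toLocale(trimmed);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** Before: validates the trimmed value but parses the raw one, so "de\n" passes and then throws. */
    static Locale resolveBuggy(String localeStr, Locale fallback) {
        if (localeStr != null && isValidLocaleString(localeStr)) {
            return LocaleUtils.toLocale(localeStr);
        }
        return fallback;
    }

    /** After: normalise once, validate and parse the same string, and never let a request parameter throw. */
    static Locale resolveSafe(String localeStr, Locale fallback) {
        String normalised = StringUtils.trimToNull(localeStr);
        if (normalised == null) {
            return fallback;
        }
        try {
            return LocaleUtils.toLocale(normalised);
        } catch (IllegalArgumentException e) {
            return fallback;   // malformed request_locale: keep the default, do not fail the request
        }
    }

    static String show(String s) {
        return "\"" + s.replace("\n", "\\n") + "\"";
    }

    public static void main(String[] args) {
        // Constructed request_locale values: the report's "de%0A" decodes to "de\n".
        String[] inputs = { "de", "de\n", "  en_GB ", "../etc", "" };
        for (String raw : inputs) {
            System.out.println("safe : " + show(raw) + " -> " + resolveSafe(raw, Locale.ENGLISH));
        }
        try {
            resolveBuggy("de\n", Locale.ENGLISH);
        } catch (IllegalArgumentException e) {
            System.out.println("buggy: " + show("de\n") + " -> " + e.getMessage());
        }
    }
}
```

The rule the safe variant follows is the general one for untrusted input: canonicalise the value once, run every check and every use on that one canonical copy, and treat a parse failure of a request parameter as the fallback case rather than as an exception that escapes to the caller.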
[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale
[ https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918899=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918899 ]

ASF GitHub Bot logged work on WW-5422:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/May/24 05:30
            Start Date: 11/May/24 05:30
    Worklog Time Spent: 10m
      Work Description:
sonarcloud[bot] commented on PR #931:
URL: https://github.com/apache/struts/pull/931#issuecomment-2105570159

   ## [Quality Gate Failed](https://sonarcloud.io/dashboard?id=apache_struts=931)

   **Quality Gate failed**

   Failed conditions

   - [66.7% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_coverage=list) (required ≥ 80%)
   - [9.8% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=931=new_duplicated_lines_density=list) (required ≤ 3%)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=931)

Issue Time Tracking
-------------------

            Worklog Id:     (was: 918899)
            Time Spent: 20m  (was: 10m)

> I18nInterceptor and invalid locale
> ----------------------------------
>
>                 Key: WW-5422
>                 URL: https://issues.apache.org/jira/browse/WW-5422
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 6.3.0
>            Reporter: Andreas Sachs
>            Assignee: Lukasz Lenart
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Exception if locale contains trimmable characters:
>
> E.g. request:
> request_locale=de%0A
>
> Code from I18nInterceptor line 187:
>
> {code:java}
> if (localeProvider.isValidLocaleString(localeStr)) {
>     locale = LocaleUtils.toLocale(localeStr);
> }
> {code}
>
> isValidLocaleString returns true because localeStr is trimmed inside the function
> ( locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr)) )
>
> but LocaleUtils.toLocale(localeStr) will throw an exception afterwards.
>
> {code:java}
> java.lang.IllegalArgumentException: Invalid locale format: de
>     at org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>     at org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>     at org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
>     at org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
> {code}
[jira] [Work logged] (WW-5422) I18nInterceptor and invalid locale
[ https://issues.apache.org/jira/browse/WW-5422?focusedWorklogId=918898=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918898 ]

ASF GitHub Bot logged work on WW-5422:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/May/24 05:24
            Start Date: 11/May/24 05:24
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart opened a new pull request, #931:
URL: https://github.com/apache/struts/pull/931

   Fixes issue with trimmable locale string

   Closes [WW-5422](https://issues.apache.org/jira/browse/WW-5422)

Issue Time Tracking
-------------------

            Worklog Id:     (was: 918898)
    Remaining Estimate: 0h
            Time Spent: 10m

> I18nInterceptor and invalid locale
> ----------------------------------
>
>                 Key: WW-5422
>                 URL: https://issues.apache.org/jira/browse/WW-5422
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Interceptors
>    Affects Versions: 6.3.0
>            Reporter: Andreas Sachs
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Exception if locale contains trimmable characters:
>
> E.g. request:
> request_locale=de%0A
>
> Code from I18nInterceptor line 187:
>
> {code:java}
> if (localeProvider.isValidLocaleString(localeStr)) {
>     locale = LocaleUtils.toLocale(localeStr);
> }
> {code}
>
> isValidLocaleString returns true because localeStr is trimmed inside the function
> ( locale = LocaleUtils.toLocale(StringUtils.trimToNull(localeStr)) )
>
> but LocaleUtils.toLocale(localeStr) will throw an exception afterwards.
>
> {code:java}
> java.lang.IllegalArgumentException: Invalid locale format: de
>     at org.apache.commons.lang3.LocaleUtils.parseLocale(LocaleUtils.java:268) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>     at org.apache.commons.lang3.LocaleUtils.toLocale(LocaleUtils.java:348) ~[org.apache.commons-commons-lang3-3.12.0-.jar:3.12.0]
>     at org.apache.struts2.interceptor.I18nInterceptor.getLocaleFromParam(I18nInterceptor.java:188) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
>     at org.apache.struts2.interceptor.I18nInterceptor$SessionLocaleHandler.find(I18nInterceptor.java:321) ~[org.apache.struts-struts2-core-6.3.0.2-.jar:6.3.0.2]
> {code}
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=918896=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-918896 ]

ASF GitHub Bot logged work on WW-5400:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/May/24 04:36
            Start Date: 11/May/24 04:36
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart merged PR #913:
URL: https://github.com/apache/struts/pull/913

Issue Time Tracking
-------------------

            Worklog Id:     (was: 918896)
            Time Spent: 1.5h  (was: 1h 20m)

> CSP interceptor only allows very limited configuration
> ------------------------------------------------------
>
>                 Key: WW-5400
>                 URL: https://issues.apache.org/jira/browse/WW-5400
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Interceptors
>    Affects Versions: 6.3.0
>            Reporter: Erica Kane
>            Priority: Major
>             Fix For: 6.5.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the script and link tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=917859=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917859 ]

ASF GitHub Bot logged work on WW-5419:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 06/May/24 16:20
            Start Date: 06/May/24 16:20
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart merged PR #920:
URL: https://github.com/apache/struts/pull/920

Issue Time Tracking
-------------------

            Worklog Id:     (was: 917859)
            Time Spent: 1h 40m  (was: 1.5h)

> Autoloading of tiles.xml fails in Struts-6.4.0
> ----------------------------------------------
>
>                 Key: WW-5419
>                 URL: https://issues.apache.org/jira/browse/WW-5419
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tiles
>    Affects Versions: 6.4.0
>            Reporter: Markus Fischer
>            Assignee: Lukasz Lenart
>            Priority: Blocker
>             Fix For: 6.5.0
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Starting in 6.4.0 a tiles definition in {{/WEB-INF/tiles.xml}} is not found automatically anymore. The problem arises only if the definition in web.xml contains no param section:
>
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
> {code}
>
> The workaround is to specify the specific location:
>
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
>
> <context-param>
>     <param-name>org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG</param-name>
>     <param-value>/WEB-INF/tiles.xml</param-value>
> </context-param>
> {code}
>
> The issue has been introduced by this [change|https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]
[jira] [Work logged] (WW-5420) Upgrade commons-text to ver. 1.12.0
[ https://issues.apache.org/jira/browse/WW-5420?focusedWorklogId=916792=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916792 ]

ASF GitHub Bot logged work on WW-5420:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 29/Apr/24 04:24
            Start Date: 29/Apr/24 04:24
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart merged PR #924:
URL: https://github.com/apache/struts/pull/924

Issue Time Tracking
-------------------

            Worklog Id:     (was: 916792)
            Time Spent: 0.5h  (was: 20m)

> Upgrade commons-text to ver. 1.12.0
> -----------------------------------
>
>                 Key: WW-5420
>                 URL: https://issues.apache.org/jira/browse/WW-5420
>             Project: Struts 2
>          Issue Type: Dependency
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Trivial
>             Fix For: 6.5.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
[jira] [Work logged] (WW-5421) Upgrade ASM to version 9.7
[ https://issues.apache.org/jira/browse/WW-5421?focusedWorklogId=916791=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916791 ]

ASF GitHub Bot logged work on WW-5421:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 29/Apr/24 04:23
            Start Date: 29/Apr/24 04:23
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart merged PR #907:
URL: https://github.com/apache/struts/pull/907

Issue Time Tracking
-------------------

            Worklog Id:     (was: 916791)
    Remaining Estimate: 0h
            Time Spent: 10m

> Upgrade ASM to version 9.7
> --------------------------
>
>                 Key: WW-5421
>                 URL: https://issues.apache.org/jira/browse/WW-5421
>             Project: Struts 2
>          Issue Type: Dependency
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=916761=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916761 ]

ASF GitHub Bot logged work on WW-5400:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Apr/24 14:41
            Start Date: 28/Apr/24 14:41
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart commented on code in PR #913:
URL: https://github.com/apache/struts/pull/913#discussion_r1582193457

##########
core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java:
##########
@@ -54,8 +57,24 @@ public String intercept(ActionInvocation invocation) throws Exception { LOG.trace("Using CspSettings provided by the action: {}", action); applySettings(invocation, ((CspSettingsAware) action).getCspSettings()); } else { -LOG.trace("Using DefaultCspSettings with action: {}", action); -applySettings(invocation, new DefaultCspSettings()); +LOG.trace("Using {} with action: {}", defaultCspSettingsClassName, action); + +// if the defaultCspSettingsClassName is not a real class, throw an exception +try { +Class.forName(defaultCspSettingsClassName, false, Thread.currentThread().getContextClassLoader()); +} +catch (ClassNotFoundException e) { +throw new IllegalArgumentException("The defaultCspSettingsClassName must be a real class."); +} + +// if defaultCspSettingsClassName does not implement CspSettings, throw an exception +if (!CspSettings.class.isAssignableFrom(Class.forName(defaultCspSettingsClassName))) { +throw new IllegalArgumentException("The defaultCspSettingsClassName must implement CspSettings."); +} + +CspSettings cspSettings = (CspSettings) Class.forName(defaultCspSettingsClassName) +.getDeclaredConstructor().newInstance(); +applySettings(invocation, cspSettings); Review Comment: I wonder if we can move this code into `init()` method of the interceptor as right now a new instance is created per each invocation Issue Time Tracking --- Worklog Id: (was: 916761) Time Spent: 1h 20m (was: 1h 10m) > CSP interceptor only allows very limited configuration > -- > > Key: WW-5400 > URL: https://issues.apache.org/jira/browse/WW-5400 > Project: Struts 2 > Issue Type: Improvement > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Erica Kane >Priority: Major > Fix For: 6.5.0 > > Time Spent: 1h 20m > Remaining Estimate: 0h > > I have been trying to implement CSP on our website. The CSP interceptor > provides an elegant solution with the and tags. However, > I want to set my own base-uri. 
> And perhaps make some other changes to the CSP headers.
>
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
>
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
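Review bot: the existence check and the instantiation in this hunk resolve the class through different loaders. `Class.forName(defaultCspSettingsClassName, false, Thread.currentThread().getContextClassLoader())` uses the thread context loader, while the two later `Class.forName(defaultCspSettingsClassName)` calls (the `isAssignableFrom` check and the `getDeclaredConstructor().newInstance()` call) use the interceptor's own defining loader, so in a container where those differ the check can pass and the load still fail, or the class that was checked is not the class that gets instantiated. Resolve the name once, keep the resulting `Class<? extends CspSettings>` and build instances from it, and do that in `init()` as the review comment already suggests, so a misconfigured `defaultCspSettingsClassName` fails at startup rather than on the first request; the two `IllegalArgumentException`s should also carry the offending class name and, for the `ClassNotFoundException` branch, the cause.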
[jira] [Work logged] (WW-5420) Upgrade commons-text to ver. 1.12.0
[ https://issues.apache.org/jira/browse/WW-5420?focusedWorklogId=916324=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916324 ]

ASF GitHub Bot logged work on WW-5420:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Apr/24 06:33
            Start Date: 25/Apr/24 06:33
    Worklog Time Spent: 10m
      Work Description:
sonarcloud[bot] commented on PR #924:
URL: https://github.com/apache/struts/pull/924#issuecomment-2076467620

   ## [Quality Gate Failed](https://sonarcloud.io/dashboard?id=apache_struts=924)

   **Quality Gate failed**

   Failed conditions

   - [8 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=924=false=true)
   - [28.6% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=924=new_coverage=list) (required ≥ 80%)
   - [4.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=924=new_duplicated_lines_density=list) (required ≤ 3%)
   - [E Security Rating on New Code](https://sonarcloud.io/dashboard?id=apache_struts=924) (required ≥ A)
   - [E Reliability Rating on New Code](https://sonarcloud.io/dashboard?id=apache_struts=924) (required ≥ A)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=924)

   Catch issues before they fail your Quality Gate with our IDE extension [SonarLint](https://www.sonarsource.com/products/sonarlint/features/connected-mode/?referrer=pull-request)

Issue Time Tracking
-------------------

            Worklog Id:     (was: 916324)
            Time Spent: 20m  (was: 10m)

> Upgrade commons-text to ver. 1.12.0
> -----------------------------------
>
>                 Key: WW-5420
>                 URL: https://issues.apache.org/jira/browse/WW-5420
>             Project: Struts 2
>          Issue Type: Dependency
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Trivial
>             Fix For: 6.5.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
[jira] [Work logged] (WW-5420) Upgrade commons-text to ver. 1.12.0
[ https://issues.apache.org/jira/browse/WW-5420?focusedWorklogId=916323=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916323 ]

ASF GitHub Bot logged work on WW-5420:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Apr/24 06:25
            Start Date: 25/Apr/24 06:25
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart opened a new pull request, #924:
URL: https://github.com/apache/struts/pull/924

   Closes [WW-5420](https://issues.apache.org/jira/browse/WW-5420)

Issue Time Tracking
-------------------

            Worklog Id:     (was: 916323)
    Remaining Estimate: 0h
            Time Spent: 10m

> Upgrade commons-text to ver. 1.12.0
> -----------------------------------
>
>                 Key: WW-5420
>                 URL: https://issues.apache.org/jira/browse/WW-5420
>             Project: Struts 2
>          Issue Type: Dependency
>          Components: Core
>            Reporter: Lukasz Lenart
>            Priority: Trivial
>             Fix For: 6.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0
[ https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=916168=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916168 ]

ASF GitHub Bot logged work on WW-5353:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Apr/24 12:34
            Start Date: 24/Apr/24 12:34
    Worklog Time Spent: 10m
      Work Description:
lukaszlenart commented on PR #919:
URL: https://github.com/apache/struts/pull/919#issuecomment-2074844610

   I can roll a new Milestone release during the weekend

Issue Time Tracking
-------------------

            Worklog Id:     (was: 916168)
            Time Spent: 1h  (was: 50m)

> Implement stronger security defaults in Struts 7.0
> --------------------------------------------------
>
>                 Key: WW-5353
>                 URL: https://issues.apache.org/jira/browse/WW-5353
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Kusal Kithul-Godage
>            Priority: Major
>             Fix For: 7.0.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}
[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0
[ https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=916167=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916167 ]

ASF GitHub Bot logged work on WW-5353:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Apr/24 12:33
            Start Date: 24/Apr/24 12:33
    Worklog Time Spent: 10m
      Work Description:
kusalk merged PR #919:
URL: https://github.com/apache/struts/pull/919

Issue Time Tracking
-------------------

            Worklog Id:     (was: 916167)
            Time Spent: 50m  (was: 40m)

> Implement stronger security defaults in Struts 7.0
> --------------------------------------------------
>
>                 Key: WW-5353
>                 URL: https://issues.apache.org/jira/browse/WW-5353
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Kusal Kithul-Godage
>            Priority: Major
>             Fix For: 7.0.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}
[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0
[ https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=916166=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916166 ]

ASF GitHub Bot logged work on WW-5353:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/Apr/24 12:30
            Start Date: 24/Apr/24 12:30
    Worklog Time Spent: 10m
      Work Description:
kusalk commented on PR #919:
URL: https://github.com/apache/struts/pull/919#issuecomment-2074837079

   Feedback on the next milestone will be interesting, let's see how we go!

Issue Time Tracking
-------------------

            Worklog Id:     (was: 916166)
            Time Spent: 40m  (was: 0.5h)

> Implement stronger security defaults in Struts 7.0
> --------------------------------------------------
>
>                 Key: WW-5353
>                 URL: https://issues.apache.org/jira/browse/WW-5353
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Kusal Kithul-Godage
>            Priority: Major
>             Fix For: 7.0.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}
[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies
[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=915950=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915950 ]

ASF GitHub Bot logged work on WW-5407:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Apr/24 05:32
            Start Date: 23/Apr/24 05:32
    Worklog Time Spent: 10m
      Work Description:
kusalk merged PR #234:
URL: https://github.com/apache/struts-site/pull/234

Issue Time Tracking
-------------------

            Worklog Id:     (was: 915950)
            Time Spent: 2h 50m  (was: 2h 40m)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> ----------------------------------------------------------------
>
>                 Key: WW-5407
>                 URL: https://issues.apache.org/jira/browse/WW-5407
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any logic to detect Hibernate proxies which may also present a security risk.
>
> Additionally, the current option only forbids access to members which originate from a proxy. However, it makes more sense to forbid access to proxy objects entirely. This is because proxying is often used for sensitive instances, application beans or Hibernate objects. None of which is safe to be accessed or manipulated via OGNL. Thus, let's introduce an additional option {{struts.disallowProxyObjectAccess}} which will offer stronger protection.
>
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, this can potentially be attacked and lead to a memory leak or DoS. Let's replace it with a Caffeine cache as we have done previously for the OGNL expression cache.
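Added example, not the Struts ProxyUtil code: the unbounded per-class memo the issue describes beside a bounded one, both fed a stream of distinct proxy classes so that the growth the report warns about is measurable. It assumes Caffeine on the classpath, as the report says Struts already uses it for the OGNL expression cache. The proxy markers checked here (`Proxy.isProxyClass` and the `org.hibernate.proxy.HibernateProxy` interface, matched by name so the program compiles without Hibernate) are this example's own choice, and the throwaway class loaders are only a device for minting distinct classes.

```java
import java.lang.reflect.Proxy;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;

/**
 * Added example (not the Struts ProxyUtil code). Shows why a per-class
 * "is this a proxy?" memo must be bounded. Assumes Caffeine on the classpath;
 * the proxy markers below are this example's own choice.
 */
public class ProxyDetectionCache {

    /** Matched by name so the example compiles without Hibernate on the classpath. */
    private static final String HIBERNATE_PROXY = "org.hibernate.proxy.HibernateProxy";

    /** The uncached check: JDK dynamic proxies and anything implementing HibernateProxy. */
    static boolean computeIsProxy(Class<?> clazz) {
        if (Proxy.isProxyClass(clazz)) {
            return true;
        }
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            for (Class<?> iface : c.getInterfaces()) {
                if (HIBERNATE_PROXY.equals(iface.getName())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Unbounded memo, as the report describes: every class ever checked is retained (and its loader with it). */
    static final class UnboundedDetector {
        private final ConcurrentMap<Class<?>, Boolean> memo = new ConcurrentHashMap<>();

        boolean isProxy(Class<?> clazz) {
            return memo.computeIfAbsent(clazz, ProxyDetectionCache::computeIsProxy);
        }

        long size() {
            return memo.size();
        }
    }

    /** Bounded memo: Caffeine evicts once maximumSize is reached, so memory stays flat. */
    static final class BoundedDetector {
        private final Cache<Class<?>, Boolean> memo;

        BoundedDetector(long maxEntries) {
            this.memo = Caffeine.newBuilder().maximumSize(maxEntries).build();
        }

        boolean isProxy(Class<?> clazz) {
            return memo.get(clazz, ProxyDetectionCache::computeIsProxy);
        }

        long size() {
            memo.cleanUp();   // apply pending evictions before measuring
            return memo.estimatedSize();
        }
    }

    /** Public so that a child class loader may define a proxy class for it. */
    public interface Greeter {
        String hello();
    }

    /** Mints a proxy class distinct from all earlier ones by defining it in a fresh loader. */
    static Class<?> freshProxyClass() {
        ClassLoader loader = new URLClassLoader(new URL[0], ProxyDetectionCache.class.getClassLoader());
        return Proxy.newProxyInstance(loader, new Class<?>[] { Greeter.class }, (p, m, a) -> "hi").getClass();
    }

    public static void main(String[] args) {
        UnboundedDetector unbounded = new UnboundedDetector();
        BoundedDetector bounded = new BoundedDetector(64);

        System.out.println("String.class is proxy: " + bounded.isProxy(String.class));
        System.out.println("JDK proxy is proxy:    " + bounded.isProxy(freshProxyClass()));

        // Constructed load: 1000 distinct classes reaching the check.
        for (int i = 0; i < 1000; i++) {
            Class<?> c = freshProxyClass();
            unbounded.isProxy(c);
            bounded.isProxy(c);
        }
        System.out.println("unbounded memo entries: " + unbounded.size());   // one per distinct class, forever
        System.out.println("bounded memo entries:   " + bounded.size());     // capped at the configured maximum
    }
}
```

The unbounded map pins every class it has seen, and through each class its defining loader, for the life of the application; the bounded cache releases old entries and only re-runs the cheap check on a miss. A size limit is the right tool here because correctness does not depend on a hit: a miss costs one reflective walk, not a wrong answer.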
[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies
[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=915905=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915905 ]

ASF GitHub Bot logged work on WW-5407:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 22/Apr/24 21:35
            Start Date: 22/Apr/24 21:35
    Worklog Time Spent: 10m
      Work Description:
asf-ci commented on PR #234:
URL: https://github.com/apache/struts-site/pull/234#issuecomment-2070992717

   Staged site is ready at https://struts.staged.apache.org/

Issue Time Tracking
-------------------

            Worklog Id:     (was: 915905)
            Time Spent: 2h 40m  (was: 2.5h)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> ----------------------------------------------------------------
>
>                 Key: WW-5407
>                 URL: https://issues.apache.org/jira/browse/WW-5407
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Kusal Kithul-Godage
>            Priority: Minor
>             Fix For: 6.5.0
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any logic to detect Hibernate proxies which may also present a security risk.
>
> Additionally, the current option only forbids access to members which originate from a proxy. However, it makes more sense to forbid access to proxy objects entirely. This is because proxying is often used for sensitive instances, application beans or Hibernate objects. None of which is safe to be accessed or manipulated via OGNL. Thus, let's introduce an additional option {{struts.disallowProxyObjectAccess}} which will offer stronger protection.
>
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, this can potentially be attacked and lead to a memory leak or DoS. Let's replace it with a Caffeine cache as we have done previously for the OGNL expression cache.
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915771=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915771 ]

ASF GitHub Bot logged work on WW-5419:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 22/Apr/24 09:19
            Start Date: 22/Apr/24 09:19
    Worklog Time Spent: 10m
      Work Description:
gregh3269 commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2068902244

   Looks ok (for webapp/WEB-INF/*tiles*.xml)

Issue Time Tracking
-------------------

            Worklog Id:     (was: 915771)
            Time Spent: 1.5h  (was: 1h 20m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> ----------------------------------------------
>
>                 Key: WW-5419
>                 URL: https://issues.apache.org/jira/browse/WW-5419
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tiles
>    Affects Versions: 6.4.0
>            Reporter: Markus Fischer
>            Assignee: Lukasz Lenart
>            Priority: Blocker
>             Fix For: 6.5.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Starting in 6.4.0 a tiles definition in {{/WEB-INF/tiles.xml}} is not found automatically anymore. The problem arises only if the definition in web.xml contains no param section:
>
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
> {code}
>
> The workaround is to specify the specific location:
>
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
>
> <context-param>
>     <param-name>org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG</param-name>
>     <param-value>/WEB-INF/tiles.xml</param-value>
> </context-param>
> {code}
>
> The issue has been introduced by this [change|https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915741=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915741 ]

ASF GitHub Bot logged work on WW-5419:
--------------------------------------

                Author: ASF GitHub Bot
            Created on: 22/Apr/24 04:56
            Start Date: 22/Apr/24 04:56
    Worklog Time Spent: 10m
      Work Description:
sonarcloud[bot] commented on PR #920:
URL: https://github.com/apache/struts/pull/920#issuecomment-2068488890

   ## [Quality Gate Passed](https://sonarcloud.io/dashboard?id=apache_struts=920)

   **Quality Gate passed**

   Issues

   - [2 New issues](https://sonarcloud.io/project/issues?id=apache_struts=920=false=true)
   - [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=920=new_accepted_issues=list)

   Measures

   - [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=920=false=true)
   - [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_coverage=list)
   - [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_duplicated_lines_density=list)

   [See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=920)

Issue Time Tracking
-------------------

            Worklog Id:     (was: 915741)
            Time Spent: 1h 20m  (was: 1h 10m)

> Autoloading of tiles.xml fails in Struts-6.4.0
> ----------------------------------------------
>
>                 Key: WW-5419
>                 URL: https://issues.apache.org/jira/browse/WW-5419
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tiles
>    Affects Versions: 6.4.0
>            Reporter: Markus Fischer
>            Assignee: Lukasz Lenart
>            Priority: Blocker
>             Fix For: 6.5.0
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Starting in 6.4.0 a tiles definition in {{/WEB-INF/tiles.xml}} is not found automatically anymore. The problem arises only if the definition in web.xml contains no param section:
>
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
> {code}
>
> The workaround is to specify the specific location:
>
> {code:xml}
> <listener>
>     <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
> </listener>
>
> <context-param>
>     <param-name>org.apache.tiles.definition.DefinitionsFactory.DEFINITIONS_CONFIG</param-name>
>     <param-value>/WEB-INF/tiles.xml</param-value>
> </context-param>
> {code}
>
> The issue has been introduced by this [change|https://github.com/apache/struts/pull/896/commits/c7ae614824b4c158b9998575294d94fe9a746c41]
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915740=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915740 ]
ASF GitHub Bot logged work on WW-5419:
Author: ASF GitHub Bot
Created on: 22/Apr/24 04:50
Start Date: 22/Apr/24 04:50
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on code in PR #920: URL: https://github.com/apache/struts/pull/920#discussion_r1574120929
## plugins/tiles/src/main/java/org/apache/struts2/tiles/StrutsTilesContainerFactory.java: ##
@@ -105,19 +102,8 @@ public class StrutsTilesContainerFactory extends BasicTilesContainerFactory { /** * Default pattern to be used to collect Tiles definitions if user didn't configure any - * - * @deprecated since Struts 6.4.0, use {@link #TILES_DEFAULT_PATTERNS} instead */ -@Deprecated -public static final String TILES_DEFAULT_PATTERN = "/WEB-INF/**/tiles*.xml,classpath*:META-INF/**/tiles*.xml"; - -/** - * Default pattern to be used to collect Tiles definitions if user didn't configure any - */ -public static final Set TILES_DEFAULT_PATTERNS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
Review Comment: Right, fixed
Issue Time Tracking
Worklog Id: (was: 915740)
Time Spent: 1h 10m (was: 1h)
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915738=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915738 ]
ASF GitHub Bot logged work on WW-5419:
Author: ASF GitHub Bot
Created on: 22/Apr/24 04:04
Start Date: 22/Apr/24 04:04
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #920: URL: https://github.com/apache/struts/pull/920#discussion_r1574096815
## plugins/tiles/src/main/java/org/apache/struts2/tiles/StrutsTilesContainerFactory.java: ##
@@ -105,19 +102,8 @@ public class StrutsTilesContainerFactory extends BasicTilesContainerFactory { /** * Default pattern to be used to collect Tiles definitions if user didn't configure any - * - * @deprecated since Struts 6.4.0, use {@link #TILES_DEFAULT_PATTERNS} instead */ -@Deprecated -public static final String TILES_DEFAULT_PATTERN = "/WEB-INF/**/tiles*.xml,classpath*:META-INF/**/tiles*.xml"; - -/** - * Default pattern to be used to collect Tiles definitions if user didn't configure any - */ -public static final Set TILES_DEFAULT_PATTERNS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
Review Comment: Technically you need to deprecate this since it's been released in 6.4.0. But also there's no need to create the set anew each time below. You can just keep this field as is and update the value like so:
```
public static final Set TILES_DEFAULT_PATTERNS = TextParseUtil.commaDelimitedStringToSet("*tiles*.xml");
```
Issue Time Tracking
Worklog Id: (was: 915738)
Time Spent: 1h (was: 50m)
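Review bot: Removing `TILES_DEFAULT_PATTERN` and `TILES_DEFAULT_PATTERNS` outright breaks any code that has referenced them since 6.4.0 (the deleted Javadoc itself reads `@deprecated since Struts 6.4.0`); keep both public fields, leave the old one `@Deprecated`, and change only the value, as the comment above suggests. The hunk as shown also stops at `Arrays.asList(`, so the default that replaces `/WEB-INF/**/tiles*.xml,classpath*:META-INF/**/tiles*.xml` is not visible here; the PR should state the new default explicitly, because that default decides whether a bare `/WEB-INF/tiles.xml` is picked up without a `DEFINITIONS_CONFIG` param, which is exactly the failure WW-5419 reports.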
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915700=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915700 ]
ASF GitHub Bot logged work on WW-5419:
Author: ASF GitHub Bot
Created on: 21/Apr/24 12:17
Start Date: 21/Apr/24 12:17
Worklog Time Spent: 10m
Work Description: sonarcloud[bot] commented on PR #920: URL: https://github.com/apache/struts/pull/920#issuecomment-2068023444
## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=920) **Quality Gate passed**
Issues
- [0 New issues](https://sonarcloud.io/project/issues?id=apache_struts=920=false=true)
- [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=920=new_accepted_issues=list)
Measures
- [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=920=false=true)
- [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_coverage=list)
- [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_duplicated_lines_density=list)
[See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=920)
Issue Time Tracking
Worklog Id: (was: 915700)
Time Spent: 50m (was: 40m)
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915699=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915699 ]
ASF GitHub Bot logged work on WW-5419:
Author: ASF GitHub Bot
Created on: 21/Apr/24 11:49
Start Date: 21/Apr/24 11:49
Worklog Time Spent: 10m
Work Description: sonarcloud[bot] commented on PR #920: URL: https://github.com/apache/struts/pull/920#issuecomment-2068015616
## [![Quality Gate Passed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-passed-20px.png 'Quality Gate Passed')](https://sonarcloud.io/dashboard?id=apache_struts=920) **Quality Gate passed**
Issues
- [1 New issue](https://sonarcloud.io/project/issues?id=apache_struts=920=false=true)
- [0 Accepted issues](https://sonarcloud.io/component_measures?id=apache_struts=920=new_accepted_issues=list)
Measures
- [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=920=false=true)
- [100.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_coverage=list)
- [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_duplicated_lines_density=list)
[See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=920)
Issue Time Tracking
Worklog Id: (was: 915699)
Time Spent: 40m (was: 0.5h)
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915696=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915696 ]
ASF GitHub Bot logged work on WW-5419:
Author: ASF GitHub Bot
Created on: 21/Apr/24 08:51
Start Date: 21/Apr/24 08:51
Worklog Time Spent: 10m
Work Description: sonarcloud[bot] commented on PR #920: URL: https://github.com/apache/struts/pull/920#issuecomment-2067965128
## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=920) **Quality Gate failed**
Failed conditions
- [8 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_struts=920=false=true)
- [28.6% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_coverage=list) (required ≥ 80%)
- [4.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=apache_struts=920=new_duplicated_lines_density=list) (required ≤ 3%)
- [E Reliability Rating on New Code](https://sonarcloud.io/dashboard?id=apache_struts=920) (required ≥ A)
- [E Security Rating on New Code](https://sonarcloud.io/dashboard?id=apache_struts=920) (required ≥ A)
[See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=920)
Issue Time Tracking
Worklog Id: (was: 915696)
Time Spent: 0.5h (was: 20m)
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915695=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915695 ]
ASF GitHub Bot logged work on WW-5419:
Author: ASF GitHub Bot
Created on: 21/Apr/24 08:44
Start Date: 21/Apr/24 08:44
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on PR #920: URL: https://github.com/apache/struts/pull/920#issuecomment-2067963221
/cc: @gregh3269
Issue Time Tracking
Worklog Id: (was: 915695)
Time Spent: 20m (was: 10m)
[jira] [Work logged] (WW-5419) Autoloading of tiles.xml fails in Struts-6.4.0
[ https://issues.apache.org/jira/browse/WW-5419?focusedWorklogId=915694=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915694 ]
ASF GitHub Bot logged work on WW-5419:
Author: ASF GitHub Bot
Created on: 21/Apr/24 08:43
Start Date: 21/Apr/24 08:43
Worklog Time Spent: 10m
Work Description: lukaszlenart opened a new pull request, #920: URL: https://github.com/apache/struts/pull/920
Closes [WW-5419](https://issues.apache.org/jira/browse/WW-5419)
Issue Time Tracking
Worklog Id: (was: 915694)
Remaining Estimate: 0h
Time Spent: 10m
[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies
[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=915687=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915687 ]
ASF GitHub Bot logged work on WW-5407:
Author: ASF GitHub Bot
Created on: 20/Apr/24 21:38
Start Date: 20/Apr/24 21:38
Worklog Time Spent: 10m
Work Description: asf-ci commented on PR #234: URL: https://github.com/apache/struts-site/pull/234#issuecomment-2067788162
Staged site is ready at https://struts.staged.apache.org/
Issue Time Tracking
Worklog Id: (was: 915687)
Time Spent: 2.5h (was: 2h 20m)
> Extend SecurityMemberAccess proxy detection to Hibernate proxies
>
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any logic to detect Hibernate proxies, which may also present a security risk.
> Additionally, the current option only forbids access to members which originate from a proxy. However, it makes more sense to forbid access to proxy objects entirely. This is because proxying is often used for sensitive instances, application beans or Hibernate objects, none of which is safe to be accessed or manipulated via OGNL. Thus, let's introduce an additional option {{struts.disallowProxyObjectAccess}} which will offer stronger protection.
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map; this can potentially be attacked and lead to a memory leak or DoS. Let's replace it with a Caffeine cache as we have done previously for the OGNL expression cache.
[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0
[ https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=915667=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915667 ]
ASF GitHub Bot logged work on WW-5353:
Author: ASF GitHub Bot
Created on: 20/Apr/24 12:39
Start Date: 20/Apr/24 12:39
Worklog Time Spent: 10m
Work Description: sonarcloud[bot] commented on PR #919: URL: https://github.com/apache/struts/pull/919#issuecomment-2067661329
## [![Quality Gate Failed](https://sonarsource.github.io/sonarcloud-github-static-resources/v2/checks/QualityGateBadge/qg-failed-20px.png 'Quality Gate Failed')](https://sonarcloud.io/dashboard?id=apache_struts=919) **Quality Gate failed**
Failed conditions
- [76.9% Coverage on New Code](https://sonarcloud.io/component_measures?id=apache_struts=919=new_coverage=list) (required ≥ 80%)
- [C Reliability Rating on New Code](https://sonarcloud.io/dashboard?id=apache_struts=919) (required ≥ A)
[See analysis details on SonarCloud](https://sonarcloud.io/dashboard?id=apache_struts=919)
Issue Time Tracking
Worklog Id: (was: 915667)
Time Spent: 0.5h (was: 20m)
> Implement stronger security defaults in Struts 7.0
>
> Key: WW-5353
> URL: https://issues.apache.org/jira/browse/WW-5353
> Project: Struts 2
> Issue Type: Improvement
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 7.0.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> {{struts.ognl.allowStaticFieldAccess=false}}
> {{struts.ognl.excludedNodeTypes=}}
> {{struts.ognl.expressionMaxLength=150}}
> {{struts.disallowDefaultPackageAccess=true}}
> {{struts.disallowProxyMemberAccess=true}}
> {{struts.parameters.requireAnnotations=true}}
> {{struts.ognl.disallowCustomOgnlMap=true}}
> {{struts.allowlist.enable=true}}
[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0
[ https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=915663=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915663 ]
ASF GitHub Bot logged work on WW-5353:
Author: ASF GitHub Bot
Created on: 20/Apr/24 12:00
Start Date: 20/Apr/24 12:00
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #919: URL: https://github.com/apache/struts/pull/919#discussion_r1573262299
## core/src/main/java/org/apache/struts2/util/StrutsTestCaseHelper.java: ##
@@ -22,23 +22,26 @@ import com.opensymphony.xwork2.inject.Container; import com.opensymphony.xwork2.util.ValueStack; import com.opensymphony.xwork2.util.ValueStackFactory; -import org.apache.struts2.dispatcher.Dispatcher; -import org.apache.struts2.dispatcher.DispatcherErrorHandler; - import jakarta.servlet.ServletContext; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import org.apache.struts2.dispatcher.Dispatcher; +import org.apache.struts2.dispatcher.DispatcherErrorHandler; + +import java.util.HashMap; import java.util.Map; -import static java.util.Collections.emptyMap; +import static org.apache.struts2.StrutsConstants.STRUTS_ALLOWLIST_ENABLE; /** * Generic test setup methods to be used with any unit testing framework. */ public class StrutsTestCaseHelper { public static Dispatcher initDispatcher(ServletContext ctx, Map params) { -Dispatcher du = new DispatcherWrapper(ctx, params != null ? params : emptyMap()); +var finalParams = new HashMap<>(params); +finalParams.putIfAbsent(STRUTS_ALLOWLIST_ENABLE, "false");
Review Comment: I think it makes sense to keep the allowlist disabled for unit tests as the auto-allowlisting is only effective in production applications
Issue Time Tracking
Worklog Id: (was: 915663)
Time Spent: 20m (was: 10m)
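Review bot: The null tolerance of `initDispatcher` is lost in this hunk: the removed line accepted `params == null` through `emptyMap()`, but `new HashMap<>(params)` throws `NullPointerException` on a null argument, and the `emptyMap` static import is removed in the same hunk, so nothing else guards it; keep the fallback, e.g. `var finalParams = new HashMap<>(params != null ? params : Map.of());`. The `putIfAbsent(STRUTS_ALLOWLIST_ENABLE, "false")` line also deserves a Javadoc note on the method, since it silently switches the new allowlist default off for every test built through this helper; a test that wants to exercise the allowlist must pass `struts.allowlist.enable=true` itself, and without that note a test could appear to cover it while actually running with it disabled.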
[jira] [Work logged] (WW-5353) Implement stronger security defaults in Struts 7.0
[ https://issues.apache.org/jira/browse/WW-5353?focusedWorklogId=915660=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915660 ]
ASF GitHub Bot logged work on WW-5353:
Author: ASF GitHub Bot
Created on: 20/Apr/24 11:09
Start Date: 20/Apr/24 11:09
Worklog Time Spent: 10m
Work Description: kusalk opened a new pull request, #919: URL: https://github.com/apache/struts/pull/919
WW-5353
Issue Time Tracking
Worklog Id: (was: 915660)
Remaining Estimate: 0h
Time Spent: 10m
[jira] [Work logged] (WW-5418) Patch Struts security bugs
[ https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915657=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915657 ]
ASF GitHub Bot logged work on WW-5418:
Author: ASF GitHub Bot
Created on: 20/Apr/24 10:01
Start Date: 20/Apr/24 10:01
Worklog Time Spent: 10m
Work Description: kusalk merged PR #916: URL: https://github.com/apache/struts/pull/916
Issue Time Tracking
Worklog Id: (was: 915657)
Time Spent: 40m (was: 0.5h)
> Patch Struts security bugs
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Critical
> Labels: security
> Fix For: 6.5.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> This change includes:
> - Forbid accessing enums
> - Exclude Tomcat Jasper classes
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915480=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915480 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 19/Apr/24 07:47
Start Date: 19/Apr/24 07:47
Worklog Time Spent: 10m
Work Description: kusalk merged PR #915: URL: https://github.com/apache/struts/pull/915
Issue Time Tracking
Worklog Id: (was: 915480)
Time Spent: 1h 50m (was: 1h 40m)
> Patch OGNL security bugs
>
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable
[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=915479=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915479 ]
ASF GitHub Bot logged work on WW-5409:
Author: ASF GitHub Bot
Created on: 19/Apr/24 07:47
Start Date: 19/Apr/24 07:47
Worklog Time Spent: 10m
Work Description: kusalk merged PR #914: URL: https://github.com/apache/struts/pull/914
Issue Time Tracking
Worklog Id: (was: 915479)
Time Spent: 1h 10m (was: 1h)
> Introduce final attribute to package elements which makes them unextendable
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts, but there are some quirks that, if a developer is not aware of them, can lead to critical vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element. Take the following package:
> {code:xml}
> {code}
> If it is extended by another package like so:
> {code:xml}
> {code}
> The second package will inherit Action1; however, it will behave very differently in Package2, because it is no longer subject to the same interceptors. The {{default-interceptor-ref}} value from the first package does not apply to any action in the extending package, not even the ones defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very familiar with Struts. They could simply have extended the package to obtain access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially sensitive packages as 'final' to prevent certain Actions from being inherited by other packages.
> This would look like the following:
> {code:xml}
> {code}
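An added illustration of the quirk and the mitigation described in this issue, written for this page and not taken from the issue or the Struts project: a constructed struts.xml in which package1 guards its actions through default-interceptor-ref, package2 extends it without redeclaring that default, and package3 is marked final. The class names under com.example, the attribute spelling final="true", and the omission of the DOCTYPE are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example for WW-5409 (not project code). DOCTYPE omitted;
     classes under com.example are hypothetical. -->
<struts>

  <!-- package1 guards every action it declares with an authorization interceptor,
       applied via default-interceptor-ref so action1 does not have to list it. -->
  <package name="package1" namespace="/secure" extends="struts-default">
    <interceptors>
      <interceptor name="authz" class="com.example.AuthorizationInterceptor"/>
      <interceptor-stack name="secureStack">
        <interceptor-ref name="authz"/>
        <interceptor-ref name="defaultStack"/>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="secureStack"/>

    <action name="action1" class="com.example.Action1">
      <result>/WEB-INF/jsp/action1.jsp</result>
    </action>
  </package>

  <!-- The developer error the issue describes: package2 extends package1 only to
       reuse its interceptors and results, and thereby also inherits action1 under
       /public. As the issue states, package1's default-interceptor-ref does not
       carry over, so action1 reached as /public/action1 no longer runs secureStack. -->
  <package name="package2" namespace="/public" extends="package1">
    <!-- Fix at this level: redeclare the default so inherited actions stay guarded.
         <default-interceptor-ref name="secureStack"/> -->
    <action name="action2" class="com.example.Action2">
      <result>/WEB-INF/jsp/action2.jsp</result>
    </action>
  </package>

  <!-- Mitigation introduced by WW-5409: a final package cannot be extended, so its
       guarded actions can never be inherited into a package with a weaker default.
       final="true" is the assumed spelling of the new attribute. -->
  <package name="package3" namespace="/admin" extends="package1" final="true">
    <!-- Redeclared on purpose: inherited from package1, but not carried over. -->
    <default-interceptor-ref name="secureStack"/>
    <action name="action3" class="com.example.Action3">
      <result>/WEB-INF/jsp/action3.jsp</result>
    </action>
  </package>

  <!-- A further <package name="package4" extends="package3"> would be rejected when
       the configuration loads, which is the point of marking package3 final. -->

</struts>
```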
[jira] [Work logged] (WW-5418) Patch Struts security bugs
[ https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915455=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915455 ]
ASF GitHub Bot logged work on WW-5418:
Author: ASF GitHub Bot
Created on: 19/Apr/24 06:14
Start Date: 19/Apr/24 06:14
Worklog Time Spent: 10m
Work Description: kusalk commented on PR #916: URL: https://github.com/apache/struts/pull/916#issuecomment-2065832941
It is indeed - but I think the security benefits should come first in this scenario
Issue Time Tracking
Worklog Id: (was: 915455)
Time Spent: 0.5h (was: 20m)
> Patch Struts security bugs
>
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915441=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915441 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 19/Apr/24 04:59
Start Date: 19/Apr/24 04:59
Worklog Time Spent: 10m
Work Description: jefferyxhy commented on code in PR #915: URL: https://github.com/apache/struts/pull/915#discussion_r1571794179
## pom.xml: ##
@@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.5
Review Comment: @lukaszlenart updated with 3.3.5. Thanks
Issue Time Tracking
Worklog Id: (was: 915441)
Time Spent: 1.5h (was: 1h 20m)
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915442=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915442 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 19/Apr/24 04:59
Start Date: 19/Apr/24 04:59
Worklog Time Spent: 10m
Work Description: jefferyxhy commented on code in PR #915: URL: https://github.com/apache/struts/pull/915#discussion_r1571794402
## pom.xml: ##
@@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.4-atlassian-1
Review Comment: Updated. Thanks

Issue Time Tracking
Worklog Id: (was: 915442)
Time Spent: 1h 40m (was: 1.5h)

> Patch OGNL security bugs
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 1h 40m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915438=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915438 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 19/Apr/24 04:55
Start Date: 19/Apr/24 04:55
Worklog Time Spent: 10m
Work Description: lukaszlenart commented on code in PR #915: URL: https://github.com/apache/struts/pull/915#discussion_r1571790904
## pom.xml: ##
@@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.4-atlassian-1
Review Comment: Try to use the 3.3.5 version

Issue Time Tracking
Worklog Id: (was: 915438)
Time Spent: 1h 20m (was: 1h 10m)

> Patch OGNL security bugs
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 1h 20m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload
[ https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915415=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915415 ]
ASF GitHub Bot logged work on WW-5406:
Author: ASF GitHub Bot
Created on: 18/Apr/24 22:37
Start Date: 18/Apr/24 22:37
Worklog Time Spent: 10m
Work Description: kusalk merged PR #917: URL: https://github.com/apache/struts/pull/917

Issue Time Tracking
Worklog Id: (was: 915415)
Time Spent: 2h 50m (was: 2h 40m)

> Action excluded patterns are not updated following a configuration reload
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
> Time Spent: 2h 50m
> Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or {{struts.action.excludePattern.separator}} are updated during runtime, the changes are not reflected in the application behaviour due to these constants only being read exactly once. This is not consistent with all other configuration which is re-injected following a configuration reload.
[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload
[ https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915303=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915303 ]
ASF GitHub Bot logged work on WW-5406:
Author: ASF GitHub Bot
Created on: 18/Apr/24 12:35
Start Date: 18/Apr/24 12:35
Worklog Time Spent: 10m
Work Description: sonarcloud[bot] commented on PR #917: URL: https://github.com/apache/struts/pull/917#issuecomment-2063764420
Quality Gate passed
Issues: 0 New issues, 0 Accepted issues
Measures: 0 Security Hotspots, 94.1% Coverage on New Code, 0.0% Duplication on New Code
See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=917

Issue Time Tracking
Worklog Id: (was: 915303)
Time Spent: 2h 40m (was: 2.5h)

> Action excluded patterns are not updated following a configuration reload
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
> Time Spent: 2h 40m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload
[ https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=915302=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915302 ]
ASF GitHub Bot logged work on WW-5406:
Author: ASF GitHub Bot
Created on: 18/Apr/24 12:30
Start Date: 18/Apr/24 12:30
Worklog Time Spent: 10m
Work Description: kusalk opened a new pull request, #917: URL: https://github.com/apache/struts/pull/917

WW-5406 -- Fixing a minor bug I introduced with #910

Issue Time Tracking
Worklog Id: (was: 915302)
Time Spent: 2.5h (was: 2h 20m)

> Action excluded patterns are not updated following a configuration reload
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
> Time Spent: 2.5h
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915219=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915219 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:24
Start Date: 18/Apr/24 01:24
Worklog Time Spent: 10m
Work Description: kusalk commented on PR #915: URL: https://github.com/apache/struts/pull/915#issuecomment-2062827501

The builds are failing as the Atlassian forked release is not on the Central repo, it is only available on [our repo](https://packages.atlassian.com/maven-external/ognl/ognl/3.3.4-atlassian-1/). Anyway, this PR is just preparing for the merge and release of the corresponding OGNL PR (https://github.com/orphan-oss/ognl/pull/264)

Issue Time Tracking
Worklog Id: (was: 915219)
Time Spent: 1h 10m (was: 1h)

> Patch OGNL security bugs
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 1h 10m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5418) Patch Struts security bugs
[ https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915217=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915217 ]
ASF GitHub Bot logged work on WW-5418:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:20
Start Date: 18/Apr/24 01:20
Worklog Time Spent: 10m
Work Description: sonarcloud[bot] commented on PR #916: URL: https://github.com/apache/struts/pull/916#issuecomment-2062821751
Quality Gate passed
Issues: 0 New issues, 0 Accepted issues
Measures: 0 Security Hotspots, No data about Coverage, 0.0% Duplication on New Code
See analysis details on SonarCloud: https://sonarcloud.io/dashboard?id=apache_struts=916

Issue Time Tracking
Worklog Id: (was: 915217)
Time Spent: 20m (was: 10m)

> Patch Struts security bugs
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 20m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915218=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915218 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:20
Start Date: 18/Apr/24 01:20
Worklog Time Spent: 10m
Work Description: kusalk commented on PR #915: URL: https://github.com/apache/struts/pull/915#issuecomment-2062822004

Remaining tests are variations for full coverage and to prevent regressions

Issue Time Tracking
Worklog Id: (was: 915218)
Time Spent: 1h (was: 50m)

> Patch OGNL security bugs
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 1h
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915216=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915216 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:20
Start Date: 18/Apr/24 01:20
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #915: URL: https://github.com/apache/struts/pull/915#discussion_r1569763288
## core/src/test/java/org/apache/struts2/ognl/OgnlSetPossiblePropertyTest.java: ##
@@ -0,0 +1,240 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.struts2.ognl; + +import com.opensymphony.xwork2.XWorkTestCase; +import com.opensymphony.xwork2.ognl.OgnlValueStack; +import com.opensymphony.xwork2.util.ValueStackFactory; +import ognl.OgnlRuntime; +import org.apache.struts2.StrutsConstants; + +import java.lang.reflect.Method; +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertNotEquals; + +public class OgnlSetPossiblePropertyTest extends XWorkTestCase { +private OgnlValueStack vs; + +public T setUpClass(Class holderClass) throws Exception { +Map properties = new HashMap<>(); +properties.put(StrutsConstants.STRUTS_EXCLUDED_CLASSES, holderClass.getName() + "$ExcludedField"); +loadButSet(properties); +vs = (OgnlValueStack) container.getInstance(ValueStackFactory.class).createValueStack(); + +T nonExcludedHolder = holderClass.getDeclaredConstructor().newInstance(); +vs.push(nonExcludedHolder); + +return nonExcludedHolder; +} + +public void testSetFieldValueDontAssignWhenHolderClassAndFieldClassHaveOnlyPublicFields() throws Exception { +/* Case: to test setFieldValue without having set method + * + * NonExcludedHolder class + * - field: 
public + * ExcludeField class + * - field: public + */ +HolderWithPublicField holder = setUpClass(HolderWithPublicField.class); +vs.setValue("excludedField.excludedFieldString", "EXPLOITED"); + +assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString); +} + +public void testSetMethodValueDontAssignWhenHolderAndFieldClassWithPublicMethodsAndPrivateFields() throws Exception { +/* Case: to test setMethodValue, so to make fields as private + * + * NonExcludedHolder class + * - field: private + * - method: public + * ExcludeField class + * - field: private + * - method: public + */ +HolderWithPublicMethod holder = setUpClass(HolderWithPublicMethod.class); +vs.setValue("excludedField.excludedFieldString", "EXPLOITED"); + +assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString); +} + +public void testSetFieldValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicField() throws Exception { +/* Case: to test setFieldValue when holder get method is public and field class set method is private so fallback to set field + * + * NonExcludedHolder class + * - field: private + * - method: public + * ExcludeField class + * - field: public + * - method: private + */ +HolderWhoseFieldWithPrivateMethod holder = setUpClass(HolderWhoseFieldWithPrivateMethod.class); +vs.setValue("excludedField.excludedFieldString", "EXPLOITED"); + +assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString); +} + +public void testSetMethodValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicMethod() throws Exception { +/* Case: to test setMethodValue when holder get method is public and field class field is private so only call to set method + * + * NonExcludedHolder class + * - field: private + * - method: public + * ExcludeField class + * - field: private + * - method: public + */ +HolderWhoseFieldWithPublicMethod
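Review bot: every test in this hunk asserts only the negative outcome (`assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString)`), which would also pass if `vs.setValue` were broken for every target, not just the excluded class; add a positive control alongside each case, for instance writing a property on the non-excluded holder pushed in `setUpClass` and asserting that write succeeded, so the tests prove the block is specific to the `$ExcludedField` class listed in `STRUTS_EXCLUDED_CLASSES` rather than a general failure to set anything.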
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915215=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915215 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:19
Start Date: 18/Apr/24 01:19
Worklog Time Spent: 10m
Work Description: kusalk commented on code in PR #915: URL: https://github.com/apache/struts/pull/915#discussion_r1569762650
## core/src/test/java/org/apache/struts2/ognl/OgnlSetPossiblePropertyTest.java: ##
@@ -0,0 +1,240 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.struts2.ognl; + +import com.opensymphony.xwork2.XWorkTestCase; +import com.opensymphony.xwork2.ognl.OgnlValueStack; +import com.opensymphony.xwork2.util.ValueStackFactory; +import ognl.OgnlRuntime; +import org.apache.struts2.StrutsConstants; + +import java.lang.reflect.Method; +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertNotEquals; + +public class OgnlSetPossiblePropertyTest extends XWorkTestCase { +private OgnlValueStack vs; + +public T setUpClass(Class holderClass) throws Exception { +Map properties = new HashMap<>(); +properties.put(StrutsConstants.STRUTS_EXCLUDED_CLASSES, holderClass.getName() + "$ExcludedField"); +loadButSet(properties); +vs = (OgnlValueStack) container.getInstance(ValueStackFactory.class).createValueStack(); + +T nonExcludedHolder = holderClass.getDeclaredConstructor().newInstance(); +vs.push(nonExcludedHolder); + +return nonExcludedHolder; +} + +public void testSetFieldValueDontAssignWhenHolderClassAndFieldClassHaveOnlyPublicFields() throws Exception { +/* Case: to test setFieldValue without having set method + * + * NonExcludedHolder class + * - field: 
public + * ExcludeField class + * - field: public + */ +HolderWithPublicField holder = setUpClass(HolderWithPublicField.class); +vs.setValue("excludedField.excludedFieldString", "EXPLOITED"); + +assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString); +} + +public void testSetMethodValueDontAssignWhenHolderAndFieldClassWithPublicMethodsAndPrivateFields() throws Exception { +/* Case: to test setMethodValue, so to make fields as private + * + * NonExcludedHolder class + * - field: private + * - method: public + * ExcludeField class + * - field: private + * - method: public + */ +HolderWithPublicMethod holder = setUpClass(HolderWithPublicMethod.class); +vs.setValue("excludedField.excludedFieldString", "EXPLOITED"); + +assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString); +} + +public void testSetFieldValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicField() throws Exception { +/* Case: to test setFieldValue when holder get method is public and field class set method is private so fallback to set field + * + * NonExcludedHolder class + * - field: private + * - method: public + * ExcludeField class + * - field: public + * - method: private + */ +HolderWhoseFieldWithPrivateMethod holder = setUpClass(HolderWhoseFieldWithPrivateMethod.class); +vs.setValue("excludedField.excludedFieldString", "EXPLOITED"); + +assertNotEquals("EXPLOITED", holder.excludedField.excludedFieldString); +} + +public void testSetMethodValueDontAssignWhenHolderClassWithGetMethodAndFieldClassWithPublicMethod() throws Exception { +/* Case: to test setMethodValue when holder get method is public and field class field is private so only call to set method + * + * NonExcludedHolder class + * - field: private + * - method: public + * ExcludeField class + * - field: private + * - method: public + */ +HolderWhoseFieldWithPublicMethod
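Review bot: as rendered here, `public T setUpClass(Class holderClass)` declares a return type `T` with no visible `<T>` type parameter and uses raw `Class` and `Map` types, which would not compile as written; unless this is only an artifact of how the diff is displayed, declare it `public <T> T setUpClass(Class<T> holderClass)` and type the properties map as `Map<String, String>`. The `ognl.OgnlRuntime` and `java.lang.reflect.Method` imports are also unused in the visible portion of the file; drop them if the remaining tests do not need them.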
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915214=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915214 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:15
Start Date: 18/Apr/24 01:15
Worklog Time Spent: 10m
Work Description: jefferyxhy commented on code in PR #915: URL: https://github.com/apache/struts/pull/915#discussion_r1569753380
## pom.xml: ##
@@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.4-atlassian-1
Review Comment: To be replaced with 3.3.5 once released [OGNL patch PR](https://github.com/orphan-oss/ognl/pull/264)

Issue Time Tracking
Worklog Id: (was: 915214)
Time Spent: 0.5h (was: 20m)

> Patch OGNL security bugs
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 0.5h
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5418) Patch Struts security bugs
[ https://issues.apache.org/jira/browse/WW-5418?focusedWorklogId=915213=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915213 ]
ASF GitHub Bot logged work on WW-5418:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:14
Start Date: 18/Apr/24 01:14
Worklog Time Spent: 10m
Work Description: kusalk opened a new pull request, #916: URL: https://github.com/apache/struts/pull/916

WW-5418 --

Issue Time Tracking
Worklog Id: (was: 915213)
Remaining Estimate: 0h
Time Spent: 10m

> Patch Struts security bugs
> Key: WW-5418
> URL: https://issues.apache.org/jira/browse/WW-5418
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 10m
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915212=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915212 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:08
Start Date: 18/Apr/24 01:08
Worklog Time Spent: 10m
Work Description: jefferyxhy commented on code in PR #915: URL: https://github.com/apache/struts/pull/915#discussion_r1569753380
## pom.xml: ##
@@ -112,7 +112,7 @@ 9.6 2.16.1 2.23.1 -3.3.4 +3.3.4-atlassian-1
Review Comment: To be replaced with 3.3.5 once released [OGNL patch PR](https://github.com/orphan-oss/ognl/pull/263)

Issue Time Tracking
Worklog Id: (was: 915212)
Time Spent: 20m (was: 10m)

> Patch OGNL security bugs
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 20m
> Remaining Estimate: 0h
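Review bot: the `+3.3.4-atlassian-1` version in this pom.xml hunk is not a Maven Central artifact (the PR thread notes it resolves only from packages.atlassian.com), so the build fails for anyone without that repository configured; either declare the fork's repository in the pom for the interim or, as the reviewer suggests, wait for the Central-published 3.3.5 release that carries the upstream OGNL fix, and record in the PR which of the two the final merge depends on.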
[jira] [Work logged] (WW-5417) Patch OGNL security bugs
[ https://issues.apache.org/jira/browse/WW-5417?focusedWorklogId=915211=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915211 ]
ASF GitHub Bot logged work on WW-5417:
Author: ASF GitHub Bot
Created on: 18/Apr/24 01:06
Start Date: 18/Apr/24 01:06
Worklog Time Spent: 10m
Work Description: jefferyxhy opened a new pull request, #915: URL: https://github.com/apache/struts/pull/915

WW-5417 bump the Ognl version to fix the security issue that `ObjectPropertyAccessor#setPossibleProperty` bypasses the SecurityMemberAccess rights check.

*** From [Ognl PR](https://github.com/orphan-oss/ognl/pull/263) ***

`OgnlRuntime.setFieldValue` doesn't check member access rights via the `MemberAccess` interface

**Reason**
* Investigation shows that `getMethodValue` / `setMethodValue` / `getFieldValue` are all updated with a member access rights check but not `setFieldValue`, which causes `ObjectPropertyAccessor#setPossibleProperty` to be exposed to a security vuln.
* `ObjectPropertyAccessor#setPossibleProperty` has a fallback mechanism using `getWriteMethod` which also lacks a member access rights check

**Changes/ Solution**
* add a field member access check to `OgnlRuntime#setFieldValue` that is controlled by the parameter `checkAccessAndExistence`
* add a method member access check to the `ObjectPropertyAccessor#setPossibleProperty` code block that uses `OgnlRuntime#getWriteMethod`

**Result & Impact**
now `ObjectPropertyAccessor#setPossibleProperty` will also check member access rights when it falls back to:
* OgnlRuntime.setFieldValue
* a method invoke that comes from OgnlRuntime.getWriteMethod

Issue Time Tracking
Worklog Id: (was: 915211)
Remaining Estimate: 0h
Time Spent: 10m

> Patch OGNL security bugs
> Key: WW-5417
> URL: https://issues.apache.org/jira/browse/WW-5417
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 10m
> Remaining Estimate: 0h
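A simplified model of the gap the PR description above explains, as an added example that is not OGNL's or Struts' own code: a reflective property writer whose setter path consults the access policy but whose public-field fallback does not, with the same fallback gated by a flag that mirrors the `checkAccessAndExistence` parameter. `AccessPolicy`, `ExcludedClassPolicy`, `findSetter`, `Secret` and `Holder` are constructed stand-ins for OGNL's `MemberAccess`, `getWriteMethod` and the excluded classes in the tests.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.util.Set;

public class PossiblePropertyGuardDemo {

    /** Stand-in for OGNL's MemberAccess: may this member of this target be touched? */
    interface AccessPolicy {
        boolean isAccessible(Object target, Member member);
    }

    /** Deny every member declared by an excluded class, like struts.excludedClasses. */
    static final class ExcludedClassPolicy implements AccessPolicy {
        private final Set<Class<?>> excluded;

        ExcludedClassPolicy(Set<Class<?>> excluded) {
            this.excluded = excluded;
        }

        @Override
        public boolean isAccessible(Object target, Member member) {
            return !excluded.contains(member.getDeclaringClass());
        }
    }

    /** Minimal stand-in for getWriteMethod: a public single-argument setXxx(...) or null. */
    static Method findSetter(Class<?> type, String property) {
        String name = "set" + Character.toUpperCase(property.charAt(0)) + property.substring(1);
        for (Method m : type.getMethods()) {
            if (m.getName().equals(name) && m.getParameterCount() == 1) {
                return m;
            }
        }
        return null;
    }

    /**
     * Simplified setPossibleProperty. The setter branch always asks the policy.
     * With checkFieldAccess=false (the unpatched shape) a missing setter drops to a
     * public field write with no check at all; with checkFieldAccess=true (the fix,
     * mirroring the checkAccessAndExistence flag) the field path is gated too.
     * Returns true if the value was written.
     */
    static boolean setPossibleProperty(AccessPolicy policy, Object target, String property,
                                       Object value, boolean checkFieldAccess) throws Exception {
        Method setter = findSetter(target.getClass(), property);
        if (setter != null) {
            if (!policy.isAccessible(target, setter)) {
                return false;
            }
            setter.invoke(target, value);
            return true;
        }
        Field field = target.getClass().getField(property); // fallback for setter-less properties
        if (checkFieldAccess && !policy.isAccessible(target, field)) {
            return false;
        }
        field.set(target, value);
        return true;
    }

    /** Constructed sample types: Secret is on the excluded list, Holder is not. */
    public static class Secret {
        public String token = "initial";
    }

    public static class Holder {
        public Secret secret = new Secret();
        private String label = "initial";

        public String getLabel() { return label; }
        public void setLabel(String label) { this.label = label; }
    }

    public static void main(String[] args) throws Exception {
        AccessPolicy policy = new ExcludedClassPolicy(Set.<Class<?>>of(Secret.class));

        // Leaf write of "secret.token" after the evaluator has navigated to holder.secret.
        Holder holder = new Holder();
        boolean wrote = setPossibleProperty(policy, holder.secret, "token", "tampered", false);
        System.out.println("unpatched: wrote=" + wrote + " token=" + holder.secret.token);

        holder = new Holder();
        wrote = setPossibleProperty(policy, holder.secret, "token", "tampered", true);
        System.out.println("patched:   wrote=" + wrote + " token=" + holder.secret.token);

        // Positive control: an ordinary setter on the non-excluded holder still works.
        wrote = setPossibleProperty(policy, holder, "label", "renamed", true);
        System.out.println("patched:   wrote=" + wrote + " label=" + holder.getLabel());
    }
}
```

The unpatched call writes the excluded field even though the same policy would have refused a setter on that class; the patched call refuses it while the positive control on `Holder` still succeeds, which is the pairing the test file in PR #915 should also assert.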
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914447=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914447 ]
ASF GitHub Bot logged work on WW-5400:
Author: ASF GitHub Bot
Created on: 12/Apr/24 17:42
Start Date: 12/Apr/24 17:42
Worklog Time Spent: 10m
Work Description: eschulma commented on code in PR #913: URL: https://github.com/apache/struts/pull/913#discussion_r1562942223
## core/src/main/java/org/apache/struts2/interceptor/csp/CspSettings.java: ##
@@ -56,6 +57,11 @@ public interface CspSettings { */ void setReportUri(String uri); +/** + * Sets the report group where csp violation reports will be sent + */
Review Comment: Done

Issue Time Tracking
Worklog Id: (was: 914447)
Time Spent: 1h 10m (was: 1h)

> CSP interceptor only allows very limited configuration
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor provides an elegant solution with the and tags. However, I want to set my own base-uri. And perhaps make some other changes to the CSP headers.
> But these values are not accessible. Only the report-only and report-uri can be changed. Even if one is willing to work at the Action level and implement a new interface for all of them, I can't change the base-uri. I've seen people on Stack Overflow disable it for this reason. I want to use it, but could someone please explain how to set the base-uri globally? If not, I will likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the interceptor does it mention the script and link tags, and without those, it is useless!
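Review bot: the new Javadoc in this CspSettings.java hunk ("Sets the report group where csp violation reports will be sent") should say which directive the value feeds, since the interface already has `setReportUri` for the `report-uri` directive and a reader cannot tell from the comment that a report group is the `report-to` mechanism instead; spell it as "CSP" for consistency with the rest of the file and mention that the named group must also be declared in the corresponding reporting header for browsers to deliver reports.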
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914446=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914446 ]
ASF GitHub Bot logged work on WW-5400:
Author: ASF GitHub Bot
Created on: 12/Apr/24 17:41
Start Date: 12/Apr/24 17:41
Worklog Time Spent: 10m
Work Description: eschulma commented on code in PR #913: URL: https://github.com/apache/struts/pull/913#discussion_r1562941786
## core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java: ##
@@ -124,4 +153,11 @@ public void setPrependServletContext(boolean prependServletContext) { this.prependServletContext = prependServletContext; } -} +/** + * Sets the class name of the default {@link CspSettings} implementation to use when the action does not + * set its own values. If not set, the default is {@link DefaultCspSettings}. + */
Review Comment: Done

Issue Time Tracking
Worklog Id: (was: 914446)
Time Spent: 1h (was: 50m)

> CSP interceptor only allows very limited configuration
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
> Time Spent: 1h
> Remaining Estimate: 0h
[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies
[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914383=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914383 ]
ASF GitHub Bot logged work on WW-5407:
Author: ASF GitHub Bot
Created on: 12/Apr/24 10:40
Start Date: 12/Apr/24 10:40
Worklog Time Spent: 10m
Work Description: asf-ci commented on PR #234: URL: https://github.com/apache/struts-site/pull/234#issuecomment-2051510850

Staged site is ready at https://struts.staged.apache.org/

Issue Time Tracking
Worklog Id: (was: 914383)
Time Spent: 2h 20m (was: 2h 10m)

> Extend SecurityMemberAccess proxy detection to Hibernate proxies
> Key: WW-5407
> URL: https://issues.apache.org/jira/browse/WW-5407
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> The current option {{struts.disallowProxyMemberAccess}} does not have any logic to detect Hibernate proxies which may also present a security risk.
> Additionally, the current option only forbids access to members which originate from a proxy. However, it makes more sense to forbid access to proxy objects entirely. This is because proxying is often used for sensitive instances, application beans or Hibernate objects. None of which is safe to be accessed or manipulated via OGNL. Thus, let's introduce an additional option {{struts.disallowProxyObjectAccess}} which will offer stronger protection.
> Finally, the caching mechanism in the ProxyUtil class uses an unbounded map; this can potentially be attacked and lead to a memory leak or DoS. Let's replace it with a Caffeine cache as we have done previously for the OGNL expression cache.
[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies
[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914381=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914381 ] ASF GitHub Bot logged work on WW-5407: -- Author: ASF GitHub Bot Created on: 12/Apr/24 10:36 Start Date: 12/Apr/24 10:36 Worklog Time Spent: 10m Work Description: kusalk commented on code in PR #234: URL: https://github.com/apache/struts-site/pull/234#discussion_r1562373763 ## source/security/index.md: ## 
@@ -433,10 +433,16 @@ with other known dangerous classes or packages in your application. We additionally recommend enabling the following options (enabled by default in 7.0). - * `struts.ognl.allowStaticFieldAccess=false` - static methods are always blocked, but static fields can also optionally be blocked - * `struts.disallowProxyMemberAccess=true` - disallow proxied objects from being used in OGNL expressions as they may present a security risk Review Comment: I think it's best we push developers to use `struts.disallowProxyObjectAccess` rather than `struts.disallowProxyMemberAccess` Issue Time Tracking --- Worklog Id: (was: 914381) Time Spent: 2h 10m (was: 2h) > Extend SecurityMemberAccess proxy detection to Hibernate proxies > > > Key: WW-5407 > URL: https://issues.apache.org/jira/browse/WW-5407 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 2h 10m > Remaining Estimate: 0h > > The current option {{struts.disallowProxyMemberAccess}} does not have any > logic to detect Hibernate proxies which may also present a security risk. > Additionally, the current option only forbids access to members which > originate from a proxy. However, it makes more sense to forbid access to > proxy objects entirely. This is because proxying is often used for sensitive > instances, application beans or Hibernate objects. None of which is safe to > be accessed or manipulated via OGNL. Thus, let's introduce an additional > option {{struts.disallowProxyObjectAccess}} which will offer stronger > protection. > Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, > this can potentially be attacked and lead to a memory leak or DoS. Let's > replace it with a Caffeine cache as we have done previously for the OGNL > expression cache. -- This message was sent by Atlassian Jira (v8.20.10#820010)
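Review bot: the visible part of this hunk only removes the two recommended options (`struts.ognl.allowStaticFieldAccess=false` and `struts.disallowProxyMemberAccess=true`), so the replacement text should still list `struts.ognl.allowStaticFieldAccess=false` and, per the comment above, recommend `struts.disallowProxyObjectAccess=true` while stating that it is the stronger alternative to `struts.disallowProxyMemberAccess` (it blocks proxy objects entirely rather than only members originating from a proxy), so readers who already set the older option know to switch rather than treat the two as equivalent.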
[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies
[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914380=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914380 ] ASF GitHub Bot logged work on WW-5407: -- Author: ASF GitHub Bot Created on: 12/Apr/24 10:36 Start Date: 12/Apr/24 10:36 Worklog Time Spent: 10m Work Description: kusalk opened a new pull request, #234: URL: https://github.com/apache/struts-site/pull/234 WW-5407 WW-5408 -- Issue Time Tracking --- Worklog Id: (was: 914380) Time Spent: 2h (was: 1h 50m) > Extend SecurityMemberAccess proxy detection to Hibernate proxies > > > Key: WW-5407 > URL: https://issues.apache.org/jira/browse/WW-5407 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 2h > Remaining Estimate: 0h > > The current option {{struts.disallowProxyMemberAccess}} does not have any > logic to detect Hibernate proxies which may also present a security risk. > Additionally, the current option only forbids access to members which > originate from a proxy. However, it makes more sense to forbid access to > proxy objects entirely. This is because proxying is often used for sensitive > instances, application beans or Hibernate objects. None of which is safe to > be accessed or manipulated via OGNL. Thus, let's introduce an additional > option {{struts.disallowProxyObjectAccess}} which will offer stronger > protection. > Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, > this can potentially be attacked and lead to a memory leak or DoS. Let's > replace it with a Caffeine cache as we have done previously for the OGNL > expression cache. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved
[ https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914352=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914352 ] ASF GitHub Bot logged work on WW-5408: -- Author: ASF GitHub Bot Created on: 12/Apr/24 07:58 Start Date: 12/Apr/24 07:58 Worklog Time Spent: 10m Work Description: kusalk merged PR #912: URL: https://github.com/apache/struts/pull/912 Issue Time Tracking --- Worklog Id: (was: 914352) Time Spent: 1h 40m (was: 1.5h) > Add option to NOT fallback to empty namespace when unresolved > - > > Key: WW-5408 > URL: https://issues.apache.org/jira/browse/WW-5408 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1h 40m > Remaining Estimate: 0h > > Currently, when a namespace cannot be resolved from a request URL, it falls > back to the empty namespace. > This effectively allows all Actions which are defined for the empty namespace > to be accessed from an infinite number of endpoints. > For example, you may have an Action defined in the empty namespace, intended > for access at: > {{www.domain.com/login.action}} > However, due to the current fallback behaviour, this Action can actually be > accessed at any non-resolving namespace, eg.: > {{www.domain.com/what/about/this/login.action}} > This behaviour is not usually beneficial and could lead to bugs if a > developer only expects their Action to be accessible at a very specific URL. > Many developers may not be aware of these Action resolving quirks of Struts. > As far as I can tell, there is not currently an option to prevent this > behaviour, so I propose we add one. -- This message was sent by Atlassian Jira (v8.20.10#820010)
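The namespace fallback described in the issue above, modelled as an added Java example (this is not Struts code). The fallback condition `"/".equals(namespace) || fallbackToEmptyNamespace` is taken from the PR #912 hunk quoted later in this thread; everything else (the `NamespaceFallbackDemo` class, the string-keyed config map, the `split` helper and the sample action names) is an assumption made for illustration. Running it shows that with the flag left at its default of `true`, `/what/about/this/login.action` resolves to the empty-namespace login action, and with it set to `false` only the declared paths resolve.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Illustrative model of the action-config lookup discussed in WW-5408.
 * Assumption for the example: Struts' real logic lives in
 * DefaultConfiguration.getActionConfig; only the fallback condition below
 * is copied from the PR #912 hunk, the rest is constructed here.
 */
public class NamespaceFallbackDemo {

    /** Key = namespace + "#" + action name; value stands in for an ActionConfig. */
    private final Map<String, String> actionConfigs = new HashMap<>();
    private final boolean fallbackToEmptyNamespace;

    NamespaceFallbackDemo(boolean fallbackToEmptyNamespace) {
        this.fallbackToEmptyNamespace = fallbackToEmptyNamespace;
        // Constructed sample configuration: one action in the empty namespace
        // (intended only for /login.action) and one in an explicit namespace.
        actionConfigs.put("#login", "LoginAction (empty namespace)");
        actionConfigs.put("/admin#users", "UsersAction (/admin)");
    }

    /** Looks up an action; mirrors the fallback condition from the WW-5408 patch. */
    Optional<String> getActionConfig(String namespace, String name) {
        String config = actionConfigs.get(namespace + "#" + name);
        // Fail over to the empty namespace: always for the root namespace "/",
        // otherwise only when the legacy fallback is enabled.
        if (config == null && !namespace.isBlank()
                && ("/".equals(namespace) || fallbackToEmptyNamespace)) {
            config = actionConfigs.get("#" + name);
        }
        return Optional.ofNullable(config);
    }

    /** Splits a request path such as "/what/about/this/login.action" into namespace and action name. */
    static String[] split(String path) {
        int slash = path.lastIndexOf('/');
        String namespace = slash <= 0 ? "/" : path.substring(0, slash);
        String action = path.substring(slash + 1).replaceAll("\\.action$", "");
        return new String[] {namespace, action};
    }

    public static void main(String[] args) {
        String[] paths = {"/login.action", "/what/about/this/login.action", "/admin/users.action"};
        for (boolean fallback : new boolean[] {true, false}) {
            NamespaceFallbackDemo cfg = new NamespaceFallbackDemo(fallback);
            System.out.println("fallbackToEmptyNamespace=" + fallback);
            for (String p : paths) {
                String[] parts = split(p);
                System.out.printf("  %-32s -> %s%n", p,
                        cfg.getActionConfig(parts[0], parts[1]).orElse("no action (404)"));
            }
        }
    }
}
```

With the flag at `true` all three paths resolve, including the deep non-resolving namespace; with it at `false` the deep path returns no action while `/login.action` (root namespace, which always falls back) and `/admin/users.action` still resolve. That is the behavioural difference an operator should verify after turning the option off.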
[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable
[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914325=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914325 ] ASF GitHub Bot logged work on WW-5409: -- Author: ASF GitHub Bot Created on: 12/Apr/24 06:06 Start Date: 12/Apr/24 06:06 Worklog Time Spent: 10m Work Description: jefferyxhy commented on code in PR #914: URL: https://github.com/apache/struts/pull/914#discussion_r1562054799 ## core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java: ## 
@@ -54,6 +54,7 @@ public class StrutsXmlConfigurationProvider extends XmlConfigurationProvider { put("-//Apache Software Foundation//DTD Struts Configuration 2.3//EN", "struts-2.3.dtd"); put("-//Apache Software Foundation//DTD Struts Configuration 2.5//EN", "struts-2.5.dtd"); put("-//Apache Software Foundation//DTD Struts Configuration 6.0//EN", "struts-6.0.dtd"); +put("-//Apache Software Foundation//DTD Struts Configuration 6.5.0//EN", "struts-6.5.0.dtd"); Review Comment: Yeah. It makes sense. I've updated the naming accordingly. Thanks. Issue Time Tracking --- Worklog Id: (was: 914325) Time Spent: 1h (was: 50m) > Introduce final attribute to package elements which makes them unextendable > --- > > Key: WW-5409 > URL: https://issues.apache.org/jira/browse/WW-5409 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1h > Remaining Estimate: 0h > > Extending packages is a very useful capability of Struts but there are some > quirks, that if a developer is not aware of, can lead to critical > vulnerabilities. > One such misunderstood quirk is the {{default-interceptor-ref}} element. > Take the following package: > {code:xml} > > > > > > {code} > If it is extended by another package like so: > {code:xml} > > > > > > {code} > The second package will inherit Action1, however it will behave very > differently in Package2, because it is no longer subject to the same > interceptors. The {{default-interceptor-ref}} value from the first package > does not apply to any action in the extending package, not even the ones > defined in the inherited one. > This is not immediately obvious to many developers, especially those not very > familiar with Struts. They could simply have extended the package to obtain > access to other elements such as results or result-types. 
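Review bot: the new entry maps the public ID `-//Apache Software Foundation//DTD Struts Configuration 6.5.0//EN` to `struts-6.5.0.dtd`, but the DTD file added elsewhere in PR #914 is `core/src/main/resources/struts-6.4.0.dtd` and the issue's Fix For is 6.5.0; the public ID, the mapped file name and the resource actually shipped on the classpath must agree, otherwise the local copy is not found for that doctype and the declaration falls outside the set this map is meant to resolve locally. Whatever naming is settled on (the two-digit `6.5` pattern proposed in the other review comment), add a test that parses a `struts.xml` declaring the new doctype and asserts that it resolves from the classpath resource.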
> One potential mitigation against this developer error is to mark potentially > sensitive packages as 'final' to prevent certain Actions from being inherited > by other packages. > This would look like the following: > {code:xml} > > > > > > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable
[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914324=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914324 ] ASF GitHub Bot logged work on WW-5409: -- Author: ASF GitHub Bot Created on: 12/Apr/24 05:43 Start Date: 12/Apr/24 05:43 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #914: URL: https://github.com/apache/struts/pull/914#discussion_r1562038780 ## core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java: ## 
@@ -54,6 +54,7 @@ public class StrutsXmlConfigurationProvider extends XmlConfigurationProvider { put("-//Apache Software Foundation//DTD Struts Configuration 2.3//EN", "struts-2.3.dtd"); put("-//Apache Software Foundation//DTD Struts Configuration 2.5//EN", "struts-2.5.dtd"); put("-//Apache Software Foundation//DTD Struts Configuration 6.0//EN", "struts-6.0.dtd"); +put("-//Apache Software Foundation//DTD Struts Configuration 6.5.0//EN", "struts-6.5.0.dtd"); Review Comment: I would keep two digits pattern as such changes cannot be introduced with `PATCH` version anyway. So instead of ```java put("-//Apache Software Foundation//DTD Struts Configuration 6.5.0//EN", "struts-6.5.0.dtd") ``` use ```java put("-//Apache Software Foundation//DTD Struts Configuration 6.5//EN", "struts-6.5.dtd") ``` and rename the corresponding file. --- What do you think? does it make sense? Issue Time Tracking --- Worklog Id: (was: 914324) Time Spent: 50m (was: 40m) > Introduce final attribute to package elements which makes them unextendable > --- > > Key: WW-5409 > URL: https://issues.apache.org/jira/browse/WW-5409 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 50m > Remaining Estimate: 0h > > Extending packages is a very useful capability of Struts but there are some > quirks, that if a developer is not aware of, can lead to critical > vulnerabilities. > One such misunderstood quirk is the {{default-interceptor-ref}} element. > Take the following package: > {code:xml} > > > > > > {code} > If it is extended by another package like so: > {code:xml} > > > > > > {code} > The second package will inherit Action1, however it will behave very > differently in Package2, because it is no longer subject to the same > interceptors. The {{default-interceptor-ref}} value from the first package > does not apply to any action in the extending package, not even the ones > defined in the inherited one. 
> This is not immediately obvious to many developers, especially those not very > familiar with Struts. They could simply have extended the package to obtain > access to other elements such as results or result-types. > One potential mitigation against this developer error is to mark potentially > sensitive packages as 'final' to prevent certain Actions from being inherited > by other packages. > This would look like the following: > {code:xml} > > > > > > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914318=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914318 ] ASF GitHub Bot logged work on WW-5400: -- Author: ASF GitHub Bot Created on: 12/Apr/24 05:34 Start Date: 12/Apr/24 05:34 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #913: URL: https://github.com/apache/struts/pull/913#discussion_r1562033229 ## core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java: ## @@ -124,4 +153,11 @@ public void setPrependServletContext(boolean prependServletContext) { this.prependServletContext = prependServletContext; } -} +/** + * Sets the class name of the default {@link CspSettings} implementation to use when the action does not + * set its own values. If not set, the default is {@link DefaultCspSettings}. + */ +public void setDefaultCspSettingsClassName(String defaultCspSettingsClassName) { +this.defaultCspSettingsClassName = defaultCspSettingsClassName; +} Review Comment: You can use Struts inject mechanism instead of using raw class and creating the instance by yourself. It's all about defining a `` and then annotating the setter with `@Inject("customCspSettings")`. I assume you never played with Struts @Inject, so let's leave it as is and I will change that in the next PR. ## core/src/main/java/org/apache/struts2/interceptor/csp/CspInterceptor.java: ## @@ -124,4 +153,11 @@ public void setPrependServletContext(boolean prependServletContext) { this.prependServletContext = prependServletContext; } -} +/** + * Sets the class name of the default {@link CspSettings} implementation to use when the action does not + * set its own values. If not set, the default is {@link DefaultCspSettings}. + */ Review Comment: Please add `@since Struts 6.5.0` [annotation](https://www.oracle.com/pl/technical-resources/articles/java/javadoc-tool.html#@since) ## core/src/main/java/org/apache/struts2/interceptor/csp/CspSettings.java: ## 
@@ -56,6 +57,11 @@ public interface CspSettings { */ void setReportUri(String uri); +/** + * Sets the report group where csp violation reports will be sent + */ Review Comment: Could you add [@since Struts 6.5.0](https://www.oracle.com/pl/technical-resources/articles/java/javadoc-tool.html#@since)? Issue Time Tracking --- Worklog Id: (was: 914318) Time Spent: 50m (was: 40m) > CSP interceptor only allows very limited configuration > -- > > Key: WW-5400 > URL: https://issues.apache.org/jira/browse/WW-5400 > Project: Struts 2 > Issue Type: Improvement > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Erica Kane >Priority: Major > Fix For: 6.5.0 > > Time Spent: 50m > Remaining Estimate: 0h > > I have been trying to implement CSP on our website. The CSP interceptor > provides an elegant solution with the and tags. However, > I want to set my own base-uri. And perhaps make some other changes to the CSP > headers. > But these values are not accessible. Only the report-only and report-uri can > be changed. Even if one is willing to work at the Action level and implement > a new interface for all of them, I can't change the base-uri. I've seen > people on Stack Overflow disable it for this reason. I want to use it, but > could someone please explain how to set the base-uri globally? If not, I will > likely have to make my own. > P.S. I will update the documentation page. Nowhere in the description of the > interceptor does it mention the script and link tags, and without those, it > is useless! -- This message was sent by Atlassian Jira (v8.20.10#820010)
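Review bot: in the `CspInterceptor` hunk, `setDefaultCspSettingsClassName` accepts a class name as a plain string, so the class is presumably loaded and instantiated by name at runtime; the code that consumes `defaultCspSettingsClassName` should reject anything that is not assignable to `CspSettings` and fail at startup rather than silently falling back to `DefaultCspSettings`, so a misconfigured value cannot leave the application with a weaker Content-Security-Policy than the operator intended, and the Javadoc should state that behaviour. The `@Inject` approach suggested in the comment above avoids by-name instantiation altogether and would make that check unnecessary.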
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914281=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914281 ] ASF GitHub Bot logged work on WW-5400: -- Author: ASF GitHub Bot Created on: 11/Apr/24 21:01 Start Date: 11/Apr/24 21:01 Worklog Time Spent: 10m Work Description: eschulma commented on PR #913: URL: https://github.com/apache/struts/pull/913#issuecomment-2050535381 Ok all good. Issue Time Tracking --- Worklog Id: (was: 914281) Time Spent: 40m (was: 0.5h) > CSP interceptor only allows very limited configuration > -- > > Key: WW-5400 > URL: https://issues.apache.org/jira/browse/WW-5400 > Project: Struts 2 > Issue Type: Improvement > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Erica Kane >Priority: Major > Fix For: 6.5.0 > > Time Spent: 40m > Remaining Estimate: 0h > > I have been trying to implement CSP on our website. The CSP interceptor > provides an elegant solution with the and tags. However, > I want to set my own base-uri. And perhaps make some other changes to the CSP > headers. > But these values are not accessible. Only the report-only and report-uri can > be changed. Even if one is willing to work at the Action level and implement > a new interface for all of them, I can't change the base-uri. I've seen > people on Stack Overflow disable it for this reason. I want to use it, but > could someone please explain how to set the base-uri globally? If not, I will > likely have to make my own. > P.S. I will update the documentation page. Nowhere in the description of the > interceptor does it mention the script and link tags, and without those, it > is useless! -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914267=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914267 ] ASF GitHub Bot logged work on WW-5400: -- Author: ASF GitHub Bot Created on: 11/Apr/24 18:53 Start Date: 11/Apr/24 18:53 Worklog Time Spent: 10m Work Description: eschulma commented on PR #913: URL: https://github.com/apache/struts/pull/913#issuecomment-2050317405 Hold off a bit, I need to check something (this is what I get for implementing my own separate solution) Issue Time Tracking --- Worklog Id: (was: 914267) Time Spent: 0.5h (was: 20m) > CSP interceptor only allows very limited configuration > -- > > Key: WW-5400 > URL: https://issues.apache.org/jira/browse/WW-5400 > Project: Struts 2 > Issue Type: Improvement > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Erica Kane >Priority: Major > Fix For: 6.5.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > I have been trying to implement CSP on our website. The CSP interceptor > provides an elegant solution with the and tags. However, > I want to set my own base-uri. And perhaps make some other changes to the CSP > headers. > But these values are not accessible. Only the report-only and report-uri can > be changed. Even if one is willing to work at the Action level and implement > a new interface for all of them, I can't change the base-uri. I've seen > people on Stack Overflow disable it for this reason. I want to use it, but > could someone please explain how to set the base-uri globally? If not, I will > likely have to make my own. > P.S. I will update the documentation page. Nowhere in the description of the > interceptor does it mention the script and link tags, and without those, it > is useless! -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914207=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914207 ] ASF GitHub Bot logged work on WW-5400: -- Author: ASF GitHub Bot Created on: 11/Apr/24 15:03 Start Date: 11/Apr/24 15:03 Worklog Time Spent: 10m Work Description: eschulma commented on PR #913: URL: https://github.com/apache/struts/pull/913#issuecomment-2049907568 @lukaszlenart submitted per your request Issue Time Tracking --- Worklog Id: (was: 914207) Time Spent: 20m (was: 10m) > CSP interceptor only allows very limited configuration > -- > > Key: WW-5400 > URL: https://issues.apache.org/jira/browse/WW-5400 > Project: Struts 2 > Issue Type: Improvement > Components: Core Interceptors >Affects Versions: 6.3.0 >Reporter: Erica Kane >Priority: Major > Fix For: 6.5.0 > > Time Spent: 20m > Remaining Estimate: 0h > > I have been trying to implement CSP on our website. The CSP interceptor > provides an elegant solution with the and tags. However, > I want to set my own base-uri. And perhaps make some other changes to the CSP > headers. > But these values are not accessible. Only the report-only and report-uri can > be changed. Even if one is willing to work at the Action level and implement > a new interface for all of them, I can't change the base-uri. I've seen > people on Stack Overflow disable it for this reason. I want to use it, but > could someone please explain how to set the base-uri globally? If not, I will > likely have to make my own. > P.S. I will update the documentation page. Nowhere in the description of the > interceptor does it mention the script and link tags, and without those, it > is useless! -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5407) Extend SecurityMemberAccess proxy detection to Hibernate proxies
[ https://issues.apache.org/jira/browse/WW-5407?focusedWorklogId=914122=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914122 ] ASF GitHub Bot logged work on WW-5407: -- Author: ASF GitHub Bot Created on: 11/Apr/24 09:16 Start Date: 11/Apr/24 09:16 Worklog Time Spent: 10m Work Description: kusalk merged PR #911: URL: https://github.com/apache/struts/pull/911 Issue Time Tracking --- Worklog Id: (was: 914122) Time Spent: 1h 50m (was: 1h 40m) > Extend SecurityMemberAccess proxy detection to Hibernate proxies > > > Key: WW-5407 > URL: https://issues.apache.org/jira/browse/WW-5407 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1h 50m > Remaining Estimate: 0h > > The current option {{struts.disallowProxyMemberAccess}} does not have any > logic to detect Hibernate proxies which may also present a security risk. > Additionally, the current option only forbids access to members which > originate from a proxy. However, it makes more sense to forbid access to > proxy objects entirely. This is because proxying is often used for sensitive > instances, application beans or Hibernate objects. None of which is safe to > be accessed or manipulated via OGNL. Thus, let's introduce an additional > option {{struts.disallowProxyObjectAccess}} which will offer stronger > protection. > Finally, the caching mechanism in the ProxyUtil class uses an unbounded map, > this can potentially be attacked and lead to a memory leak or DoS. Let's > replace it with a Caffeine cache as we have done previously for the OGNL > expression cache. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable
[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914085=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914085 ] ASF GitHub Bot logged work on WW-5409: -- Author: ASF GitHub Bot Created on: 11/Apr/24 05:09 Start Date: 11/Apr/24 05:09 Worklog Time Spent: 10m Work Description: jefferyxhy commented on code in PR #914: URL: https://github.com/apache/struts/pull/914#discussion_r1560440790 ## core/src/main/resources/struts-6.4.0.dtd: ## 
@@ -0,0 +1,158 @@ + + + Introduce final attribute to package elements which makes them unextendable > --- > > Key: WW-5409 > URL: https://issues.apache.org/jira/browse/WW-5409 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Extending packages is a very useful capability of Struts but there are some > quirks, that if a developer is not aware of, can lead to critical > vulnerabilities. > One such misunderstood quirk is the {{default-interceptor-ref}} element. > Take the following package: > {code:xml} > > > > > > {code} > If it is extended by another package like so: > {code:xml} > > > > > > {code} > The second package will inherit Action1, however it will behave very > differently in Package2, because it is no longer subject to the same > interceptors. The {{default-interceptor-ref}} value from the first package > does not apply to any action in the extending package, not even the ones > defined in the inherited one. > This is not immediately obvious to many developers, especially those not very > familiar with Struts. They could simply have extended the package to obtain > access to other elements such as results or result-types. > One potential mitigation against this developer error is to mark potentially > sensitive packages as 'final' to prevent certain Actions from being inherited > by other packages. > This would look like the following: > {code:xml} > > > > > > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
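Review bot: the new file is `core/src/main/resources/struts-6.4.0.dtd` while the issue's Fix For is 6.5.0 and the `StrutsXmlConfigurationProvider` mapping added in the same PR registers `struts-6.5.0.dtd`; pick one version string and use it consistently for the file name, the public ID and the mapping, otherwise the DTD is not resolvable locally. The DTD should also carry a comment on the new `final` attribute of `package` explaining that actions in a final package cannot be inherited by extending packages, since the DTD is where users will first meet the attribute.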
[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved
[ https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914084=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914084 ] ASF GitHub Bot logged work on WW-5408: -- Author: ASF GitHub Bot Created on: 11/Apr/24 04:59 Start Date: 11/Apr/24 04:59 Worklog Time Spent: 10m Work Description: jefferyxhy commented on code in PR #912: URL: https://github.com/apache/struts/pull/912#discussion_r1560435674 ## core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java: ## @@ -583,11 +590,10 @@ public ActionConfig getActionConfig(String namespace, String name) { } // fail over to empty namespace -if (config == null && StringUtils.isNotBlank(namespace)) { +if (config == null && StringUtils.isNotBlank(namespace) && ("/".equals(namespace) || fallbackToEmptyNamespace)) { Review Comment: Done. Thanks ## core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java: ## 
@@ -459,9 +460,12 @@ protected synchronized RuntimeConfiguration buildRuntimeConfiguration() throws C boolean appendNamedParameters = Boolean.parseBoolean( container.getInstance(String.class, StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS) ); +boolean fallbackToEmptyNamespace = Boolean.parseBoolean( +Optional.ofNullable(container.getInstance(String.class, StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE)).orElse("true") Review Comment: Updated. Thanks Issue Time Tracking --- Worklog Id: (was: 914084) Time Spent: 1.5h (was: 1h 20m) > Add option to NOT fallback to empty namespace when unresolved > - > > Key: WW-5408 > URL: https://issues.apache.org/jira/browse/WW-5408 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1.5h > Remaining Estimate: 0h > > Currently, when a namespace cannot be resolved from a request URL, it falls > back to the empty namespace. > This effectively allows all Actions which are defined for the empty namespace > to be accessed from an infinite number of endpoints. > For example, you may have an Action defined in the empty namespace, intended > for access at: > {{www.domain.com/login.action}} > However, due to the current fallback behaviour, this Action can actually be > accessed at any non-resolving namespace, eg.: > {{www.domain.com/what/about/this/login.action}} > This behaviour is not usually beneficial and could lead to bugs if a > developer only expects their Action to be accessible at a very specific URL. > Many developers may not be aware of these Action resolving quirks of Struts. > As far as I can tell, there is not currently an option to prevent this > behaviour, so I propose we add one. -- This message was sent by Atlassian Jira (v8.20.10#820010)
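Review bot: in the `getActionConfig` hunk the condition `"/".equals(namespace) || fallbackToEmptyNamespace` keeps the root namespace `/` falling back to the empty namespace unconditionally, which is the intended compatibility case, but because the new flag defaults to `true` via `.orElse("true")` the hardening described in the issue is opt-in; the `default.properties` entry and the release notes should state explicitly that setting it to `false` stops actions declared in the empty namespace from being reachable under arbitrary unresolved namespaces such as `/what/about/this/login.action`. A test covering both flag values with a non-resolving namespace would pin that behaviour down.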
[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable
[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914081=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914081 ] ASF GitHub Bot logged work on WW-5409: -- Author: ASF GitHub Bot Created on: 11/Apr/24 04:43 Start Date: 11/Apr/24 04:43 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #914: URL: https://github.com/apache/struts/pull/914#discussion_r1560427870 ## core/src/main/resources/struts-6.4.0.dtd: ## 
@@ -0,0 +1,158 @@ + + + Introduce final attribute to package elements which makes them unextendable > --- > > Key: WW-5409 > URL: https://issues.apache.org/jira/browse/WW-5409 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > Extending packages is a very useful capability of Struts but there are some > quirks, that if a developer is not aware of, can lead to critical > vulnerabilities. > One such misunderstood quirk is the {{default-interceptor-ref}} element. > Take the following package: > {code:xml} > > > > > > {code} > If it is extended by another package like so: > {code:xml} > > > > > > {code} > The second package will inherit Action1, however it will behave very > differently in Package2, because it is no longer subject to the same > interceptors. The {{default-interceptor-ref}} value from the first package > does not apply to any action in the extending package, not even the ones > defined in the inherited one. > This is not immediately obvious to many developers, especially those not very > familiar with Struts. They could simply have extended the package to obtain > access to other elements such as results or result-types. > One potential mitigation against this developer error is to mark potentially > sensitive packages as 'final' to prevent certain Actions from being inherited > by other packages. > This would look like the following: > {code:xml} > > > > > > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved
[ https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914080=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914080 ] ASF GitHub Bot logged work on WW-5408: -- Author: ASF GitHub Bot Created on: 11/Apr/24 04:40 Start Date: 11/Apr/24 04:40 Worklog Time Spent: 10m Work Description: lukaszlenart commented on code in PR #912: URL: https://github.com/apache/struts/pull/912#discussion_r1560426064 ## core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java: ## 
@@ -459,9 +460,12 @@ protected synchronized RuntimeConfiguration buildRuntimeConfiguration() throws C boolean appendNamedParameters = Boolean.parseBoolean( container.getInstance(String.class, StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS) ); +boolean fallbackToEmptyNamespace = Boolean.parseBoolean( +Optional.ofNullable(container.getInstance(String.class, StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE)).orElse("true") Review Comment: Understood, yet `default.properties` is used as a documentation by users so I would define the constant there with short description and keep fallback to `true` as above Issue Time Tracking --- Worklog Id: (was: 914080) Time Spent: 1h 20m (was: 1h 10m) > Add option to NOT fallback to empty namespace when unresolved > - > > Key: WW-5408 > URL: https://issues.apache.org/jira/browse/WW-5408 > Project: Struts 2 > Issue Type: Improvement > Components: Core >Reporter: Kusal Kithul-Godage >Priority: Minor > Fix For: 6.5.0 > > Time Spent: 1h 20m > Remaining Estimate: 0h > > Currently, when a namespace cannot be resolved from a request URL, it falls > back to the empty namespace. > This effectively allows all Actions which are defined for the empty namespace > to be accessed from an infinite number of endpoints. > For example, you may have an Action defined in the empty namespace, intended > for access at: > {{www.domain.com/login.action}} > However, due to the current fallback behaviour, this Action can actually be > accessed at any non-resolving namespace, eg.: > {{www.domain.com/what/about/this/login.action}} > This behaviour is not usually beneficial and could lead to bugs if a > developer only expects their Action to be accessible at a very specific URL. > Many developers may not be aware of these Action resolving quirks of Struts. > As far as I can tell, there is not currently an option to prevent this > behaviour, so I propose we add one. -- This message was sent by Atlassian Jira (v8.20.10#820010)
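Review bot: `Boolean.parseBoolean(...)` returns `false` for any value other than a case-insensitive `"true"`, so a mistyped value for the property behind `StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE` silently disables the fallback (the safer, fail-closed direction), whereas a mistyped key is ignored and keeps the permissive default of `true`; logging the effective value once in `buildRuntimeConfiguration()` would let operators confirm which behaviour they actually got, and defining the constant in `default.properties` with a short description, as requested above, documents the default in the place users look.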
[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable
[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914077=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914077 ]

ASF GitHub Bot logged work on WW-5409:
--
Author: ASF GitHub Bot
Created on: 11/Apr/24 04:34
Start Date: 11/Apr/24 04:34
Worklog Time Spent: 10m

Work Description: jefferyxhy commented on code in PR #914:
URL: https://github.com/apache/struts/pull/914#discussion_r1560423741

## core/src/main/resources/struts-6.4.0.dtd:
##
@@ -0,0 +1,158 @@ + + +

> Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts but there are some
> quirks that, if a developer is not aware of them, can lead to critical
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
>
>
>
>
>
> {code}
> If it is extended by another package like so:
> {code:xml}
>
>
>
>
>
> {code}
> The second package will inherit Action1; however, it will behave very
> differently in Package2, because it is no longer subject to the same
> interceptors. The {{default-interceptor-ref}} value from the first package
> does not apply to any action in the extending package, not even the ones
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very
> familiar with Struts. They could simply have extended the package to obtain
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially
> sensitive packages as 'final' to prevent certain Actions from being inherited
> by other packages.
> This would look like the following:
> {code:xml}
>
>
>
>
>
> {code}
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
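Review bot: the new grammar file is core/src/main/resources/struts-6.4.0.dtd, while the issue's Fix For is 6.5.0; confirm which release this DTD targets and name the file for the first release that actually honours the `final` attribute, so that a struts.xml whose DOCTYPE references the 6.4.0 DTD does not validate an attribute that release ignores. The public identifier and the DOCTYPE shown in the documentation should be updated in the same change.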
[jira] [Work logged] (WW-5406) Action excluded patterns are not updated following a configuration reload
[ https://issues.apache.org/jira/browse/WW-5406?focusedWorklogId=914076=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914076 ]

ASF GitHub Bot logged work on WW-5406:
--
Author: ASF GitHub Bot
Created on: 11/Apr/24 04:27
Start Date: 11/Apr/24 04:27
Worklog Time Spent: 10m

Work Description: kusalk merged PR #910:
URL: https://github.com/apache/struts/pull/910

Issue Time Tracking
---
Worklog Id: (was: 914076)
Time Spent: 2h 20m (was: 2h 10m)

> Action excluded patterns are not updated following a configuration reload
> -
>
> Key: WW-5406
> URL: https://issues.apache.org/jira/browse/WW-5406
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> If {{struts.action.excludePattern}} or
> {{struts.action.excludePattern.separator}} are updated during runtime, the
> changes are not reflected in the application behaviour due to these constants
> only being read exactly once. This is not consistent with all other
> configuration which is re-injected following a configuration reload.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5409) Introduce final attribute to package elements which makes them unextendable
[ https://issues.apache.org/jira/browse/WW-5409?focusedWorklogId=914061=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914061 ]

ASF GitHub Bot logged work on WW-5409:
--
Author: ASF GitHub Bot
Created on: 11/Apr/24 02:47
Start Date: 11/Apr/24 02:47
Worklog Time Spent: 10m

Work Description: jefferyxhy opened a new pull request, #914:
URL: https://github.com/apache/struts/pull/914

   WW-5409

   **Reason**

   Extending packages is a very useful capability of Struts but there are some quirks that, if a developer is not aware of them, can lead to critical vulnerabilities. One such misunderstood quirk is the default-interceptor-ref element.

   e.g. a parent package adds a permission interceptor for its action (say **Action A**), while a child package that extends the parent package will inherit its actions but not the interceptor. So if the developer is not aware of this, Action A is now exposed with a permission vuln through the child package's namespace.

   **Changes / Solution**

   Introduce a new `final` attribute on the `package` element which makes it unextendable.

   **Result & Impact**

   * By default, the package `final` attribute is implied as `false`, so there is no difference.
   * Setting the package `final` attribute explicitly to `true` makes this package unextendable, so any package extending it will cause a ConfigurationException to be thrown while the application's struts config XML is loaded.

Issue Time Tracking
---
Worklog Id: (was: 914061)
Remaining Estimate: 0h
Time Spent: 10m

> Introduce final attribute to package elements which makes them unextendable
> ---
>
> Key: WW-5409
> URL: https://issues.apache.org/jira/browse/WW-5409
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Extending packages is a very useful capability of Struts but there are some
> quirks that, if a developer is not aware of them, can lead to critical
> vulnerabilities.
> One such misunderstood quirk is the {{default-interceptor-ref}} element.
> Take the following package:
> {code:xml}
>
>
>
>
>
> {code}
> If it is extended by another package like so:
> {code:xml}
>
>
>
>
>
> {code}
> The second package will inherit Action1; however, it will behave very
> differently in Package2, because it is no longer subject to the same
> interceptors. The {{default-interceptor-ref}} value from the first package
> does not apply to any action in the extending package, not even the ones
> defined in the inherited one.
> This is not immediately obvious to many developers, especially those not very
> familiar with Struts. They could simply have extended the package to obtain
> access to other elements such as results or result-types.
> One potential mitigation against this developer error is to mark potentially
> sensitive packages as 'final' to prevent certain Actions from being inherited
> by other packages.
> This would look like the following:
> {code:xml}
>
>
>
>
>
> {code}
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (WW-5408) Add option to NOT fallback to empty namespace when unresolved
[ https://issues.apache.org/jira/browse/WW-5408?focusedWorklogId=914052=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914052 ]

ASF GitHub Bot logged work on WW-5408:
--
Author: ASF GitHub Bot
Created on: 11/Apr/24 00:33
Start Date: 11/Apr/24 00:33
Worklog Time Spent: 10m

Work Description: kusalk commented on code in PR #912:
URL: https://github.com/apache/struts/pull/912#discussion_r1560203638

## core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java:
##
@@ -459,9 +460,12 @@ protected synchronized RuntimeConfiguration buildRuntimeConfiguration() throws C boolean appendNamedParameters = Boolean.parseBoolean( container.getInstance(String.class, StrutsConstants.STRUTS_MATCHER_APPEND_NAMED_PARAMETERS) ); +boolean fallbackToEmptyNamespace = Boolean.parseBoolean( +Optional.ofNullable(container.getInstance(String.class, StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE)).orElse("true")

Review Comment:
   @jefferyxhy and I just discussed this one, and one of the drawbacks of putting it in `default.properties` is that it isn't read by unit tests and causes a bunch of test failures, as the unit tests will default to `false`. To get around this we could additionally add the constant to `StrutsDefaultConfigurationProvider` as well as `default.properties`. I'm personally not too fussed. In the past I've deliberately made constants default to false to try to sidestep this issue. Let us know what you would prefer.

Issue Time Tracking
---
Worklog Id: (was: 914052)
Time Spent: 1h 10m (was: 1h)

> Add option to NOT fallback to empty namespace when unresolved
> -
>
> Key: WW-5408
> URL: https://issues.apache.org/jira/browse/WW-5408
> Project: Struts 2
> Issue Type: Improvement
> Components: Core
> Reporter: Kusal Kithul-Godage
> Priority: Minor
> Fix For: 6.5.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Currently, when a namespace cannot be resolved from a request URL, it falls
> back to the empty namespace.
> This effectively allows all Actions which are defined for the empty namespace
> to be accessed from an infinite number of endpoints.
> For example, you may have an Action defined in the empty namespace, intended
> for access at:
> {{www.domain.com/login.action}}
> However, due to the current fallback behaviour, this Action can actually be
> accessed at any non-resolving namespace, e.g.:
> {{www.domain.com/what/about/this/login.action}}
> This behaviour is not usually beneficial and could lead to bugs if a
> developer only expects their Action to be accessible at a very specific URL.
> Many developers may not be aware of these Action resolving quirks of Struts.
> As far as I can tell, there is not currently an option to prevent this
> behaviour, so I propose we add one.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
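The two quirks described in the WW-5408 and WW-5409 threads above (an unresolved namespace falling back to "", and an extending package serving the parent's actions under its own default interceptor stack) are both visible in struts.xml before deployment, so a static check is the natural place to catch them. The script below is an added illustration written for this thread, not code from the Struts project; it inspects the XML only and does not reproduce the configuration loader. Assumptions: the sample struts.xml is constructed (package names mirror the issue text), the constant key `struts.actionConfig.fallbackToEmptyNamespace` is assumed to be the string behind the PR's `STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE` and should be checked against your Struts release, and the WW-5409 check flags only the case where the extending package declares a different `default-interceptor-ref` of its own.

```python
"""Static audit of a struts.xml for the package quirks in WW-5408 and WW-5409.
Added illustration for this thread, not Struts project code; it inspects the
XML only and does not reproduce the loader."""
import xml.etree.ElementTree as ET

# Assumption: the key behind StrutsConstants.STRUTS_ACTION_CONFIG_FALLBACK_TO_EMPTY_NAMESPACE
# in the PR; verify the spelling against the Struts release you deploy.
FALLBACK_CONSTANT = "struts.actionConfig.fallbackToEmptyNamespace"

# Constructed sample configuration; package names mirror the issue text.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="Package1" extends="struts-default" namespace="/secure">
    <default-interceptor-ref name="authStack"/>
    <action name="Action1" class="com.example.Action1"/>
  </package>
  <package name="Package2" extends="Package1" namespace="/public">
    <default-interceptor-ref name="defaultStack"/>
    <action name="Action2" class="com.example.Action2"/>
  </package>
  <package name="root" extends="struts-default">
    <action name="login" class="com.example.LoginAction"/>
  </package>
</struts>
"""


def parse(xml_text):
    """Return (constants, packages): constant name -> value, package name -> element."""
    root = ET.fromstring(xml_text)
    constants = {c.get("name"): c.get("value") for c in root.findall("constant")}
    packages = {p.get("name"): p for p in root.findall("package")}
    return constants, packages


def empty_namespace_actions(packages):
    """Actions in packages that declare no namespace (or namespace="")."""
    return sorted(a.get("name")
                  for p in packages.values() if p.get("namespace", "") == ""
                  for a in p.findall("action"))


def audit_namespace_fallback(constants, packages):
    """WW-5408: unless the fallback is switched off, every empty-namespace action
    also answers at /any/unresolved/prefix/<name>.action.  Like Boolean.parseBoolean,
    anything other than the literal "true" counts as off; an absent constant is on."""
    value = constants.get(FALLBACK_CONSTANT)
    if value is not None and value.strip().lower() != "true":
        return []
    return [f"WW-5408: empty-namespace action '{name}' is reachable under any "
            f"unresolved namespace; set {FALLBACK_CONSTANT}=false"
            for name in empty_namespace_actions(packages)]


def audit_inherited_actions(packages):
    """WW-5409: an extending package that declares its own default-interceptor-ref
    serves the inherited actions under its namespace with that stack instead of the
    parent's.  Only actions without an explicit interceptor-ref are affected; a child
    that declares no default of its own is deliberately not flagged here."""
    findings = []
    for child_name, child in packages.items():
        child_default = child.find("default-interceptor-ref")
        if child_default is None:
            continue
        for parent_name in (child.get("extends") or "").split(","):
            parent = packages.get(parent_name.strip())
            if parent is None:
                continue  # struts-default or a package defined in another file
            parent_default = parent.find("default-interceptor-ref")
            if parent_default is None or parent_default.get("name") == child_default.get("name"):
                continue
            for action in parent.findall("action"):
                if action.find("interceptor-ref") is None:
                    findings.append(
                        f"WW-5409: '{action.get('name')}' from {parent_name.strip()} is also "
                        f"served by {child_name} (namespace {child.get('namespace', '')!r}) "
                        f"with stack '{child_default.get('name')}' instead of "
                        f"'{parent_default.get('name')}'; mark {parent_name.strip()} final "
                        "or give the action an explicit interceptor-ref")
    return findings


def audit(xml_text):
    """All findings for one struts.xml document."""
    constants, packages = parse(xml_text)
    return audit_namespace_fallback(constants, packages) + audit_inherited_actions(packages)


if __name__ == "__main__":
    for finding in audit(SAMPLE_STRUTS_XML):
        print(finding)
```

Run against a real deployment by replacing SAMPLE_STRUTS_XML with the file contents; a package that extends one marked `final="true"` will already be rejected by a Struts release that honours the attribute, so the WW-5409 finding is only meaningful on the releases and packages where inheritance is still allowed.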
[jira] [Work logged] (WW-5400) CSP interceptor only allows very limited configuration
[ https://issues.apache.org/jira/browse/WW-5400?focusedWorklogId=914041=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914041 ]

ASF GitHub Bot logged work on WW-5400:
--
Author: ASF GitHub Bot
Created on: 10/Apr/24 22:45
Start Date: 10/Apr/24 22:45
Worklog Time Spent: 10m

Work Description: eschulma opened a new pull request, #913:
URL: https://github.com/apache/struts/pull/913

   Previously, it was impossible to set global options for the CSP interceptor. The only option was to have every action individually implement CspSettingsAware.

   To fix this, we add an interceptor parameter, defaultCspSettingsClassName. Values from this class will be used in the CSP header instead of DefaultCspSettings. Users may define their own custom class which implements CspSettings, and that will be the default for all actions that do not implement the CspSettingsAware interface. It is now possible to create this custom class by simply extending DefaultCspSettings.

   I have fixed a spelling error in DefaultCspSettings.java.

Issue Time Tracking
---
Worklog Id: (was: 914041)
Remaining Estimate: 0h
Time Spent: 10m

> CSP interceptor only allows very limited configuration
> --
>
> Key: WW-5400
> URL: https://issues.apache.org/jira/browse/WW-5400
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Interceptors
> Affects Versions: 6.3.0
> Reporter: Erica Kane
> Priority: Major
> Fix For: 6.5.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I have been trying to implement CSP on our website. The CSP interceptor
> provides an elegant solution with the script and link tags. However,
> I want to set my own base-uri. And perhaps make some other changes to the CSP
> headers.
> But these values are not accessible. Only the report-only and report-uri can
> be changed. Even if one is willing to work at the Action level and implement
> a new interface for all of them, I can't change the base-uri. I've seen
> people on Stack Overflow disable it for this reason. I want to use it, but
> could someone please explain how to set the base-uri globally? If not, I will
> likely have to make my own.
> P.S. I will update the documentation page. Nowhere in the description of the
> interceptor does it mention the script and link tags, and without those, it
> is useless!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)