Re: Showcase app broken by struts.allowlist.classes

2024-07-13 Thread Kusal Kithul-Godage
Ah just saw this - I've already created a fix PR, took me a little longer than expected as it turns out there were a few more broken Showcase Actions which I've also fixed
https://github.com/apache/struts/pull/986

On Sat, Jul 13, 2024 at 7:23 PM Lukasz Lenart wrote:
>
> sob., 13 lip 2024 o 10:23

Re: Showcase app broken by struts.allowlist.classes

2024-07-13 Thread Lukasz Lenart
Sat, 13 Jul 2024 at 10:23 Kusal Kithul-Godage wrote:
> That's correct, it's only enabled by default from 7.0, but I enabled
> it manually for the Showcase App so we can ensure its functionality
> and catch regressions. It seems in this case, we have an Action that
> utilises the Convention pl

Re: Showcase app broken by struts.allowlist.classes

2024-07-13 Thread Kusal Kithul-Godage
That's correct, it's only enabled by default from 7.0, but I enabled it manually for the Showcase App so we can ensure its functionality and catch regressions. It seems in this case, we have an Action that utilises the Convention plugin but isn't actually covered by any tests.

On Sat, Jul 13, 2024

Re: Showcase app broken by struts.allowlist.classes

2024-07-13 Thread Lukasz Lenart
Sat, 13 Jul 2024 at 08:05 Kusal Kithul-Godage wrote:
>
> Let me take a look, I think I overlooked testing the OGNL allowlist
> with the Convention plugin - created WW-5440 to track.

BTW. I thought the stronger security settings have been enabled since Struts 7, did I miss something?

Regards

Re: Showcase app broken by struts.allowlist.classes

2024-07-12 Thread Kusal Kithul-Godage
Let me take a look, I think I overlooked testing the OGNL allowlist with the Convention plugin - created WW-5440 to track.

On Sat, Jul 13, 2024 at 3:04 PM Lukasz Lenart wrote:
>
> Hi,
>
> I'm playing a bit with our Showcase App and noticed a few issues
> related to the latest security changes. He

Showcase app broken by struts.allowlist.classes

2024-07-12 Thread Lukasz Lenart
Hi,

I'm playing a bit with our Showcase App and noticed a few issues related to the latest security changes. Here is an example method annotated as follows:

@Action(value = "bean-validation", results = {
    @Result(name = "success", location = "bean-validation.jsp")
})
@SkipValidation
public Stri