Adds option to define additional accepted/excluded patterns
Also, all patterns are now compiled case-insensitively by default


Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/89cbe138
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/89cbe138
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/89cbe138

Branch: refs/heads/develop
Commit: 89cbe13853a849340d740d45685e6fd14da93d9b
Parents: 2df72b9
Author: Lukasz Lenart <lukaszlen...@apache.org>
Authored: Sun Jun 1 10:33:39 2014 +0200
Committer: Lukasz Lenart <lukaszlen...@apache.org>
Committed: Sun Jun 1 10:33:39 2014 +0200

----------------------------------------------------------------------
 .../org/apache/struts2/StrutsConstants.java     |  3 ++
 .../config/DefaultBeanSelectionProvider.java    |  2 +
 .../com/opensymphony/xwork2/XWorkConstants.java |  3 ++
 .../DefaultAcceptedPatternsChecker.java         | 18 +++----
 .../DefaultExcludedPatternsChecker.java         | 28 ++++++----
 .../DefaultAcceptedPatternsCheckerTest.java     | 56 ++++++++++++++++++++
 .../DefaultExcludedPatternsCheckerTest.java     | 56 ++++++++++++++++++++
 7 files changed, 147 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/struts/blob/89cbe138/core/src/main/java/org/apache/struts2/StrutsConstants.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java 
b/core/src/main/java/org/apache/struts2/StrutsConstants.java
index dd08993..918f91b 100644
--- a/core/src/main/java/org/apache/struts2/StrutsConstants.java
+++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -294,4 +294,7 @@ public final class StrutsConstants {
     public static final String STRUTS_OVERRIDE_EXCLUDED_PATTERNS = 
"struts.override.excludedPatterns";
     public static final String STRUTS_OVERRIDE_ACCEPTED_PATTERNS = 
"struts.override.acceptedPatterns";
 
+    public static final String STRUTS_ADDITIONAL_EXCLUDED_PATTERNS = 
"struts.additional.excludedPatterns";
+    public static final String STRUTS_ADDITIONAL_ACCEPTED_PATTERNS = 
"struts.additional.acceptedPatterns";
+
 }

http://git-wip-us.apache.org/repos/asf/struts/blob/89cbe138/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
----------------------------------------------------------------------
diff --git 
a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
 
b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
index a671133..06b7302 100644
--- 
a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
+++ 
b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
@@ -407,6 +407,8 @@ public class DefaultBeanSelectionProvider extends 
AbstractBeanSelectionProvider
         convertIfExist(props, StrutsConstants.STRUTS_EXCLUDED_CLASSES, 
XWorkConstants.OGNL_EXCLUDED_CLASSES);
         convertIfExist(props, 
StrutsConstants.STRUTS_EXCLUDED_PACKAGE_NAME_PATTERNS, 
XWorkConstants.OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS);
 
+        convertIfExist(props, 
StrutsConstants.STRUTS_ADDITIONAL_EXCLUDED_PATTERNS, 
XWorkConstants.ADDITIONAL_EXCLUDED_PATTERNS);
+        convertIfExist(props, 
StrutsConstants.STRUTS_ADDITIONAL_ACCEPTED_PATTERNS, 
XWorkConstants.ADDITIONAL_ACCEPTED_PATTERNS);
         convertIfExist(props, 
StrutsConstants.STRUTS_OVERRIDE_EXCLUDED_PATTERNS, 
XWorkConstants.OVERRIDE_EXCLUDED_PATTERNS);
         convertIfExist(props, 
StrutsConstants.STRUTS_OVERRIDE_ACCEPTED_PATTERNS, 
XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS);
 

http://git-wip-us.apache.org/repos/asf/struts/blob/89cbe138/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java 
b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
index 830df78..433b005 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
@@ -21,6 +21,9 @@ public final class XWorkConstants {
     public static final String OGNL_EXCLUDED_CLASSES = "ognlExcludedClasses";
     public static final String OGNL_EXCLUDED_PACKAGE_NAME_PATTERNS = 
"ognlExcludedPackageNamePatterns";
 
+    public static final String ADDITIONAL_EXCLUDED_PATTERNS = 
"additionalExcludedPatterns";
+    public static final String ADDITIONAL_ACCEPTED_PATTERNS = 
"additionalAcceptedPatterns";
+
     public static final String OVERRIDE_EXCLUDED_PATTERNS = 
"overrideExcludedPatterns";
     public static final String OVERRIDE_ACCEPTED_PATTERNS = 
"overrideAcceptedPatterns";
 

http://git-wip-us.apache.org/repos/asf/struts/blob/89cbe138/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
 
b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
index fa1b8e1..970a52c 100644
--- 
a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
+++ 
b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
@@ -24,7 +24,7 @@ public class DefaultAcceptedPatternsChecker implements 
AcceptedPatternsChecker {
     public DefaultAcceptedPatternsChecker() {
         acceptedPatterns = new HashSet<Pattern>();
         for (String pattern : ACCEPTED_PATTERNS) {
-            acceptedPatterns.add(Pattern.compile(pattern));
+            acceptedPatterns.add(Pattern.compile(pattern, 
Pattern.CASE_INSENSITIVE));
         }
     }
 
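Review bot: Compiling the accepted patterns with `Pattern.CASE_INSENSITIVE` widens the whitelist rather than narrowing it, because an accepted pattern admits parameter names, so any hard-coded entry written for a lowercase name now also admits its mixed-case spellings; on the excluded side the same flag only tightens. The `ACCEPTED_PATTERNS` array is outside this hunk, so I cannot tell whether any entry relied on exact case. A comment on the loop would record the trade-off for the next editor: `// CASE_INSENSITIVE widens the accept list: entries in ACCEPTED_PATTERNS must not rely on case`.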
@@ -36,19 +36,17 @@ public class DefaultAcceptedPatternsChecker implements 
AcceptedPatternsChecker {
         }
         acceptedPatterns = new HashSet<Pattern>();
         for (String pattern : 
TextParseUtil.commaDelimitedStringToSet(acceptablePatterns)) {
-            acceptedPatterns.add(Pattern.compile(pattern));
+            acceptedPatterns.add(Pattern.compile(pattern, 
Pattern.CASE_INSENSITIVE));
         }
     }
 
-    @Inject(value = XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, required = 
false)
-    public void setOverrideExcludePatterns(String acceptPatterns) {
-        if (LOG.isWarnEnabled()) {
-            LOG.warn("Overriding [#0] with [#1], be aware that this can affect 
safety of your application!",
-                    XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, 
acceptedPatterns);
+    @Inject(value = XWorkConstants.ADDITIONAL_ACCEPTED_PATTERNS, required = 
false)
+    public void setAdditionalAcceptedPatterns(String acceptablePatterns) {
+        if (LOG.isDebugEnabled()) {
+            LOG.warn("Adding additional patterns [#0] to accepted patterns!", 
acceptablePatterns);
         }
-        acceptedPatterns = new HashSet<Pattern>();
-        for (String pattern : 
TextParseUtil.commaDelimitedStringToSet(acceptPatterns)) {
-            acceptedPatterns.add(Pattern.compile(pattern));
+        for (String pattern : 
TextParseUtil.commaDelimitedStringToSet(acceptablePatterns)) {
+            acceptedPatterns.add(Pattern.compile(pattern, 
Pattern.CASE_INSENSITIVE));
         }
     }
 
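Review bot: `setAdditionalAcceptedPatterns` emits its `LOG.warn` only inside `if (LOG.isDebugEnabled())`, so at normal log levels a deployment that enlarges the accept list leaves no trace, whereas the removed override setter guarded its warning with `isWarnEnabled()`. Extra accepted patterns enlarge the set of parameter names that reach the OGNL stack, so keep the warn level and guard it consistently: `if (LOG.isWarnEnabled()) {` and `LOG.warn("Adding additional patterns [#0] to accepted patterns, be aware that this can affect safety of your application!", acceptablePatterns);`. The setter at the top of this hunk starts outside it; it assigns a fresh `new HashSet<Pattern>()` while the new setter adds into whatever set exists, so when both properties are configured the outcome depends on injection order, which the Javadoc should state.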

http://git-wip-us.apache.org/repos/asf/struts/blob/89cbe138/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
 
b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
index 53854d3..f0a3d62 100644
--- 
a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
+++ 
b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java
@@ -17,13 +17,13 @@ public class DefaultExcludedPatternsChecker implements 
ExcludedPatternsChecker {
 
     public static final String[] EXCLUDED_PATTERNS = {
             "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
-            "^dojo\\..*",
-            "^struts\\..*",
-            "^session\\..*",
-            "^request\\..*",
-            "^application\\..*",
-            "^servlet(Request|Response)\\..*",
-            "^parameters\\..*"
+            "(^|.*#)dojo(\\.|\\[).*",
+            "(^|.*#)struts(\\.|\\[).*",
+            "(^|.*#)session(\\.|\\[).*",
+            "(^|.*#)request(\\.|\\[).*",
+            "(^|.*#)application(\\.|\\[).*",
+            "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
+            "(^|.*#)parameters(\\.|\\[).*"
     };
 
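Review bot: The new shape of `EXCLUDED_PATTERNS` encodes two decisions the array does not explain: `(^|.*#)` matches the name at the start of the expression or as an OGNL context reference (`#session`), and `(\\.|\\[)` covers both property and index access (`session.x`, `session['x']`), which is exactly what the old `^session\\..*` form missed for the `#Session['test']`-style inputs in the new test. A comment above the array, `// (^|.*#)NAME(\\.|\\[): bare or #-prefixed context name followed by property or index access; compiled CASE_INSENSITIVE in the constructor`, would keep someone from simplifying it back. The unchanged first entry still carries a bare `.*` alternative before `class`, so as far as I read it any name containing `class` followed by `.`, `[` or a closing quote-bracket is excluded; if that breadth is intentional, the same comment should say so.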
     private Set<Pattern> excludedPatterns;
@@ -31,7 +31,7 @@ public class DefaultExcludedPatternsChecker implements 
ExcludedPatternsChecker {
     public DefaultExcludedPatternsChecker() {
         excludedPatterns = new HashSet<Pattern>();
         for (String pattern : EXCLUDED_PATTERNS) {
-            excludedPatterns.add(Pattern.compile(pattern));
+            excludedPatterns.add(Pattern.compile(pattern, 
Pattern.CASE_INSENSITIVE));
         }
     }
 
@@ -43,7 +43,17 @@ public class DefaultExcludedPatternsChecker implements 
ExcludedPatternsChecker {
         }
         excludedPatterns = new HashSet<Pattern>();
         for (String pattern : 
TextParseUtil.commaDelimitedStringToSet(excludePatterns)) {
-            excludedPatterns.add(Pattern.compile(pattern));
+            excludedPatterns.add(Pattern.compile(pattern, 
Pattern.CASE_INSENSITIVE));
+        }
+    }
+
+    @Inject(value = XWorkConstants.ADDITIONAL_EXCLUDED_PATTERNS, required = 
false)
+    public void setAdditionalExcludePatterns(String excludePatterns) {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Adding additional patterns [#0] to excluded patterns!", 
excludePatterns);
+        }
+        for (String pattern : 
TextParseUtil.commaDelimitedStringToSet(excludePatterns)) {
+            excludedPatterns.add(Pattern.compile(pattern, 
Pattern.CASE_INSENSITIVE));
         }
     }
 
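Review bot: `setAdditionalExcludePatterns` adds into the existing `excludedPatterns` set, while the setter above it (whose head is outside this hunk) replaces the set with `new HashSet<Pattern>()` before filling it, so when both `overrideExcludedPatterns` and `additionalExcludedPatterns` are configured the result depends on which setter the container invokes last; if the override setter runs second, the additional exclusions are silently discarded. Either keep the additional patterns in their own field and consult both sets in `isExcluded`, or document the precedence on the setter, e.g. `/** Extra exclusions; lost if the override setter is injected afterwards. */`. A naming nit: the accepted-side counterpart is `setAdditionalAcceptedPatterns`, so `setAdditionalExcludedPatterns` would keep the pair symmetrical. `isExcluded` is not in the diff, so I have not checked how the set is consumed.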

http://git-wip-us.apache.org/repos/asf/struts/blob/89cbe138/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java
 
b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java
new file mode 100644
index 0000000..c2c079b
--- /dev/null
+++ 
b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsCheckerTest.java
@@ -0,0 +1,56 @@
+package com.opensymphony.xwork2.security;
+
+import com.opensymphony.xwork2.XWorkTestCase;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class DefaultAcceptedPatternsCheckerTest extends XWorkTestCase {
+
+    public void testHardcodedAcceptedPatterns() throws Exception {
+        // given
+        List<String> params = new ArrayList<String>() {
+            {
+                add("%{#application['test']}");
+                add("%{#application.test}");
+                add("%{#Application['test']}");
+                add("%{#Application.test}");
+                add("%{#session['test']}");
+                add("%{#session.test}");
+                add("%{#Session['test']}");
+                add("%{#Session.test}");
+                add("%{#struts['test']}");
+                add("%{#struts.test}");
+                add("%{#Struts['test']}");
+                add("%{#Struts.test}");
+                add("%{#request['test']}");
+                add("%{#request.test}");
+                add("%{#Request['test']}");
+                add("%{#Request.test}");
+                add("%{#servletRequest['test']}");
+                add("%{#servletRequest.test}");
+                add("%{#ServletRequest['test']}");
+                add("%{#ServletRequest.test}");
+                add("%{#servletResponse['test']}");
+                add("%{#servletResponse.test}");
+                add("%{#ServletResponse['test']}");
+                add("%{#ServletResponse.test}");
+                add("%{#parameters['test']}");
+                add("%{#parameters.test}");
+                add("%{#Parameters['test']}");
+                add("%{#Parameters.test}");
+            }
+        };
+
+        AcceptedPatternsChecker checker = new DefaultAcceptedPatternsChecker();
+
+        for (String param : params) {
+            // when
+            AcceptedPatternsChecker.IsAccepted actual = 
checker.isAccepted(param);
+
+            // then
+            assertFalse("Access to " + param + " is possible!", 
actual.isAccepted());
+        }
+    }
+
+}
\ No newline at end of file
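Review bot: The test exercises only the hard-coded patterns; the commit's headline feature, `setAdditionalAcceptedPatterns`, and the new case-insensitive compilation of user-supplied patterns are untested. A second method declaring `DefaultAcceptedPatternsChecker checker = new DefaultAcceptedPatternsChecker();` (the setter is not on the interface), calling `checker.setAdditionalAcceptedPatterns("^foo\\..*");` and asserting `checker.isAccepted("Foo.bar").isAccepted()` would pin both behaviours, assuming `isAccepted()` reports true on any pattern match, which this diff does not show.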

http://git-wip-us.apache.org/repos/asf/struts/blob/89cbe138/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
----------------------------------------------------------------------
diff --git 
a/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
 
b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
new file mode 100644
index 0000000..32121b9
--- /dev/null
+++ 
b/xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java
@@ -0,0 +1,56 @@
+package com.opensymphony.xwork2.security;
+
+import com.opensymphony.xwork2.XWorkTestCase;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class DefaultExcludedPatternsCheckerTest extends XWorkTestCase {
+
+    public void testHardcodedPatterns() throws Exception {
+        // given
+        List<String> params = new ArrayList<String>() {
+            {
+                add("%{#application['test']}");
+                add("%{#application.test}");
+                add("%{#Application['test']}");
+                add("%{#Application.test}");
+                add("%{#session['test']}");
+                add("%{#session.test}");
+                add("%{#Session['test']}");
+                add("%{#Session.test}");
+                add("%{#struts['test']}");
+                add("%{#struts.test}");
+                add("%{#Struts['test']}");
+                add("%{#Struts.test}");
+                add("%{#request['test']}");
+                add("%{#request.test}");
+                add("%{#Request['test']}");
+                add("%{#Request.test}");
+                add("%{#servletRequest['test']}");
+                add("%{#servletRequest.test}");
+                add("%{#ServletRequest['test']}");
+                add("%{#ServletRequest.test}");
+                add("%{#servletResponse['test']}");
+                add("%{#servletResponse.test}");
+                add("%{#ServletResponse['test']}");
+                add("%{#ServletResponse.test}");
+                add("%{#parameters['test']}");
+                add("%{#parameters.test}");
+                add("%{#Parameters['test']}");
+                add("%{#Parameters.test}");
+            }
+        };
+
+        ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
+
+        for (String param : params) {
+            // when
+            ExcludedPatternsChecker.IsExcluded actual = 
checker.isExcluded(param);
+
+            // then
+            assertTrue("Access to " + param + " is possible!", 
actual.isExcluded());
+        }
+    }
+
+}
\ No newline at end of file
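Review bot: Nothing here checks `setAdditionalExcludePatterns` or that a user-supplied exclusion is compiled case-insensitively, which is what this commit changes. Declaring `checker` as `DefaultExcludedPatternsChecker` (the setter is not on the interface), then `checker.setAdditionalExcludePatterns("^foo\\..*");` followed by `assertTrue(checker.isExcluded("Foo.bar").isExcluded());` would cover both. The message `"Access to " + param + " is possible!"` is fine for the assertTrue, but a name such as `testAdditionalPatternsAreCaseInsensitive` for the new method would make the intent visible in the report.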
