Repository: struts Updated Branches: refs/heads/support-2-3 ae5630197 -> 086b63735
Adds constant to control proxy member access Project: http://git-wip-us.apache.org/repos/asf/struts/repo Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/086b6373 Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/086b6373 Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/086b6373 Branch: refs/heads/support-2-3 Commit: 086b63735527d4bb0c1dd0d86a7c0374b825ff24 Parents: ae56301 Author: Yasser Zamani <yasser.zam...@live.com> Authored: Fri Jul 7 13:35:10 2017 +0430 Committer: Yasser Zamani <yasser.zam...@live.com> Committed: Fri Jul 7 13:35:10 2017 +0430 ---------------------------------------------------------------------- .../spring/src/main/resources/struts-plugin.xml | 1 + .../com/opensymphony/xwork2/XWorkConstants.java | 1 + .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 11 +++++ .../xwork2/ognl/OgnlValueStack.java | 1 + .../xwork2/ognl/SecurityMemberAccess.java | 7 ++- .../ognl/SecurityMemberAccessProxyTest.java | 49 ++++++++++++++++++++ .../xwork2/spring/actionContext-xwork.xml | 1 + 7 files changed, 70 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/plugins/spring/src/main/resources/struts-plugin.xml ---------------------------------------------------------------------- diff --git a/plugins/spring/src/main/resources/struts-plugin.xml b/plugins/spring/src/main/resources/struts-plugin.xml index 2e9b1b1..8f46858 100644 --- a/plugins/spring/src/main/resources/struts-plugin.xml +++ b/plugins/spring/src/main/resources/struts-plugin.xml 
@@ -34,6 +34,7 @@ <constant name="struts.class.reloading.watchList" value="" /> <constant name="struts.class.reloading.acceptClasses" value="" /> <constant name="struts.class.reloading.reloadConfig" value="false" /> + <constant name="xwork.disallowProxyMemberAccess" value="true" /> <package name="spring-default"> <interceptors> http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java index bc532d0..b0c2748 100644 --- a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java @@ -28,4 +28,5 @@ public final class XWorkConstants { public static final String OVERRIDE_EXCLUDED_PATTERNS = "overrideExcludedPatterns"; public static final String OVERRIDE_ACCEPTED_PATTERNS = "overrideAcceptedPatterns"; + public static final String XWORK_DISALLOW_PROXY_MEMBER_ACCESS = "xwork.disallowProxyMemberAccess"; } http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java index 42132ba..e1cc46e 100644 --- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java @@ -72,6 +72,7 @@ public class OgnlUtil { private Container container; private boolean allowStaticMethodAccess; + private boolean disallowProxyMemberAccess; @Inject public void setXWorkConverter(XWorkConverter conv) { 
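Review bot: `private boolean disallowProxyMemberAccess;` in OgnlUtil starts out false, and the same unset field is added to SecurityMemberAccess in a later hunk, so the proxy check is off whenever the constant is absent. The setter is injected with `required = false`, and the only non-test file in this commit that sets `xwork.disallowProxyMemberAccess` to `true` is the Spring plugin's struts-plugin.xml, so a container that does not load that file presumably runs without a check that was unconditional before this commit. If opt-in is intended, say so on the field, e.g. `// false unless xwork.disallowProxyMemberAccess is set; the Spring plugin sets it to true`. Otherwise initialise both fields to `true` so that a missing constant fails closed; note that `testProxyAccessIsAccessible` in the new test currently pins the permissive default.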
@@ -144,6 +145,15 @@ public class OgnlUtil { this.allowStaticMethodAccess = Boolean.parseBoolean(allowStaticMethodAccess); } + @Inject(value = XWorkConstants.XWORK_DISALLOW_PROXY_MEMBER_ACCESS, required = false) + public void setDisallowProxyMemberAccess(String disallowProxyMemberAccess) { + this.disallowProxyMemberAccess = Boolean.parseBoolean(disallowProxyMemberAccess); + } + + public boolean isDisallowProxyMemberAccess() { + return disallowProxyMemberAccess; + } + /** * Sets the object's properties using the default type converter, defaulting to not throw * exceptions for problems setting the properties. @@ -654,6 +664,7 @@ public class OgnlUtil { memberAccess.setExcludedClasses(excludedClasses); memberAccess.setExcludedPackageNamePatterns(excludedPackageNamePatterns); memberAccess.setExcludedPackageNames(excludedPackageNames); + memberAccess.setDisallowProxyMemberAccess(disallowProxyMemberAccess); return Ognl.createDefaultContext(root, resolver, defaultConverter, memberAccess); } http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java index 3f44169..f6decf3 100644 --- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java 
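Review bot: `Boolean.parseBoolean(disallowProxyMemberAccess)` in `setDisallowProxyMemberAccess` maps every value other than a case-insensitive "true" to false, so a misspelt or padded value such as `yes` or `true ` switches the proxy check off without any signal. This matches the `setAllowStaticMethodAccess` line just above, but there an unparseable value leaves the restriction in place, whereas here it removes one. I would trim the value and log a warning when it is neither "true" nor "false" before assigning, assuming OgnlUtil has a logger in scope, which this hunk does not show. The setter and `isDisallowProxyMemberAccess()` also lack Javadoc; one sentence naming the constant and stating that `true` makes SecurityMemberAccess reject members of proxy objects would be enough.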
@@ -83,6 +83,7 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS securityMemberAccess.setExcludedClasses(ognlUtil.getExcludedClasses()); securityMemberAccess.setExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns()); securityMemberAccess.setExcludedPackageNames(ognlUtil.getExcludedPackageNames()); + securityMemberAccess.setDisallowProxyMemberAccess(ognlUtil.isDisallowProxyMemberAccess()); } protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot, http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index 6ff74f1..7d52a46 100644 --- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -42,6 +42,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { private Set<Class<?>> excludedClasses = Collections.emptySet(); private Set<Pattern> excludedPackageNamePatterns = Collections.emptySet(); private Set<String> excludedPackageNames = Collections.emptySet(); + private boolean disallowProxyMemberAccess; public SecurityMemberAccess(boolean method) { super(false); @@ -94,7 +95,7 @@ public class SecurityMemberAccess extends DefaultMemberAccess { return false; } - if (ProxyUtil.isProxyMember(member, target)) { + if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, target)) { LOG.warn("Access to proxy [#0] is blocked!", member); return false; } 
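Review bot: With the flag off, the `ProxyUtil.isProxyMember(member, target)` branch in `isAccessible` is skipped silently and a proxy member falls through to the checks below the hunk, which are not visible here. It is worth confirming that those excluded-class and excluded-package checks evaluate the proxied target's class rather than the generated proxy class, otherwise an exclusion entry may stop matching once proxy access is allowed. A short comment above the condition, such as `// proxy members are rejected only when xwork.disallowProxyMemberAccess is true`, would also record that this guard used to be unconditional. The body of `isAccessible` starts and ends outside the hunk.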
@@ -222,4 +223,8 @@ public class SecurityMemberAccess extends DefaultMemberAccess { public void setExcludedPackageNames(Set<String> excludedPackageNames) { this.excludedPackageNames = excludedPackageNames; } + + public void setDisallowProxyMemberAccess(boolean disallowProxyMemberAccess) { + this.disallowProxyMemberAccess = disallowProxyMemberAccess; + } } http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java ---------------------------------------------------------------------- diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java new file mode 100644 index 0000000..7e11ceb --- /dev/null +++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java 
@@ -0,0 +1,49 @@
+package com.opensymphony.xwork2.ognl;
+
+import java.lang.reflect.Member;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.opensymphony.xwork2.ActionProxy;
+import com.opensymphony.xwork2.XWorkTestCase;
+import com.opensymphony.xwork2.config.providers.XmlConfigurationProvider;
+
+public class SecurityMemberAccessProxyTest extends XWorkTestCase {
+ private Map<String, Object> context;
+
+ @Override
+ public void setUp() throws Exception {
+ super.setUp();
+
+ context = new HashMap<String, Object>();
+ // Set up XWork
+ XmlConfigurationProvider provider = new XmlConfigurationProvider("com/opensymphony/xwork2/spring/actionContext-xwork.xml");
+ container.inject(provider);
+ loadConfigurationProviders(provider);
+ }
+
+ public void testProxyAccessIsBlocked() throws Exception {
+ ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+ "paramsAwareProxiedAction", null, context);
+
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+ sma.setDisallowProxyMemberAccess(true);
+
+ Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+ boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+ assertFalse(accessible);
+ }
+
+ public void testProxyAccessIsAccessible() throws Exception {
+ ActionProxy proxy = actionProxyFactory.createActionProxy(null,
+ "paramsAwareProxiedAction", null, context);
+
+ SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+ Member member = proxy.getAction().getClass().getMethod("isExposeProxy");
+
+ boolean accessible = sma.isAccessible(context, proxy.getAction(), member, "");
+ assertTrue(accessible);
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/struts/blob/086b6373/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml ----------------------------------------------------------------------
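Review bot: Both tests build `new SecurityMemberAccess(false)` by hand, so nothing checks that `xwork.disallowProxyMemberAccess` from actionContext-xwork.xml actually reaches OgnlUtil and the member-access objects it configures. A typo in the constant name, or a dropped `setDisallowProxyMemberAccess` call in OgnlUtil or OgnlValueStack, would leave these tests green. I would add an assertion on the wiring, for example `assertTrue(container.getInstance(OgnlUtil.class).isDisallowProxyMemberAccess());` after the provider is loaded, assuming `container` refers to the reloaded configuration at that point. `testProxyAccessIsAccessible` would also benefit from a comment stating that it pins the default-off behaviour on purpose.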
diff --git a/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml b/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml index 928d37f..88b78ec 100644 --- a/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml +++ b/xwork-core/src/test/resources/com/opensymphony/xwork2/spring/actionContext-xwork.xml @@ -2,6 +2,7 @@ <xwork> <bean type="com.opensymphony.xwork2.ObjectFactory" class="com.opensymphony.xwork2.spring.SpringObjectFactory" /> <constant name="applicationContextPath" value="com/opensymphony/xwork2/spring/actionContext-spring.xml" /> + <constant name="xwork.disallowProxyMemberAccess" value="true" /> <package name="default"> <result-types> <result-type name="null" class="com.opensymphony.xwork2.mock.MockResult" default="true"/>