[struts] branch master updated: [WW-4973] Upgrades to OGNL 3.2.8 (#258)

Wed, 31 Oct 2018 04:12:24 -0700 

This is an automated email from the ASF dual-hosted git repository.

yasserzamani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git


The following commit(s) were added to refs/heads/master by this push:
     new b82db24  [WW-4973] Upgrades to OGNL 3.2.8 (#258)
b82db24 is described below

commit b82db24fb66dc7b956d5b87c979335292ad7911f
Author: Lukasz Lenart <[email protected]>
AuthorDate: Wed Oct 31 12:12:12 2018 +0100

    [WW-4973] Upgrades to OGNL 3.2.8 (#258)
    
    * WW-4973 Upgrades to OGNL 3.2.8
    
    * WW-4973 Supports null target in case of accessing a static field
    
    * WW-4973 Reduce code duplication
    
    * WW-4973 Supports null when checking proxy
    
    * WW-4973 Adds more tests to cover new functionality
    
    * WW-4973 Adds additional tests to cover null when checking proxy
    
    * improve isAccessible method body
    
    See WW-4973
---
 .../xwork2/ognl/SecurityMemberAccess.java          | 45 +++++++++-------------
 .../com/opensymphony/xwork2/util/ProxyUtil.java    |  5 ++-
 .../xwork2/ognl/SecurityMemberAccessTest.java      | 42 ++++++++++++++++++++
 .../xwork2/spring/SpringProxyUtilTest.java         |  2 +
 pom.xml                                            |  2 +-
 5 files changed, 66 insertions(+), 30 deletions(-)

diff --git 
a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java 
b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 2002669..0344352 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -81,23 +81,27 @@ public class SecurityMemberAccess implements MemberAccess {
     @Override
     public boolean isAccessible(Map context, Object target, Member member, 
String propertyName) {
         LOG.debug("Checking access for [target: {}, member: {}, property: 
{}]", target, member, propertyName);
-        
-        Class targetClass = target.getClass();
-        Class memberClass = member.getDeclaringClass();
-        
+
         if (checkEnumAccess(target, member)) {
-            LOG.trace("Allowing access to enum: target class [{}] of target 
[{}], member [{}]", targetClass, target, member);
+            LOG.trace("Allowing access to enum: target [{}], member [{}]", 
target, member);
             return true;
         }
 
-        if (Modifier.isStatic(member.getModifiers()) && 
allowStaticMethodAccess) {
-            LOG.debug("Support for accessing static methods [target: {}, 
targetClass: {}, member: {}, property: {}] is deprecated!",
-                    target, targetClass, member, propertyName);
-            if (!isClassExcluded(member.getDeclaringClass())) {
-                targetClass = member.getDeclaringClass();
-            }
+        if (!checkStaticMethodAccess(member)) {
+            LOG.warn("Access to static [{}] is blocked!", member);
+            return false;
         }
 
+        final Class memberClass = member.getDeclaringClass();
+
+        if (isClassExcluded(memberClass)) {
+            LOG.warn("Declaring class of member type [{}] is excluded!", 
member);
+            return false;
+        }
+
+        // target can be null in case of accessing static fields, since OGNL 
3.2.8
+        Class targetClass = Modifier.isStatic(member.getModifiers()) ? 
memberClass : target.getClass();
+
         if (isPackageExcluded(targetClass.getPackage(), 
memberClass.getPackage())) {
             LOG.warn("Package [{}] of target class [{}] of target [{}] or 
package [{}] of member [{}] are excluded!", targetClass.getPackage(), 
targetClass,
                     target, memberClass.getPackage(), member);
@@ -109,33 +113,20 @@ public class SecurityMemberAccess implements MemberAccess 
{
             return false;
         }
 
-        if (isClassExcluded(memberClass)) {
-            LOG.warn("Declaring class of member type [{}] is excluded!", 
member);
-            return false;
-        }
-
         if (disallowProxyMemberAccess && ProxyUtil.isProxyMember(member, 
target)) {
             LOG.warn("Access to proxy is blocked! Target class [{}] of target 
[{}], member [{}]", targetClass, target, member);
             return false;
         }
 
-        boolean allow = true;
-        if (!checkStaticMethodAccess(member)) {
-            LOG.warn("Access to static [{}] is blocked!", member);
-            allow = false;
-        }
-
-        //failed static test
-        if (!allow) {
-            return false;
-        }
-
         return Modifier.isPublic(member.getModifiers()) && 
isAcceptableProperty(propertyName);
     }
 
     protected boolean checkStaticMethodAccess(Member member) {
         int modifiers = member.getModifiers();
         if (Modifier.isStatic(modifiers)) {
+            if (allowStaticMethodAccess) {
+                LOG.debug("Support for accessing static methods [member: {}] 
is deprecated!", member);
+            }
             return allowStaticMethodAccess;
         } else {
             return true;
diff --git a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java 
b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
index 0f9ec65..9b0e7d4 100644
--- a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
+++ b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java
@@ -82,13 +82,14 @@ public class ProxyUtil {
     }
 
     /**
-     * Check whether the given member is a proxy member of a proxy object.
+     * Check whether the given member is a proxy member of a proxy object or 
is a static proxy member.
      * @param member the member to check
      * @param object the object to check
      */
     public static boolean isProxyMember(Member member, Object object) {
-        if (!isProxy(object))
+        if (!Modifier.isStatic(member.getModifiers()) && !isProxy(object)) {
             return false;
+        }
 
         Boolean flag = isProxyMemberCache.get(member);
         if (flag != null) {
diff --git 
a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java 
b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index ddb3f28..fbc8f5e 100644
--- 
a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ 
b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -22,6 +22,7 @@ import com.opensymphony.xwork2.util.TextParseUtil;
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -259,6 +260,45 @@ public class SecurityMemberAccessTest extends TestCase {
         assertTrue("Access to static is blocked!", actual);
     }
 
+    public void testAccessStaticField() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(true);
+        sma.setExcludedClasses(new 
HashSet<Class<?>>(Collections.singletonList(Class.class)));
+
+        // when
+        Member method = StaticTester.class.getField("MAX_VALUE");
+        boolean actual = sma.isAccessible(context, null, method, null);
+
+        // then
+        assertTrue("Access to static field is blocked!", actual);
+    }
+
+    public void testBlockedStaticFieldWhenFlagIsFalse() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+        sma.setExcludedClasses(new 
HashSet<Class<?>>(Collections.singletonList(Class.class)));
+
+        // when
+        Member method = StaticTester.class.getField("MAX_VALUE");
+        boolean actual = sma.isAccessible(context, null, method, null);
+
+        // then
+        assertFalse("Access to static field isn't blocked!", actual);
+    }
+
+    public void testBlockedStaticFieldWhenClassIsExcluded() throws Exception {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(true);
+        sma.setExcludedClasses(new HashSet<>(Arrays.asList(Class.class, 
StaticTester.class)));
+
+        // when
+        Member method = StaticTester.class.getField("MAX_VALUE");
+        boolean actual = sma.isAccessible(context, null, method, null);
+
+        // then
+        assertFalse("Access to static field isn't blocked!", actual);
+    }
+
     public void testBlockStaticAccess() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
@@ -503,6 +543,8 @@ enum MyValues {
 
 class StaticTester {
 
+    public static int MAX_VALUE = 0;
+
     public static String sayHello() {
         return "Hello";
     }
diff --git 
a/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java 
b/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java
index 895e7b2..ce19976 100644
--- a/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/spring/SpringProxyUtilTest.java
@@ -87,6 +87,8 @@ public class SpringProxyUtilTest extends XWorkTestCase {
     }
 
     public void testIsProxyMember() throws Exception {
+        
assertFalse(ProxyUtil.isProxyMember(SimpleAction.class.getField("COMMAND_RETURN_CODE"),
 null));
+
         Object simpleAction = appContext.getBean("simple-action");
         assertFalse(ProxyUtil.isProxyMember(
                 simpleAction.getClass().getMethod("setName", String.class), 
simpleAction));
diff --git a/pom.xml b/pom.xml
index c3e5668..ccd8e80 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,7 +98,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
         <spring.platformVersion>4.3.13.RELEASE</spring.platformVersion>
-        <ognl.version>3.2.7</ognl.version>
+        <ognl.version>3.2.8</ognl.version>
         <asm.version>5.2</asm.version>
         <tiles.version>3.0.8</tiles.version>
         <tiles-request.version>1.0.7</tiles-request.version>

Reply via email to