This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5343-sec-extend in repository https://gitbox.apache.org/repos/asf/struts.git
discard de16218cb WW-5343 Delete unused code and consolidate constructors add 891598545 WW-5334 Fix empty chained context name add 03e232344 Merge pull request #744 from apache/WW-5334-fix-chained-contexts add 20e211061 Reverts version to 6.3.0-SNAPSHOT add 1a88f78a7 [maven-release-plugin] prepare release STRUTS_6_3_0 add a0185f248 [maven-release-plugin] prepare for next development iteration add 85fe68071 Moves all CI notifications to commits@ list add 74e5aad4f Update .asf.yaml add f70feb11e Merge pull request #748 from apache/feature/notify-builds add 50b36695e Bump actions/checkout from 3 to 4 add badb3f457 Merge pull request #751 from apache/dependabot/github_actions/actions/checkout-4 add f0e3cec5c Bump actions/upload-artifact from 3.1.2 to 3.1.3 add 59e9c18ca Merge pull request #752 from apache/dependabot/github_actions/actions/upload-artifact-3.1.3 add 0ba2d69af [maven-release-plugin] prepare release STRUTS_6_3_0_1 add f4253ff8f [maven-release-plugin] prepare for next development iteration add 4c044f125 Always delete uploaded file add 236ae15c6 [maven-release-plugin] prepare release STRUTS_6_3_0_1 add b7f73715d [maven-release-plugin] prepare for next development iteration add 4f5c4ff00 Bump actions/cache from 3.3.1 to 3.3.2 add 142bb9efe Merge pull request #753 from apache/dependabot/github_actions/actions/cache-3.3.2 add bc85d35a2 WW-5341 Make validation more efficient add 501d395b9 Merge pull request #741 from apache/WW-5341-classloaders add bb83a6014 Merge pull request #742 from apache/WW-5342-default-package add 7bd31cf31 WW-5339 Clean up OgnlValueStackTest add 2b70b024b WW-5339 Misc clean up in CompoundRootAccessor add fde2b70fa Merge pull request #745 from apache/WW-5339-cleanup add 452cb774a WW-5340 Refactor OgnlUtil, specifically calls to Ognl#getValue,setValue,parseExpression add 13f0591ca WW-5340 Remove redundant check on #setValue add 65ff2422e WW-5340 Rename functional interface add 90adbfb3c WW-5340 Fix OgnlReflectionProvider bypassing OgnlUtil 
add 19d26b29a Merge pull request #746 from apache/WW-5340-ognlutil-refactor add 49a27d1b2 replace BeanManager::createInjectionTarget add 61ca68f4a indent CdiObjectFactory with 4 spaces everywhere add 3da11a29a Merge pull request #754 from hepptho/replace-deprecated-beanmanager-method add 684c61560 Split SonarCloud into separate action add 9540ba6a0 Merge pull request #755 from apache/gh-actions-sonar add 8551a09a6 WW-5340 Introducing OGNL Guard add 25585617f WW-5340 Fix tests add f542fde45 WW-5340 Make OgnlGuard a configurable bean add 91d58d31d WW-5340 Cache OgnlGuard result add 2bca0147c WW-5340 Add validation to excluded node configuration add 4ff700e9a WW-5340 Add unit tests add a4a0d70aa WW-5340 Refactor OgnlGuard to do the parsing add 11e4dce71 WW-5340 Correct optimisation add f69364bf6 WW-5340 Rename DefaultOgnlGuard to StrutsOgnlGuard add a75a87364 WW-5340 Repackage OgnlGuard add 4c4ec52b3 WW-5340 Rename blocked by OgnlGuard string add ed5974689 WW-5340 Make excludedNodeTypes protected for subclassing versatility add 6f8844eac Merge pull request #747 from apache/WW-5340-ognl-guard add ebaec639c WW-5348 Introduce protected #logPatternChange method add b8f95bdcc Merge pull request #757 from apache/WW-5348-patterns-logging add 85843b26f WW-5347 Upgrades to commons-digester3 ver 3.2 add 248bc7214 Merge pull request #756 from apache/feature/WW-5347-digester add debcb541e WW-5338 Removes deprecated OgnTool add 3b41e6bcb WW-5338 Removes also deprecated constant in ContextUtil add ff9ecbe08 Merge pull request #758 from apache/feature/WW-5338-remove-ognltool add 529b61115 WW-5344 Un-deprecates Sitemesh plugin and upgrades Sitmesh to ver 2.5.0 add 46c29ae33 Merge pull request #759 from apache/feature/WW-5344-undeprecate add 20eafb632 WW-5340 Mild refactor StrutsOgnlGuard for easier subclassing add 276ede4c8 WW-5340 Add debug logging for rejected form fields add f4029f8fd WW-5340 Sanitize field names before logging add fc03a2b69 Merge pull request #760 from 
apache/WW-5340-subclassable add 8a95a3f48 Bump ossf/scorecard-action from 2.2.0 to 2.3.0 add a165c02ef Merge pull request #762 from apache/dependabot/github_actions/ossf/scorecard-action-2.3.0 add 8ff8e42e7 Bump org.jfree:jfreechart from 1.5.1 to 1.5.4 add 23feab685 Merge pull request #740 from apache/dependabot/maven/org.jfree-jfreechart-1.5.4 add 4155263e6 WW-5349 Remove Struts core dependency on OGNL VarRefs add 6995eaf2f WW-5349 Remove corresponding unit tests add 913f6bf3a Merge pull request #763 from apache/WW-5349-astvarref add 62db310b0 Add JDK 21 build add 9c12bb86b Fix JDK 21 build add 00db84468 Convert test class to JUnit4 add b736eb281 Upgrade EasyMock add f2834d252 Merge pull request #764 from apache/gh-actions-sonar-21 add 0432205a6 WW-5354 Ensure ActionSupport fields are not parameter injectable add 67da669f0 Merge pull request #765 from apache/WW-5354-block-params add 39f81575f Upgrade Jackson and remove unnecessary transitive override add 403c3c4a1 Unify HtmlUnit versions add a750917fb Upgrade ASM and exclude conflicting artifact add 43fb80e17 Merge pull request #767 from apache/fix-conflict-deps add fb710f9ca Bump org.codehaus.mojo:versions-maven-plugin from 2.7 to 2.16.1 add 84c1b1d0e Merge pull request #768 from apache/dependabot/maven/org.codehaus.mojo-versions-maven-plugin-2.16.1 add 74d2fdcc6 WW-5355 Use LRU cache by default add 5011a7977 WW-5355 Prevent AtomicInteger being initialised to zero add 9527da5d3 WW-5355 Initial Caffeine cache implementation add 1573207ee WW-5355 Fix eviction limit in LRU cache not being enforced add 6ff7e15bf WW-5355 Update JavaDoc for basic and LRU cache add 9c932f203 WW-5355 Introduce new Struts constants and their defaults add bfb4df13e WW-5355 Unify bootstrap constant declaration add d245dc551 WW-5355 Introduce new cache type selection methods and deprecate problematic setter injection add 4700dca18 WW-5355 Downgrade Caffeine version add 7463e1de1 WW-5355 Fix interface and unit test bug add 28cc6459b WW-5355 
Address code smells add 793d38371 WW-5355 Delegate deprecated constructor add 9be23d7a0 WW-5355 Extract constants into static final fields add 3d5beae36 WW-5355 Declare bootstrap constants as final field instead add f314b455f WW-5355 Add since tags to StrutsConstants JavaDoc add 9dbea66f9 WW-5355 Amend Caffeine cache implementation add 7cded18c0 WW-5355 Rename cache types add 7afc77266 WW-5355 Bootstrap using basic cache add cae627f35 Merge pull request #766 from apache/WW-5355-cache-lru add e8562c78d Bump org.owasp:dependency-check-maven from 7.2.0 to 8.4.2 add fc5d1cabe Merge pull request #771 from apache/dependabot/maven/org.owasp-dependency-check-maven-8.4.2 add 5bcf9e785 Improved charset retrieval to get only once. add afe31cc01 Update core/src/main/java/org/apache/struts2/url/StrutsUrlDecoder.java add faa98d7af Update core/src/main/java/org/apache/struts2/url/StrutsUrlDecoder.java add b15b83dd0 Merge pull request #773 from mygreen/improve-urldecoder-peformance add c2aec9c07 WW-5358 Expand exclusion lists add bd388956c Merge pull request #774 from apache/WW-5358-excl-list add 3ef0aa709 Bump ossf/scorecard-action from 2.3.0 to 2.3.1 add 574da8111 Merge pull request #775 from apache/dependabot/github_actions/ossf/scorecard-action-2.3.1 add f13284832 Bump junit:junit from 4.13.1 to 4.13.2 add 48b0c1173 Merge pull request #776 from apache/dependabot/maven/junit-junit-4.13.2 add 453130666 Bump org.jacoco:jacoco-maven-plugin from 0.8.8 to 0.8.11 add 56fc1ddc5 Merge pull request #777 from apache/dependabot/maven/org.jacoco-jacoco-maven-plugin-0.8.11 add 82647959b WW-5350 Refactor SecurityMemberAccess add 39787947f WW-5350 Fix static member test add c85d7ebf5 WW-5350 Fix argument validation add 0928a6ae6 WW-5350 Make property matching code more succinct add 9cbe10f06 WW-5350 See target to null in special case add bef976917 WW-5350 Implement OGNL Allowlist capability add 72d617012 Bump slf4j.version from 2.0.7 to 2.0.9 add d8bc96d17 Merge pull request #783 from 
apache/dependabot/maven/slf4j.version-2.0.9 add 601fb0ff5 Bump net.sf.jasperreports:jasperreports from 6.20.5 to 6.20.6 add f511034ac Merge pull request #784 from apache/dependabot/maven/net.sf.jasperreports-jasperreports-6.20.6 add e3241388d WW-5350 Fix mismatched logging add 9d6fe7493 Merge pull request #780 from apache/WW-5350-allowlist add b4fbc0f0d Merge branch 'master' into WW-5350-allowlist-2 new 79ffc86b6 WW-5343 Delete unused code and consolidate constructors new 082532995 WW-5343 Extract ConfigParseUtil new b0b80bac7 WW-5343 Extract deprecated methods as default interface methods new 9e556e9ed WW-5343 Deprecate unnecessary setter new 90344b381 WW-5343 Make SecurityMemberAccess a prototype bean new 7e92a8d7b WW-5343 Refactor OgnlValueStackFactory to utilise SecurityMemberAccess bean new b518635e2 WW-5343 Update OgnlUtil#createDefaultContext to utilise SecurityMemberAccess bean new 4490d9d77 WW-5343 Move configuration injection from OgnlUtil to SecurityMemberAccess new 8bf47b367 WW-5343 Fix OgnlUtilTest#testBeanMapExpressions new 62988f783 WW-5343 Fix unit test compilation errors

This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this:

 * -- * -- B -- O -- O -- O   (de16218cb)
            \
             N -- N -- N   refs/heads/WW-5343-sec-extend (62988f783)

You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. The 10 revisions listed above as "new" are entirely new to this repository and will be described in separate emails.
The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .asf.yaml | 4 +- .github/workflows/codeql.yml | 2 +- .github/workflows/maven.yml | 27 +- .github/workflows/scorecards-analysis.yaml | 6 +- .github/workflows/{maven.yml => sonar.yml} | 33 +- Jenkinsfile | 6 +- apps/rest-showcase/pom.xml | 1 - apps/showcase/pom.xml | 1 - bom/pom.xml | 2 +- bundles/demo/pom.xml | 4 +- core/pom.xml | 10 +- .../xwork2/config/impl/DefaultConfiguration.java | 118 ++++++- .../xwork2/config/impl/MockConfiguration.java | 18 +- .../StrutsDefaultConfigurationProvider.java | 20 +- .../ognl/DefaultOgnlBeanInfoCacheFactory.java | 19 +- .../xwork2/ognl/DefaultOgnlCacheFactory.java | 70 +++- .../ognl/DefaultOgnlExpressionCacheFactory.java | 25 +- .../com/opensymphony/xwork2/ognl/OgnlCache.java | 16 +- .../opensymphony/xwork2/ognl/OgnlCacheFactory.java | 48 ++- .../xwork2/ognl/OgnlCaffeineCache.java | 78 +++++ .../opensymphony/xwork2/ognl/OgnlDefaultCache.java | 31 +- .../com/opensymphony/xwork2/ognl/OgnlLRUCache.java | 46 +-- .../xwork2/ognl/OgnlReflectionProvider.java | 8 +- .../com/opensymphony/xwork2/ognl/OgnlUtil.java | 380 ++++++++++----------- .../opensymphony/xwork2/ognl/OgnlValueStack.java | 89 +++-- .../xwork2/ognl/OgnlValueStackFactory.java | 23 +- .../xwork2/ognl/SecurityMemberAccess.java | 350 ++++++++++--------- .../xwork2/ognl/accessor/CompoundRootAccessor.java | 47 ++- .../security/DefaultAcceptedPatternsChecker.java | 43 ++- .../security/DefaultExcludedPatternsChecker.java | 23 +- .../opensymphony/xwork2/util/ConfigParseUtil.java | 77 +++++ .../xwork2/util/MemberAccessValueStack.java | 8 +- .../java/org/apache/struts2/StrutsConstants.java | 70 ++-- .../java/org/apache/struts2/components/UIBean.java | 12 - .../config/StrutsBeanSelectionProvider.java | 21 +- .../multipart/JakartaMultiPartRequest.java | 82 ++--- .../java/org/apache/struts2/ognl/OgnlGuard.java | 80 +++++ 
.../org/apache/struts2/ognl/StrutsOgnlGuard.java | 108 ++++++ .../org/apache/struts2/url/StrutsUrlDecoder.java | 5 +- .../java/org/apache/struts2/util/StrutsUtil.java | 15 +- .../struts2/views/freemarker/FreemarkerResult.java | 16 +- .../org/apache/struts2/views/jsp/ui/OgnlTool.java | 60 ---- .../org/apache/struts2/views/util/ContextUtil.java | 2 - .../org/apache/struts2/default.properties | 38 +-- core/src/main/resources/struts-beans.xml | 6 +- .../src/main/resources/struts-excluded-classes.xml | 102 ++++-- .../xwork2/DefaultActionInvocationTest.java | 6 +- .../xwork2/inject/ContainerImplTest.java | 79 ++--- .../interceptor/ParametersInterceptorTest.java | 18 +- .../com/opensymphony/xwork2/ognl/OgnlUtilTest.java | 50 +-- .../xwork2/ognl/OgnlValueStackTest.java | 245 ++++--------- .../xwork2/ognl/SecurityMemberAccessTest.java | 228 ++++++++----- .../org/apache/struts2/components/UIBeanTest.java | 38 --- .../apache/struts2/ognl/StrutsOgnlGuardTest.java | 79 +++++ .../util/SecurityMemberAccessInServletsTest.java | 11 +- .../org/apache/struts2/cdi/CdiObjectFactory.java | 145 ++++---- plugins/jasperreports/pom.xml | 2 +- plugins/jfreechart/pom.xml | 2 +- plugins/osgi/pom.xml | 4 +- plugins/portlet/pom.xml | 9 - .../views/freemarker/PortletFreemarkerResult.java | 10 +- plugins/sitemesh/pom.xml | 2 +- .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 2 +- .../com/test/SecurityMemberAccessProxyTest.java | 49 +-- plugins/tiles/pom.xml | 4 +- .../digester/DigesterDefinitionsReader.java | 327 ++++++++++-------- .../struts2/views/velocity/VelocityManager.java | 11 +- .../views/velocity/VelocityManagerTest.java | 1 - pom.xml | 61 ++-- 69 files changed, 2044 insertions(+), 1589 deletions(-) copy .github/workflows/{maven.yml => sonar.yml} (60%) create mode 100644 core/src/main/java/com/opensymphony/xwork2/ognl/OgnlCaffeineCache.java create mode 100644 core/src/main/java/com/opensymphony/xwork2/util/ConfigParseUtil.java create mode 100644 
core/src/main/java/org/apache/struts2/ognl/OgnlGuard.java create mode 100644 core/src/main/java/org/apache/struts2/ognl/StrutsOgnlGuard.java delete mode 100644 core/src/main/java/org/apache/struts2/views/jsp/ui/OgnlTool.java create mode 100644 core/src/test/java/org/apache/struts2/ognl/StrutsOgnlGuardTest.java