This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5343-sec-extend in repository https://gitbox.apache.org/repos/asf/struts.git
commit 7e92a8d7b4c2f06a174fb9330786174abbf23b0a
Author: Kusal Kithul-Godage <g...@kusal.io>
AuthorDate: Wed Nov 15 00:23:51 2023 +1100
WW-5343 Refactor OgnlValueStackFactory to utilise SecurityMemberAccess bean
---
.../opensymphony/xwork2/ognl/OgnlValueStack.java | 74 +++++++++++++++++-----
.../xwork2/ognl/OgnlValueStackFactory.java | 23 +++----
2 files changed, 67 insertions(+), 30 deletions(-)
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
index a003972d5..63802717a 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStack.java
@@ -75,45 +75,76 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS private boolean devMode; private boolean logMissingProperties; + /** + * @since 6.4.0 + */ protected OgnlValueStack(ValueStack vs, XWorkConverter xworkConverter, CompoundRootAccessor accessor, TextProvider prov, - boolean allowStaticFieldAccess) { + SecurityMemberAccess securityMemberAccess) { setRoot(xworkConverter, accessor, vs != null ? new CompoundRoot(vs.getRoot()) : new CompoundRoot(), - allowStaticFieldAccess); + securityMemberAccess); if (prov != null) { push(prov); } } + /** + * @since 6.4.0 + */ + protected OgnlValueStack(XWorkConverter xworkConverter, CompoundRootAccessor accessor, TextProvider prov, SecurityMemberAccess securityMemberAccess) { + this(null, xworkConverter, accessor, prov, securityMemberAccess); + } + + /** + * @since 6.4.0 + */ + protected OgnlValueStack(ValueStack vs, XWorkConverter xworkConverter, CompoundRootAccessor accessor, SecurityMemberAccess securityMemberAccess) { + this(vs, xworkConverter, accessor, null, securityMemberAccess); + } + + /** + * @deprecated since 6.4.0, use {@link #OgnlValueStack(ValueStack, XWorkConverter, CompoundRootAccessor, TextProvider, SecurityMemberAccess)} instead. + */ + @Deprecated + protected OgnlValueStack(ValueStack vs, + XWorkConverter xworkConverter, + CompoundRootAccessor accessor, + TextProvider prov, + boolean allowStaticFieldAccess) { + this(vs, xworkConverter, accessor, prov, new SecurityMemberAccess(allowStaticFieldAccess)); + } + + /** + * @deprecated since 6.4.0, use {@link #OgnlValueStack(XWorkConverter, CompoundRootAccessor, TextProvider, SecurityMemberAccess)} instead. 
+ */ + @Deprecated protected OgnlValueStack(XWorkConverter xworkConverter, CompoundRootAccessor accessor, TextProvider prov, boolean allowStaticFieldAccess) { - this(null, xworkConverter, accessor, prov, allowStaticFieldAccess); + this(xworkConverter, accessor, prov, new SecurityMemberAccess(allowStaticFieldAccess)); } + /** + * @deprecated since 6.4.0, use {@link #OgnlValueStack(ValueStack, XWorkConverter, CompoundRootAccessor, SecurityMemberAccess)} instead. + */ + @Deprecated protected OgnlValueStack(ValueStack vs, XWorkConverter xworkConverter, CompoundRootAccessor accessor, boolean allowStaticFieldAccess) { - this(vs, xworkConverter, accessor, null, allowStaticFieldAccess); + this(vs, xworkConverter, accessor, new SecurityMemberAccess(allowStaticFieldAccess)); } @Inject protected void setOgnlUtil(OgnlUtil ognlUtil) { this.ognlUtil = ognlUtil; - securityMemberAccess.useExcludedClasses(ognlUtil.getExcludedClasses()); - securityMemberAccess.useExcludedPackageNamePatterns(ognlUtil.getExcludedPackageNamePatterns()); - securityMemberAccess.useExcludedPackageNames(ognlUtil.getExcludedPackageNames()); - securityMemberAccess.useExcludedPackageExemptClasses(ognlUtil.getExcludedPackageExemptClasses()); - securityMemberAccess.useEnforceAllowlistEnabled(ognlUtil.isEnforceAllowlistEnabled()); - securityMemberAccess.useAllowlistClasses(ognlUtil.getAllowlistClasses()); - securityMemberAccess.useAllowlistPackageNames(ognlUtil.getAllowlistPackageNames()); - securityMemberAccess.disallowProxyMemberAccess(ognlUtil.isDisallowProxyMemberAccess()); - securityMemberAccess.disallowDefaultPackageAccess(ognlUtil.isDisallowDefaultPackageAccess()); } - protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot, boolean allowStaticFieldAccess) { + /** + * @since 6.4.0 + */ + protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot, SecurityMemberAccess securityMemberAccess) { this.root 
= compoundRoot; - this.securityMemberAccess = new SecurityMemberAccess(allowStaticFieldAccess); + this.securityMemberAccess = securityMemberAccess; this.context = Ognl.createDefaultContext(this.root, securityMemberAccess, accessor, new OgnlTypeConverterWrapper(xworkConverter)); this.converter = xworkConverter; context.put(VALUE_STACK, this); @@ -121,6 +152,19 @@ public class OgnlValueStack implements Serializable, ValueStack, ClearableValueS ((OgnlContext) context).setKeepLastEvaluation(false); } + /** + * @deprecated since 6.4.0, use {@link #setRoot(XWorkConverter, CompoundRootAccessor, CompoundRoot, SecurityMemberAccess)} instead. + */ + @Deprecated + protected void setRoot(XWorkConverter xworkConverter, CompoundRootAccessor accessor, CompoundRoot compoundRoot, boolean allowStaticFieldAccess) { + setRoot(xworkConverter, accessor, compoundRoot, new SecurityMemberAccess(allowStaticFieldAccess)); + } + + @Inject + protected void setSecurityMemberAccess(SecurityMemberAccess securityMemberAccess) { + this.securityMemberAccess = securityMemberAccess; + } + @Inject(StrutsConstants.STRUTS_DEVMODE) protected void setDevMode(String mode) { this.devMode = BooleanUtils.toBoolean(mode); diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java index 69dd54026..111a44d79 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/OgnlValueStackFactory.java @@ -31,11 +31,8 @@ import ognl.MethodAccessor; import ognl.OgnlRuntime; import ognl.PropertyAccessor; import org.apache.commons.lang3.BooleanUtils; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; import org.apache.struts2.StrutsConstants; -import java.util.Map; import java.util.Set; /** 
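Review bot: The deprecated constructors now hand the stack a bare `new SecurityMemberAccess(allowStaticFieldAccess)`, while the same hunk strips from `setOgnlUtil` every call that used to copy the excluded classes, excluded packages, allowlist and proxy/default-package settings onto the stack's member access. Unless that constructor picks those settings up by some means not visible in this diff, a subclass still on a deprecated constructor ends up with an OGNL context whose member access has none of those restrictions applied, which is a weaker sandbox than before the change. I would either keep configuring the instance on the deprecated path or say so in each `@deprecated` block, e.g. `The SecurityMemberAccess created here is not obtained from the container; exclusion and allowlist settings are not applied to it.` A regression test that evaluates an excluded class through a stack built with a deprecated constructor would settle which case applies.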
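Review bot: `setSecurityMemberAccess` replaces only the field, but the `OgnlContext` is created in `setRoot` (first hunk) with the instance passed to the constructor, so once `container.inject(stack)` runs the field and the context's member access can be two different objects. Whether they actually differ depends on the scope of the SecurityMemberAccess bean, which this diff does not show; if they do, code that reads or adjusts `this.securityMemberAccess` no longer affects what OGNL enforces. If the setter exists only to satisfy injection I would drop it, or at least document it: `// Only the field is updated; the OgnlContext built in setRoot keeps the member access it was created with.`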
@@ -59,21 +56,17 @@ public class OgnlValueStackFactory implements ValueStackFactory {
 }
 public ValueStack createValueStack() {
- ValueStack stack = new OgnlValueStack(xworkConverter, compoundRootAccessor, textProvider, containerAllowsStaticFieldAccess());
+ ValueStack stack = new OgnlValueStack(
+ xworkConverter, compoundRootAccessor, textProvider, container.getInstance(SecurityMemberAccess.class));
 container.inject(stack);
- return stack.getActionContext()
- .withContainer(container)
- .withValueStack(stack)
- .getValueStack();
+ return stack.getActionContext().withContainer(container).withValueStack(stack).getValueStack();
 }
 public ValueStack createValueStack(ValueStack stack) {
- ValueStack result = new OgnlValueStack(stack, xworkConverter, compoundRootAccessor, containerAllowsStaticFieldAccess());
+ ValueStack result = new OgnlValueStack(
+ stack, xworkConverter, compoundRootAccessor, container.getInstance(SecurityMemberAccess.class));
 container.inject(result);
- return result.getActionContext()
- .withContainer(container)
- .withValueStack(result)
- .getValueStack();
+ return result.getActionContext().withContainer(container).withValueStack(result).getValueStack();
 }
 @Inject
@@ -105,10 +98,10 @@ public class OgnlValueStackFactory implements ValueStackFactory {
 }
 /**
- * Retrieve allowStaticFieldAccess state from the container (allows for lazy fetching)
+ * @deprecated since 6.4.0, no replacement.
 */
+ @Deprecated
 protected boolean containerAllowsStaticFieldAccess() {
 return BooleanUtils.toBoolean(container.getInstance(String.class, StrutsConstants.STRUTS_ALLOW_STATIC_FIELD_ACCESS));
 }
-
 }
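Review bot: Both `createValueStack` overloads pass the result of `container.getInstance(SecurityMemberAccess.class)` to the constructor unchecked. If a container configuration does not provide that bean (its registration is not part of this diff) and `getInstance` returns null in that case, the stack is built around a null member-access object and the failure shows up later, away from its cause; for the object that enforces OGNL access restrictions, failing at creation is the safer behaviour. I would wrap the lookup, e.g. `Objects.requireNonNull(container.getInstance(SecurityMemberAccess.class), "SecurityMemberAccess bean is not configured")`, ideally in one private helper shared by both overloads; that needs `java.util.Objects` imported.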
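Review bot: The new Javadoc on `containerAllowsStaticFieldAccess()` says only `no replacement`, but after this commit neither `createValueStack` overload calls the method, so a subclass that overrides it to control static field access is now silently ignored. The Javadoc should say so, e.g. `No longer called by createValueStack since 6.4.0; overriding this method has no effect on the stacks the factory creates.` The summary sentence the commit removes (what the method reads from the container) is still accurate and worth keeping above the `@deprecated` tag.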