(struts-examples) branch dependabot/maven/io.quarkus-quarkus-universe-bom-3.18.2 deleted (was 9809394)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/maven/io.quarkus-quarkus-universe-bom-3.18.2 in repository https://gitbox.apache.org/repos/asf/struts-examples.git was 9809394 Bump io.quarkus:quarkus-universe-bom from 3.17.5 to 3.18.2 The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts-examples) branch dependabot/maven/io.quarkus-quarkus-universe-bom-3.18.3 created (now 3c4452a)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/maven/io.quarkus-quarkus-universe-bom-3.18.3 in repository https://gitbox.apache.org/repos/asf/struts-examples.git at 3c4452a Bump io.quarkus:quarkus-universe-bom from 3.17.5 to 3.18.3 No new revisions were added by this update.
(struts-examples) branch dependabot/maven/commons-beanutils-commons-beanutils-1.10.0 deleted (was 44302f8)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/maven/commons-beanutils-commons-beanutils-1.10.0 in repository https://gitbox.apache.org/repos/asf/struts-examples.git was 44302f8 Bump commons-beanutils:commons-beanutils from 1.9.4 to 1.10.0 The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts-examples) branch dependabot/maven/org.springframework-spring-web-6.2.3 created (now f89f4b1)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/maven/org.springframework-spring-web-6.2.3 in repository https://gitbox.apache.org/repos/asf/struts-examples.git at f89f4b1 Bump org.springframework:spring-web from 6.2.0 to 6.2.3 No new revisions were added by this update.
(struts-examples) branch dependabot/maven/commons-beanutils-commons-beanutils-1.10.1 created (now 8ab8a7f)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/maven/commons-beanutils-commons-beanutils-1.10.1 in repository https://gitbox.apache.org/repos/asf/struts-examples.git at 8ab8a7f Bump commons-beanutils:commons-beanutils from 1.9.4 to 1.10.1 No new revisions were added by this update.
(struts-examples) branch dependabot/maven/org.springframework-spring-web-6.2.2 deleted (was 71787c3)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/maven/org.springframework-spring-web-6.2.2 in repository https://gitbox.apache.org/repos/asf/struts-examples.git was 71787c3 Bump org.springframework:spring-web from 6.2.0 to 6.2.2 The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch main updated: WW-5501 Reverts changes related to WW-5501 (#1219)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/main by this push: new 568b292bd WW-5501 Reverts changes related to WW-5501 (#1219) 568b292bd is described below commit 568b292bd42a3b2f28f7196f259bab501463364b Author: Lukasz Lenart AuthorDate: Sun Feb 16 11:42:09 2025 +0100 WW-5501 Reverts changes related to WW-5501 (#1219) --- .../multipart/AbstractMultiPartRequest.java| 62 + .../multipart/JakartaMultiPartRequest.java | 26 ++-- .../multipart/JakartaStreamMultiPartRequest.java | 27 ++-- .../org/apache/struts2/struts-messages.properties | 4 -- .../multipart/AbstractMultiPartRequestTest.java| 57 +--- .../AbstractMultiPartRequestWithDMITest.java | 69 --- .../JakartaMultiPartRequestWithDMITest.java| 28 .../JakartaStreamMultiPartRequestWithDMITest.java | 28 .../ActionFileUploadInterceptorTest.java | 78 +++--- .../DefaultExcludedPatternsCheckerTest.java| 2 +- 10 files changed, 24 insertions(+), 357 deletions(-) diff --git a/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java b/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java index 00e774a72..90ecbe816 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java @@ -18,6 +18,8 @@ */ package org.apache.struts2.dispatcher.multipart; +import org.apache.struts2.inject.Inject; +import jakarta.servlet.http.HttpServletRequest; import org.apache.commons.fileupload2.core.FileUploadByteCountLimitException; import org.apache.commons.fileupload2.core.FileUploadContentTypeException; import org.apache.commons.fileupload2.core.FileUploadException; 
@@ -30,11 +32,7 @@ import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.struts2.StrutsConstants; import org.apache.struts2.dispatcher.LocalizedMessage; -import org.apache.struts2.inject.Inject; -import org.apache.struts2.security.DefaultExcludedPatternsChecker; -import org.apache.struts2.security.ExcludedPatternsChecker; -import jakarta.servlet.http.HttpServletRequest; import java.io.IOException; import java.nio.charset.Charset; import java.nio.file.Path; @@ -45,8 +43,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import static org.apache.commons.lang3.StringUtils.normalizeSpace; - /** * Abstract class with some helper methods, it should be used * when starting development of another implementation of {@link MultiPartRequest} @@ -54,14 +50,9 @@ import static org.apache.commons.lang3.StringUtils.normalizeSpace; public abstract class AbstractMultiPartRequest implements MultiPartRequest { protected static final String STRUTS_MESSAGES_UPLOAD_ERROR_PARAMETER_TOO_LONG_KEY = "struts.messages.upload.error.parameter.too.long"; -protected static final String STRUTS_MESSAGES_UPLOAD_ERROR_ILLEGAL_CHARACTERS_FIELD = "struts.messages.upload.error.illegal.characters.field"; -protected static final String STRUTS_MESSAGES_UPLOAD_ERROR_ILLEGAL_CHARACTERS_NAME = "struts.messages.upload.error.illegal.characters.name"; private static final Logger LOG = LogManager.getLogger(AbstractMultiPartRequest.class); -private static final String EXCLUDED_FILE_PATTERN = "^(.*[<>&\"'|;/?*:]+.*|.*\\.\\..*)$"; -private static final String EXCLUDED_FILE_PATTERN_WITH_DMI_SUPPORT = "^(?!action:[^<>&\"'|;/?*:]+(![^<>&\"'|;/?*:]+)?$)(.*[<>&\"'|;/?*:]+.*|.*\\.\\..*)$\n"; - /** * Defines the internal buffer size used during streaming operations. */ 
@@ -117,19 +108,6 @@ public abstract class AbstractMultiPartRequest implements MultiPartRequest { */ protected Map> parameters = new HashMap<>(); - -private final ExcludedPatternsChecker patternsChecker; - -protected AbstractMultiPartRequest() { -this(false); -} - -protected AbstractMultiPartRequest(boolean dmiValue) { -var patternsChecker = new DefaultExcludedPatternsChecker(); -patternsChecker.setAdditionalExcludePatterns(dmiValue ? EXCLUDED_FILE_PATTERN_WITH_DMI_SUPPORT : EXCLUDED_FILE_PATTERN); -this.patternsChecker = patternsChecker; -} - /** * @param bufferSize Sets the buffer size to be used. */ @@ -431,40 +409,4 @@ public abstract class AbstractMultiPartRequest implements MultiPartRequest { } } -/** - * @param fileName file name to check - * @return true if the file name is excluded - */ -protected boolean isExcluded(String fileName) { -return patternsChecker.isExcluded(
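Review bot: with `isExcluded(String fileName)`, the `patternsChecker` field, both `EXCLUDED_FILE_PATTERN` constants and the two `struts.messages.upload.error.illegal.characters.*` keys removed from AbstractMultiPartRequest, nothing in the visible hunks replaces the check that rejected file and field names containing `..`, `/`, `<`, `>`, `&`, quotes, `|`, `;`, `?`, `*` or `:`; the commit message only says "Reverts changes related to WW-5501", so it should state whether that validation is now performed elsewhere or is intentionally dropped, and the JakartaMultiPartRequest and JakartaStreamMultiPartRequest edits listed in the summary should be checked for any remaining callers of `isExcluded`. Worth recording in the ticket that the removed `EXCLUDED_FILE_PATTERN_WITH_DMI_SUPPORT` literal ends in `$\n`, a trailing newline that a submitted file name would not normally carry, so the DMI variant is unlikely ever to have matched; that is a reason to prefer the revert over patching the pattern. Minor: the re-added `Inject` and `HttpServletRequest` imports are placed above the `org.apache.commons.fileupload2` block instead of back in alphabetical order with the other `org.apache.struts2` and `jakarta` imports.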
(struts) branch fix/WW-5501-revert-s7 deleted (was 2db4479e7)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5501-revert-s7 in repository https://gitbox.apache.org/repos/asf/struts.git was 2db4479e7 WW-5501 Reverts changes related to WW-5501 The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch fix/WW-5501-revert updated (d367be4aa -> 010b454ec)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5501-revert in repository https://gitbox.apache.org/repos/asf/struts.git from d367be4aa Fixes CodeQL scan by using proper versions of actions add 010b454ec WW-5501 Uses FilenameUtils instead of a custom code No new revisions were added by this update. Summary of changes: .../dispatcher/multipart/AbstractMultiPartRequest.java | 12 ++-- 1 file changed, 2 insertions(+), 10 deletions(-)
(struts) 01/01: Merge pull request #1214 from apache/WW-5525-proxyutil-npe
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/struts.git commit 31c3fc50ed55d24a5dd2898f7cfa7c0810d3ab15 Merge: adcd1df0c 3c856c92a Author: Kusal Kithul-Godage AuthorDate: Mon Feb 17 17:10:48 2025 +1100 Merge pull request #1214 from apache/WW-5525-proxyutil-npe WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members .../apache/struts2/ognl/SecurityMemberAccess.java | 17 .../java/org/apache/struts2/util/ProxyUtil.java| 9 +++-- .../apache/struts2/ognl/OgnlValueStackTest.java| 47 +- .../apache/struts2/spring/SpringProxyUtilTest.java | 4 +- 4 files changed, 55 insertions(+), 22 deletions(-)
(struts) branch main updated (adcd1df0c -> 31c3fc50e)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/struts.git from adcd1df0c Bump github/codeql-action from 3.28.8 to 3.28.9 (#1217) add 3c856c92a WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members new 31c3fc50e Merge pull request #1214 from apache/WW-5525-proxyutil-npe The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../apache/struts2/ognl/SecurityMemberAccess.java | 17 .../java/org/apache/struts2/util/ProxyUtil.java| 9 +++-- .../apache/struts2/ognl/OgnlValueStackTest.java| 47 +- .../apache/struts2/spring/SpringProxyUtilTest.java | 4 +- 4 files changed, 55 insertions(+), 22 deletions(-)
(struts) branch WW-5525-proxyutil-npe deleted (was 3c856c92a)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5525-proxyutil-npe in repository https://gitbox.apache.org/repos/asf/struts.git was 3c856c92a WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch main updated: Bump github/codeql-action from 3.28.8 to 3.28.9 (#1217)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/main by this push: new adcd1df0c Bump github/codeql-action from 3.28.8 to 3.28.9 (#1217) adcd1df0c is described below commit adcd1df0ca626ed329ffcbefb50afdefb63082c6 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> AuthorDate: Sun Feb 16 12:06:16 2025 +0100 Bump github/codeql-action from 3.28.8 to 3.28.9 (#1217) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.8 to 3.28.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v3.28.8...v3.28.9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards-analysis.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index db643998c..91c989a01 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -52,12 +52,12 @@ jobs: java-version: 17 cache: 'maven' - name: Initialize CodeQL - uses: github/codeql-action/init@v3.28.8 + uses: github/codeql-action/init@v3.28.9 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v3.28.8 + uses: github/codeql-action/autobuild@v3.28.9 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3.28.8 + uses: github/codeql-action/analyze@v3.28.9 with: category: "/language:${{matrix.language}}" 
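Review bot: the three `github/codeql-action/*@v3.28.9` references in the codeql.yml hunk still pin by mutable tag, while the scorecards workflow touched by the same commit pins `upload-sarif` by commit SHA; for a security-scanning workflow a tag can be retargeted upstream, so pinning init, autobuild and analyze to the release commit SHA with the version in a trailing comment (the convention scorecards-analysis.yaml already uses) keeps dependabot bumps working and removes the tag-retargeting risk.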
diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml index 82400812f..1e94b8152 100644 --- a/.github/workflows/scorecards-analysis.yaml +++ b/.github/workflows/scorecards-analysis.yaml @@ -65,6 +65,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" -uses: github/codeql-action/upload-sarif@0701025a8b1600e416be4f3bb5a830b1aa6af01e# 2.22.11 +uses: github/codeql-action/upload-sarif@0a35e8f6866a39b001e5f7ad1d0daf9836786896# 2.22.11 with: sarif_file: results.sarif
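Review bot: the `upload-sarif` pin changes from `0701025a…` to `0a35e8f6…` but the trailing `# 2.22.11` comment is left untouched, so the SHA and its human-readable version no longer agree and a reader cannot tell which codeql-action release the new commit belongs to; the commit message says the bump is 3.28.8 to 3.28.9, so the comment should be updated to match, and it is worth checking why dependabot did not rewrite it (the comment has no `v` prefix, unlike the tags used in codeql.yml).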
(struts) branch release/struts-6-7-x updated: WW-5501 Reverts all changes related to WW-5501 (#1218)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch release/struts-6-7-x in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/release/struts-6-7-x by this push: new 9b044377a WW-5501 Reverts all changes related to WW-5501 (#1218) 9b044377a is described below commit 9b044377ac699078a162ae914ec4891d0d6bd729 Author: Lukasz Lenart AuthorDate: Sun Feb 16 12:05:49 2025 +0100 WW-5501 Reverts all changes related to WW-5501 (#1218) * Reverts all changes related to WW-5501 * Fixes CodeQL scan by using proper versions of actions * WW-5501 Uses FilenameUtils instead of a custom code --- .github/workflows/codeql.yml | 33 ++- .../multipart/AbstractMultiPartRequest.java| 66 ++ .../multipart/JakartaMultiPartRequest.java | 25 ++-- .../multipart/JakartaStreamMultiPartRequest.java | 23 ++-- .../org/apache/struts2/struts-messages.properties | 2 - .../ActionFileUploadInterceptorTest.java | 64 - .../interceptor/FileUploadInterceptorTest.java | 64 - .../dispatcher/multipart/PellMultiPartRequest.java | 8 --- 8 files changed, 34 insertions(+), 251 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0410b5fd6..c5a78f535 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -17,7 +17,8 @@ name: "CodeQL" on: push: -branches: [ "master" ] +branches: + - 'release/*' pull_request: permissions: 
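Review bot: the `push` trigger in this hunk moves from `branches: [ "master" ]` to `release/*`, which explains why CodeQL was not running on pushes to release/struts-6-7-x (the other notifications on this list show the default branch is `main`, so nothing matched `master`); `pull_request` keeps no branch filter, which is fine, but the `permissions:` block that follows is cut off in the email and should be checked to grant `security-events: write`, otherwise the analysis upload still fails on this branch.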
@@ -41,15 +42,21 @@ jobs: matrix: language: [ 'java' ] steps: -- name: Checkout repository - uses: actions/checkout@v4 -- name: Initialize CodeQL - uses: github/codeql-action/init@v3.27.1 - with: -languages: ${{ matrix.language }} -- name: Autobuild - uses: github/codeql-action/autobuild@v3.27.1 -- name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3.27.1 - with: -category: "/language:${{matrix.language}}" + - name: Checkout repository +uses: actions/checkout@v4 + - name: Setup Java JDK +uses: actions/setup-java@v4 +with: + distribution: temurin + java-version: 17 + cache: 'maven' + - name: Initialize CodeQL +uses: github/codeql-action/init@v3.28.8 +with: + languages: ${{ matrix.language }} + - name: Autobuild +uses: github/codeql-action/autobuild@v3.28.8 + - name: Perform CodeQL Analysis +uses: github/codeql-action/analyze@v3.28.8 +with: + category: "/language:${{matrix.language}}" diff --git a/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java b/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java index 88d6e991b..dbfe1c853 100644 --- a/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java +++ b/core/src/main/java/org/apache/struts2/dispatcher/multipart/AbstractMultiPartRequest.java @@ -20,8 +20,6 @@ package org.apache.struts2.dispatcher.multipart; import com.opensymphony.xwork2.LocaleProviderFactory; import com.opensymphony.xwork2.inject.Inject; -import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker; -import com.opensymphony.xwork2.security.ExcludedPatternsChecker; import org.apache.commons.io.FilenameUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; 
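Review bot: in the `steps:` hunk every existing step is re-indented by two spaces as well as bumped from `@v3.27.1` to `@v3.28.8`, so the diff shows the whole list removed and re-added and hides the two real changes (the version bump and the new `Setup Java JDK` step); keeping the original indentation, or moving the re-indent into its own commit, would make the version change reviewable. The added `actions/setup-java@v4` and the codeql-action steps are pinned by tag rather than commit SHA, which is the weaker supply-chain pin for a scanning workflow. The AbstractMultiPartRequest import hunk that follows drops `DefaultExcludedPatternsChecker` and `ExcludedPatternsChecker` while keeping `org.apache.commons.io.FilenameUtils`, consistent with the "Uses FilenameUtils instead of a custom code" line in the commit message.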
@@ -33,29 +31,21 @@ import java.util.ArrayList; import java.util.List; import java.util.Locale; -import static org.apache.commons.lang3.StringUtils.normalizeSpace; - /** * Abstract class with some helper methods, it should be used * when starting development of another implementation of {@link MultiPartRequest} */ public abstract class AbstractMultiPartRequest implements MultiPartRequest { -protected static final String STRUTS_MESSAGES_UPLOAD_ERROR_ILLEGAL_CHARACTERS_FIELD = "struts.messages.upload.error.illegal.characters.field"; -protected static final String STRUTS_MESSAGES_UPLOAD_ERROR_ILLEGAL_CHARACTERS_NAME = "struts.messages.upload.error.illegal.characters.name"; - private static final Logger LOG = LogManager.getLogger(AbstractMultiPartRequest.class); -private static final String EXCLUDED_FILE_PATTERN = "^(.*[<>&\"'|;/?*:]+.*|.*\\.\\..*)$"; -private static final String EXCLUDED_FILE_PATTERN_WITH_DMI_SUPPORT = "^(?!action:[^<>&\"'|;/?*:]+(![^<>&\"'|;/?*:]+)?$)(.*[<>&\"'|;/?*:]+.*|.*\\.\\..*)$\n"; - /** * Defines the internal buffer size used during streaming operations. */ public static final int BUFFER_SIZE = 10240; /** - * Internal list of raised errors to be passed to the Struts2 framework. + * Internal lis
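Review bot: this hunk removes both `EXCLUDED_FILE_PATTERN` constants, the two `illegal.characters` message keys and the `normalizeSpace` static import from the 6.7.x AbstractMultiPartRequest, and the visible diff ends mid-comment (`Internal lis`), so the replacement promised by "Uses FilenameUtils instead of a custom code" cannot be checked from the email; the commit message should name which `FilenameUtils` call now handles the submitted file name (for example `getName`, which strips directory components) and say whether names containing `..` or path separators are still rejected with an error or are silently reduced to their last path segment, since the tests in ActionFileUploadInterceptorTest and FileUploadInterceptorTest lose 64 lines each in this change.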
(struts) branch fix/WW-5501-revert deleted (was 010b454ec)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5501-revert in repository https://gitbox.apache.org/repos/asf/struts.git was 010b454ec WW-5501 Uses FilenameUtils instead of a custom code The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch dependabot/github_actions/github/codeql-action-3.28.9 deleted (was 693855455)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch dependabot/github_actions/github/codeql-action-3.28.9 in repository https://gitbox.apache.org/repos/asf/struts.git was 693855455 Bump github/codeql-action from 3.28.8 to 3.28.9 The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch WW-5525-proxyutil-npe-67 updated (fc9f0f901 -> d35ec15c7)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5525-proxyutil-npe-67 in repository https://gitbox.apache.org/repos/asf/struts.git discard fc9f0f901 WW-5525 Fixes NPE when checking if expressions is acceptable discard 14254e602 WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members add 583b174fe WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members add d35ec15c7 WW-5525 Fixes NPE when checking if expressions is acceptable This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (fc9f0f901) \ N -- N -- N refs/heads/WW-5525-proxyutil-npe-67 (d35ec15c7) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
(struts) branch fix/WW-5525-sma-npe updated (a8bce0f94 -> ac1fbc14f)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5525-sma-npe in repository https://gitbox.apache.org/repos/asf/struts.git discard a8bce0f94 WW-5525 Fixes NPE when checking if expressions is acceptable add 358f80856 WW-5512 Extends the container to support injecting optional parameters into constructor add 05deb7b5e Merge pull request #1191 from apache/feature/WW-5512-optional-inject-s7 add 10d3545ac Bump github/codeql-action from 3.28.1 to 3.28.5 add ebc4e3516 Merge pull request #1196 from apache/dependabot/github_actions/github/codeql-action-3.28.5 add c5cf2f8f9 Bump byte-buddy.version from 1.15.11 to 1.16.1 add 01af64615 Merge pull request #1198 from apache/dependabot/maven/byte-buddy.version-1.16.1 add d5b94369d Bump org.apache.commons:commons-text from 1.12.0 to 1.13.0 add 25d0338e6 Merge pull request #1199 from apache/dependabot/maven/org.apache.commons-commons-text-1.13.0 add f6bf43ae0 [maven-release-plugin] prepare release STRUTS_7_0_1 add 080263e93 [maven-release-plugin] prepare for next development iteration add b34665046 Improves code quality Uses existing function to split input using comma add f4d6564bb Merge pull request #1204 from apache/fix/improves-code-quality add 9d5d80298 Bump github/codeql-action from 3.28.5 to 3.28.8 add 442b4ea2e Merge pull request #1205 from apache/dependabot/github_actions/github/codeql-action-3.28.8 add 0b4855ac4 Bump org.htmlunit:htmlunit from 4.2.0 to 4.9.0 add 58b0d536e Merge pull request #1207 from apache/dependabot/maven/org.htmlunit-htmlunit-4.9.0 add 21c7ecc10 WW-5501 Ignores DMI related action field add abbb2aad2 Fix inject add 2d8433d30 WW-5516 Fix AttributeMap NPE when PageContext has no request add 9474ba41f Merge pull request #1209 from apache/WW-5516-attrmap-npe add 932627976 [maven-release-plugin] prepare release STRUTS_7_0_2 add a1de1cfde [maven-release-plugin] prepare for next development iteration add ff249c64c WW-5528 Ensure multipart upload 
illegal characters reported as error add 02e17f591 Merge pull request #1213 from apache/WW-5528-multipart-illegal-char-errors add 568b292bd WW-5501 Reverts changes related to WW-5501 (#1219) add adcd1df0c Bump github/codeql-action from 3.28.8 to 3.28.9 (#1217) add 3c856c92a WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members add 31c3fc50e Merge pull request #1214 from apache/WW-5525-proxyutil-npe add ac1fbc14f WW-5525 Fixes NPE when checking if expressions is acceptable This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (a8bce0f94) \ N -- N -- N refs/heads/fix/WW-5525-sma-npe (ac1fbc14f) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. 
Summary of changes: .github/workflows/codeql.yml | 6 +- .github/workflows/scorecards-analysis.yaml | 2 +- apps/pom.xml | 2 +- apps/rest-showcase/pom.xml | 4 +- apps/showcase/pom.xml | 2 +- assembly/pom.xml | 2 +- bom/pom.xml| 6 +- core/pom.xml | 2 +- .../apache/struts2/dispatcher/AttributeMap.java| 4 +- .../multipart/AbstractMultiPartRequest.java| 32 +--- .../multipart/JakartaMultiPartRequest.java | 17 +- .../multipart/JakartaStreamMultiPartRequest.java | 14 +- .../org/apache/struts2/inject/ContainerImpl.java | 60 +- .../apache/struts2/ognl/SecurityMemberAccess.java | 35 ++-- .../java/org/apache/struts2/util/ProxyUtil.java| 9 +- .../struts2/dispatcher/AttributeMapTest.java | 47 +++-- .../multipart/AbstractMultiPartRequestTest.java| 57 +- .../apache/struts2/inject/ContainerImplTest.java | 142 --- .../ActionFileUploadInterceptorTest.java | 62 +-- .../apache/struts2/ognl/OgnlValueStackTest.java| 47 - .../DefaultExcludedPatternsCheckerTest.java| 2 +- jakarta/pom.xml| 2 +- jakarta/velocity-tools-jsp-jakarta/pom.xml | 2 +- jakarta/velocity-tools-view-jakarta/pom.xml| 2 +- plugins/async/pom.xml | 2
(struts) branch fix/WW-5525-sma-npe updated (60a982386 -> 9fee06cea)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5525-sma-npe in repository https://gitbox.apache.org/repos/asf/struts.git discard 60a982386 WW-5525 Fixes NPE when checking if expressions is acceptable add 9fee06cea WW-5525 Fixes NPE when checking if expressions is acceptable This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (60a982386) \ N -- N -- N refs/heads/fix/WW-5525-sma-npe (9fee06cea) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../ognl/SecurityMemberAccessProxyTest.java| 36 +- 1 file changed, 22 insertions(+), 14 deletions(-)
(struts) branch fix/WW-5525-sma-npe updated (ac1fbc14f -> 60a982386)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5525-sma-npe in repository https://gitbox.apache.org/repos/asf/struts.git omit ac1fbc14f WW-5525 Fixes NPE when checking if expressions is acceptable add 60a982386 WW-5525 Fixes NPE when checking if expressions is acceptable This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (ac1fbc14f) \ N -- N -- N refs/heads/fix/WW-5525-sma-npe (60a982386) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../apache/struts2/ognl/SecurityMemberAccessProxyTest.java | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-)
(struts) branch fix/WW-5525-sma-npe updated (9fee06cea -> 491c8f70c)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5525-sma-npe in repository https://gitbox.apache.org/repos/asf/struts.git from 9fee06cea WW-5525 Fixes NPE when checking if expressions is acceptable add 491c8f70c WW-5525 Fixes bugs introduced by previous commit No new revisions were added by this update. Summary of changes: .../java/org/apache/struts2/ognl/SecurityMemberAccess.java | 10 +- .../java/org/apache/struts2/ognl/SecurityMemberAccessTest.java | 1 - 2 files changed, 5 insertions(+), 6 deletions(-)
(struts) branch fix/WW-5525-sma-npe updated (491c8f70c -> d9d6becbc)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5525-sma-npe in repository https://gitbox.apache.org/repos/asf/struts.git discard 491c8f70c WW-5525 Fixes bugs introduced by previous commit add d9d6becbc WW-5525 Fixes bugs introduced by previous commit This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (491c8f70c) \ N -- N -- N refs/heads/fix/WW-5525-sma-npe (d9d6becbc) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omit" are not gone; other references still refer to them. Any revisions marked "discard" are gone forever. No new revisions were added by this update. Summary of changes: .../apache/struts2/ognl/SecurityMemberAccessProxyTest.java | 12 1 file changed, 8 insertions(+), 4 deletions(-)
(struts) 02/02: WW-5525 Fixes NPE when checking if expressions is acceptable
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5525-proxyutil-npe-67 in repository https://gitbox.apache.org/repos/asf/struts.git commit fc9f0f9014ae647455ce1d2d67a7d5cb68b77988 Author: Lukasz Lenart AuthorDate: Sat Feb 1 07:40:18 2025 +0100 WW-5525 Fixes NPE when checking if expressions is acceptable (cherry picked from commit 9fee06cea030447c4bae650bde40282a93e85cd2) --- .../xwork2/ognl/SecurityMemberAccessProxyTest.java | 88 ++ 1 file changed, 88 insertions(+) diff --git a/plugins/spring/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java b/plugins/spring/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java index 885665a12..7a9d017fe 100644 --- a/plugins/spring/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java +++ b/plugins/spring/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessProxyTest.java @@ -31,6 +31,7 @@ import java.util.HashMap; import java.util.Map; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertThrows; import static org.junit.Assert.assertTrue; public class SecurityMemberAccessProxyTest extends XWorkJUnit4TestCase { 
@@ -87,4 +88,91 @@ public class SecurityMemberAccessProxyTest extends XWorkJUnit4TestCase { assertTrue(sma.isAccessible(context, proxy.getAction(), proxyObjectProxyMember, "")); assertTrue(sma.isAccessible(context, proxy.getAction(), proxyObjectNonProxyMember, "")); } + +@Test +public void nullTargetAndTargetAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, "")); +} + +@Test +public void nullTargetAndTargetAllowedAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, "")); +} + +@Test +public void nullTargetAndTargetAndMemberAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString()); +assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, "")); +} + +@Test +public void nullMemberAndTargetAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +Object action = proxy.getAction(); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, action, null, "")); +} + +@Test +public void nullMemberAndTargetAllowedAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +Object action = proxy.getAction(); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, action, null, "")); +} + +@Test +public void nullMemberAndTargetNotAllowedAndMemberAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString()); +Object action = proxy.getAction(); 
+assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, action, null, "")); +} + +@Test +public void nullTargetAndMemberAndTargetAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, null, null, "")); +} + +@Test +public void nullTargetAndMemberAndTargetNotAllowedAndMemberAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString()); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, null, null, "")); +} + +@Test +public void nullTargetAndMemberAndTargetAllowedAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, null, null, "")); +} + +@Test +public void nullTargetAndMemberAndTargetAndMemberAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString
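Review bot: the new `import static org.junit.Assert.assertThrows;` in the `@@ -31,6 +31,7 @@` hunk needs JUnit 4.13 or later, which is the release that introduced `assertThrows`; if the spring plugin's test scope still resolves an older JUnit 4 the class will not compile, so the test dependency version is worth confirming before this cherry-pick is merged.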
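Review bot: in the `@@ -87,4 +88,91 @@` hunk the leading string of `assertThrows("Member cannot be null!", IllegalArgumentException.class, () -> sma.isAccessible(context, action, null, ""));` is the message JUnit prints when nothing is thrown, not an expected exception message, so the text is never compared against the exception that is actually raised. If the point of the six `nullMember...`/`nullTargetAndMember...` tests is to pin that message, capture the return value instead: `IllegalArgumentException e = assertThrows(IllegalArgumentException.class, () -> sma.isAccessible(context, action, null, ""));` followed by `assertEquals("Member cannot be null!", e.getMessage());`. Separately, the three `nullTarget...` tests expect `assertTrue` whatever `useDisallowProxyObjectAccess` and `useDisallowProxyMemberAccess` are set to, so they do not show that either flag affects the null-target path; a one-line comment explaining why a proxy member is accepted for a null target even when proxy member access is disallowed would make that expectation reviewable rather than something a reader has to take on trust.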
(struts) branch main updated: WW-5525 Fixes NPE when checking if expressions is acceptable (#1201)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/struts.git The following commit(s) were added to refs/heads/main by this push: new 1db8a72bb WW-5525 Fixes NPE when checking if expressions is acceptable (#1201) 1db8a72bb is described below commit 1db8a72bb5184b4e6fa9dac56dd0fb2e107cb73b Author: Lukasz Lenart AuthorDate: Mon Feb 17 08:53:42 2025 +0100 WW-5525 Fixes NPE when checking if expressions is acceptable (#1201) * WW-5525 Fixes NPE when checking if expressions is acceptable * WW-5525 Fixes bugs introduced by previous commit --- .../ognl/SecurityMemberAccessProxyTest.java| 88 ++ 1 file changed, 88 insertions(+) diff --git a/plugins/spring/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessProxyTest.java b/plugins/spring/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessProxyTest.java index 91ffae19e..43f82bfe5 100644 --- a/plugins/spring/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessProxyTest.java +++ b/plugins/spring/src/test/java/org/apache/struts2/ognl/SecurityMemberAccessProxyTest.java @@ -31,6 +31,7 @@ import java.util.HashMap; import java.util.Map; import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertThrows; import static org.junit.Assert.assertTrue; public class SecurityMemberAccessProxyTest extends XWorkJUnit4TestCase { 
@@ -87,4 +88,91 @@ public class SecurityMemberAccessProxyTest extends XWorkJUnit4TestCase { assertTrue(sma.isAccessible(context, proxy.getAction(), proxyObjectProxyMember, "")); assertTrue(sma.isAccessible(context, proxy.getAction(), proxyObjectNonProxyMember, "")); } + +@Test +public void nullTargetAndTargetAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, "")); +} + +@Test +public void nullTargetAndTargetAllowedAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, "")); +} + +@Test +public void nullTargetAndTargetAndMemberAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString()); +assertTrue(sma.isAccessible(context, null, proxyObjectProxyMember, "")); +} + +@Test +public void nullMemberAndTargetAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +Object action = proxy.getAction(); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, action, null, "")); +} + +@Test +public void nullMemberAndTargetAllowedAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +Object action = proxy.getAction(); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, action, null, "")); +} + +@Test +public void nullMemberAndTargetNotAllowedAndMemberAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString()); +Object action = proxy.getAction(); 
+assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, action, null, "")); +} + +@Test +public void nullTargetAndMemberAndTargetAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, null, null, "")); +} + +@Test +public void nullTargetAndMemberAndTargetNotAllowedAndMemberAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.TRUE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.FALSE.toString()); +assertThrows("Member cannot be null!", IllegalArgumentException.class, +() -> sma.isAccessible(context, null, null, "")); +} + +@Test +public void nullTargetAndMemberAndTargetAllowedAndMemberNotAllowed() { +sma.useDisallowProxyObjectAccess(Boolean.FALSE.toString()); +sma.useDisallowProxyMemberAccess(Boolean.TRUE.toString()); +assertThrows("Member cannot be null!", IllegalArgumentException.class,
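Review bot: the tests added in the `@@ -87,4 +88,91 @@` hunk assert that `isAccessible` throws `IllegalArgumentException` for a null member, but the diffstat shows only `SecurityMemberAccessProxyTest.java` changed (88 insertions, 1 file), so the production guard these tests depend on is not part of this push and must already exist in `SecurityMemberAccess.isAccessible` on main; that dependency deserves a sentence in the commit body, since a reader of this diff alone cannot see what makes the assertion hold. Two smaller points: every test repeats the same pair of `useDisallowProxyObjectAccess`/`useDisallowProxyMemberAccess` calls and, where needed, `Object action = proxy.getAction();`, so the nine flag combinations would read better as a parameterized test or a small helper taking the two booleans; and in `assertThrows(String, Class, ThrowingRunnable)` the string is the failure message, not an expected exception message, so `"Member cannot be null!"` is not actually verified against `getMessage()` here.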
(struts) 01/02: WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members
This is an automated email from the ASF dual-hosted git repository. kusal pushed a commit to branch WW-5525-proxyutil-npe-67 in repository https://gitbox.apache.org/repos/asf/struts.git commit 14254e602bb17c64af7e92576c777842feefce3b Author: Kusal Kithul-Godage AuthorDate: Thu Feb 6 12:02:40 2025 +1100 WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members --- .../xwork2/ognl/SecurityMemberAccess.java | 5 +++- .../com/opensymphony/xwork2/util/ProxyUtil.java| 3 ++- .../xwork2/ognl/OgnlValueStackTest.java| 28 ++ .../xwork2/spring/SpringProxyUtilTest.java | 2 ++ 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java index f15b50af1..3963ac730 100644 --- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java +++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java @@ -160,6 +160,9 @@ public class SecurityMemberAccess implements MemberAccess { public boolean isAccessible(Map context, Object target, Member member, String propertyName) { LOG.debug("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName); +if (member == null) { +throw new IllegalArgumentException("Member cannot be null!"); +} if (target != null) { // Special case: Target is a Class object but not Class.class if (Class.class.equals(target.getClass()) && !Class.class.equals(target)) { 
@@ -228,7 +231,7 @@ public class SecurityMemberAccess implements MemberAccess { return true; } -if (!disallowProxyObjectAccess && target != null && ProxyUtil.isProxy(target)) { +if (!disallowProxyObjectAccess && ProxyUtil.isProxy(target)) { // If `disallowProxyObjectAccess` is not set, allow resolving Hibernate entities to their underlying // classes/members. This allows the allowlist capability to continue working and offer some level of // protection in applications where the developer has accepted the risk of allowing OGNL access to Hibernate diff --git a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java index 895cfb7ee..22c36 100644 --- a/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java +++ b/core/src/main/java/com/opensymphony/xwork2/util/ProxyUtil.java @@ -81,6 +81,7 @@ public class ProxyUtil { * @param object the object to check */ public static boolean isProxy(Object object) { +if (object == null) return false; Class clazz = object.getClass(); Boolean flag = isProxyCache.get(clazz); if (flag != null) { @@ -121,7 +122,7 @@ public class ProxyUtil { */ public static boolean isHibernateProxy(Object object) { try { -return HibernateProxy.class.isAssignableFrom(object.getClass()); +return object != null && HibernateProxy.class.isAssignableFrom(object.getClass()); } catch (NoClassDefFoundError ignored) { return false; } diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java index 7fb560c5b..86a83cd8c 100644 --- a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java +++ b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java 
@@ -1233,6 +1233,34 @@ public class OgnlValueStackTest extends XWorkTestCase { assertNull("accessed private field (result not null) ?", accessedValue); } +public void testFindValueWithConstructorAndProxyChecks() { +Map properties = new HashMap<>(); +properties.put(StrutsConstants.STRUTS_DISALLOW_PROXY_OBJECT_ACCESS, Boolean.TRUE.toString()); +properties.put(StrutsConstants.STRUTS_DISALLOW_PROXY_MEMBER_ACCESS, Boolean.TRUE.toString()); +loadButSet(properties); +refreshContainerFields(); + +String value = "test"; +String ognlResult = (String) vs.findValue( +"new org.apache.struts2.ognl.OgnlValueStackTest$ValueHolder('" + value + "').value", String.class); + +assertEquals(value, ognlResult); +} + +@SuppressWarnings({"unused"}) +public static class ValueHolder { +// See testFindValueWithConstructorAndProxyChecks +private final String value; + +public ValueHolder(String value) { +this.value = value; +} + +public String getValue() { +return value; +} +} + static class BadJavaBean { private int count; private int count2; diff --git a/plugins/spring/src/test/java/com/opensymphony/xwork2/sprin
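Review bot: the null guard added in the `@@ -160,6 +160,9 @@` hunk of `SecurityMemberAccess.java` turns the NPE named in the ticket into an `IllegalArgumentException` rather than a `false` return, which is a visible contract change for anything calling `isAccessible` from the OGNL evaluation path (a different exception type than before, and still an exception rather than a denial); the method's Javadoc should state that a null member is rejected by exception so callers do not assume `MemberAccess` semantics of "not accessible, return false". The guard also sits after the `LOG.debug("Checking access for [target: {}, member: {}, property: {}]", ...)` line; moving it above the log call would keep the debug output from reporting an access check that is rejected on its first statement.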
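Review bot: removing `target != null &&` in the `@@ -228,7 +231,7 @@` hunk makes the `!disallowProxyObjectAccess && ProxyUtil.isProxy(target)` condition rely on the null tolerance that the same patch adds inside `ProxyUtil.isProxy`; the behaviour is correct, but the reason it is safe is no longer visible at the call site. Either keep the explicit check or add a short comment that `isProxy` returns `false` for null, so that a later "simplification" of `ProxyUtil` does not quietly reintroduce the NPE on the `target == null` path this change is meant to close.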
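Review bot: `if (object == null) return false;` in the `@@ -81,6 +81,7 @@` hunk of `ProxyUtil.java` is a braceless single-line `if`, which the surrounding code (`if (flag != null) {`) does not use, so it should be written with braces for consistency; more importantly the Javadoc directly above it still says only `@param object the object to check`, and now that a null argument is an explicit, supported input the doc should say that null yields `false`, since callers such as the `SecurityMemberAccess` change in this same patch depend on exactly that.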
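Review bot: in the `@@ -121,7 +122,7 @@` hunk, `isHibernateProxy` now evaluates `object != null` before `object.getClass()`, which matches the new behaviour of `isProxy`, and the existing `catch (NoClassDefFoundError ignored)` still covers the case where `HibernateProxy` is not on the classpath. What cannot be confirmed from this digest is test coverage of the null path: the diffstat lists 2 added lines in `SpringProxyUtilTest.java`, but that hunk is cut off here, so a reviewer should check that both `isProxy(null)` and `isHibernateProxy(null)` are exercised rather than only the `SecurityMemberAccess` path.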
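Review bot: the OGNL expression in `testFindValueWithConstructorAndProxyChecks` (`@@ -1233,6 +1233,34 @@` hunk) names the nested class as `org.apache.struts2.ognl.OgnlValueStackTest$ValueHolder`, but the file being patched is `core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java`, so on this branch the class is in the `com.opensymphony.xwork2.ognl` package and the literal name will not resolve when the expression is evaluated. Build the name from the class instead of hard-coding it, e.g. `"new " + ValueHolder.class.getName() + "('" + value + "').value"`, which stays correct across the package rename between this branch and main and removes the need to edit the string when cherry-picking.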
(struts) branch fix/WW-5525-sma-npe deleted (was d9d6becbc)
This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a change to branch fix/WW-5525-sma-npe in repository https://gitbox.apache.org/repos/asf/struts.git was d9d6becbc WW-5525 Fixes bugs introduced by previous commit The revisions that were on this branch are still contained in other references; therefore, this change does not discard any commits from the repository.
(struts) branch WW-5525-proxyutil-npe-67 created (now fc9f0f901)
This is an automated email from the ASF dual-hosted git repository. kusal pushed a change to branch WW-5525-proxyutil-npe-67 in repository https://gitbox.apache.org/repos/asf/struts.git at fc9f0f901 WW-5525 Fixes NPE when checking if expressions is acceptable This branch includes the following new commits: new 14254e602 WW-5525 Fix NPE in ProxyUtil for SecurityMemberAccess originating static members new fc9f0f901 WW-5525 Fixes NPE when checking if expressions is acceptable The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.