Posted to commits@struts.apache.org by lu...@apache.org on 2014/04/25 15:00:10 UTC
[1/4] git commit: Defines new logic to allow exclude some properties
(eg. getClass)
Repository: struts
Updated Branches:
refs/heads/feature/exclude-object-class [created] aff3a3a62
Defines new logic to allow exclude some properties (eg. getClass)
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/25503840
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/25503840
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/25503840
Branch: refs/heads/feature/exclude-object-class
Commit: 255038405549562593227c221c04a6cb096a0c05
Parents: 9519cd1
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri Apr 25 14:57:07 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri Apr 25 14:57:07 2014 +0200
----------------------------------------------------------------------
.../com/opensymphony/xwork2/ognl/OgnlUtil.java | 26 ++++++
.../opensymphony/xwork2/ognl/OgnlUtilTest.java | 91 +++++++++++++++++++-
2 files changed, 116 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/25503840/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
index fa907e3..a0231bc 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
@@ -19,6 +19,7 @@ import com.opensymphony.xwork2.XWorkConstants;
import com.opensymphony.xwork2.conversion.impl.XWorkConverter;
import com.opensymphony.xwork2.inject.Inject;
import com.opensymphony.xwork2.util.CompoundRoot;
+import com.opensymphony.xwork2.util.TextParseUtil;
import com.opensymphony.xwork2.util.logging.Logger;
import com.opensymphony.xwork2.util.logging.LoggerFactory;
import com.opensymphony.xwork2.util.reflection.ReflectionException;
@@ -36,7 +37,9 @@ import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Collection;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Map;
+import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
@@ -58,6 +61,8 @@ public class OgnlUtil {
private boolean enableExpressionCache = true;
private boolean enableEvalExpression;
+ private Set<String> excludedProperties = new HashSet<String>();
+
@Inject
public void setXWorkConverter(XWorkConverter conv) {
this.defaultConverter = new OgnlTypeConverterWrapper(conv);
@@ -82,6 +87,11 @@ public class OgnlUtil {
}
}
+ @Inject(value = XWorkConstants.OGNL_EXCLUDED_PROPERTIES, required = false)
+ public void setExcludedProperties(String commaDelimitedProperties) {
+ excludedProperties = TextParseUtil.commaDelimitedStringToSet(commaDelimitedProperties);
+ }
+
/**
* Sets the object's properties using the default type converter, defaulting to not throw
* exceptions for problems setting the properties.
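Review bot: The exclusion list fails open. The field added in the previous hunk starts as an empty `HashSet` and `setExcludedProperties` is injected with `required = false`, so a container that never defines `XWorkConstants.OGNL_EXCLUDED_PROPERTIES` runs with nothing excluded. The setter also replaces the set instead of extending it, so a configuration that overrides the constant to add one name drops every other entry. Both facts belong in a Javadoc on the setter, for example `Replaces (does not extend) the property names rejected in OGNL expressions; if the constant is undefined, nothing is excluded`. A startup warning when the set ends up empty would make the fail-open case visible.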
@@ -279,11 +289,13 @@ public class OgnlUtil {
if (tree == null) {
tree = Ognl.parseExpression(expression);
checkEnableEvalExpression(tree, context);
+ checkExcludedPropertiesAccess(tree, null);
expressions.putIfAbsent(expression, tree);
}
} else {
tree = Ognl.parseExpression(expression);
checkEnableEvalExpression(tree, context);
+ checkExcludedPropertiesAccess(tree, null);
}
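Review bot: The parse-then-validate sequence is now repeated in both the cached and the uncached branch, so a check later added to only one of them would make enforcement depend on whether `enableExpressionCache` is on. Moving the three lines into one private helper and calling it from both branches, e.g. `tree = parseAndValidate(expression, context);`, keeps the two paths identical. In the cached branch a tree is validated only when it is first parsed, so a later call to `setExcludedProperties` does not affect entries already in `expressions`; a short comment there would record that. The enclosing method starts and ends outside this hunk.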
@@ -293,6 +305,20 @@ public class OgnlUtil {
return exec;
}
+ private void checkExcludedPropertiesAccess(Object tree, SimpleNode parent) throws OgnlException {
+ if (tree instanceof SimpleNode) {
+ SimpleNode node = (SimpleNode) tree;
+ for (String excludedPattern : excludedProperties) {
+ if (excludedPattern.equalsIgnoreCase(node.toString())) {
+ throw new OgnlException("Tree [" + (parent != null ? parent : tree) + "] trying access excluded pattern [" + excludedPattern + "]");
+ }
+ for (int i = 0; i < node.jjtGetNumChildren(); i++) {
+ checkExcludedPropertiesAccess(node.jjtGetChild(i), node);
+ }
+ }
+ }
+ }
+
public Object compile(String expression, Map<String, Object> context) throws OgnlException {
return compileAndExecute(expression,context,new OgnlTask<Object>() {
public Object execute(Object tree) throws OgnlException {
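Review bot: The loop over children sits inside `for (String excludedPattern : excludedProperties)`, so every subtree is re-walked once per configured name at every level. With the ten names shipped in struts-default.xml, node visits grow roughly as 10^depth, and the ParametersInterceptor test on this page shows the expression text can come from request parameter names. Close the pattern loop first, then run `for (int i = 0; i < node.jjtGetNumChildren(); i++)` once per node; the set of rejected expressions stays the same. The match is an exact, case-insensitive comparison against `node.toString()`, so what is rejected depends on how each OGNL node type renders itself, which deserves a comment on the method. `compile`, which follows the new method, continues outside the hunk.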
http://git-wip-us.apache.org/repos/asf/struts/blob/25503840/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java
index 8bd5e23..d471183 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/ognl/OgnlUtilTest.java
@@ -630,7 +630,96 @@ public class OgnlUtilTest extends XWorkTestCase {
stack.setValue("1114778947765", foo);
stack.setValue("1234", foo);
}
-
+
+ public void testAvoidCallingMethodsOnObjectClass() throws Exception {
+ Foo foo = new Foo();
+ OgnlUtil util = new OgnlUtil();
+ util.setEnableExpressionCache("false");
+ util.setExcludedProperties("class");
+
+ Exception expected = null;
+ try {
+ util.setValue("class.classLoader.defaultAssertionStatus", ActionContext.getContext().getContextMap(), foo, true);
+ fail();
+ } catch (OgnlException e) {
+ expected = e;
+ }
+ assertNotNull(expected);
+ assertSame(expected.getClass(), OgnlException.class);
+ assertEquals(expected.getMessage(), "Tree [class.classLoader.defaultAssertionStatus] trying access excluded pattern [class]");
+ }
+
+ public void testAvoidCallingMethodsOnObjectClassUpperCased() throws Exception {
+ Foo foo = new Foo();
+ OgnlUtil util = new OgnlUtil();
+ util.setEnableExpressionCache("false");
+ util.setExcludedProperties("class");
+
+ Exception expected = null;
+ try {
+ util.setValue("Class.ClassLoader.DefaultAssertionStatus", ActionContext.getContext().getContextMap(), foo, true);
+ fail();
+ } catch (OgnlException e) {
+ expected = e;
+ }
+ assertNotNull(expected);
+ assertSame(expected.getClass(), OgnlException.class);
+ assertEquals(expected.getMessage(), "Tree [Class.ClassLoader.DefaultAssertionStatus] trying access excluded pattern [class]");
+ }
+
+ public void testAvoidCallingMethodsOnObjectClassAsMap() throws Exception {
+ Foo foo = new Foo();
+ OgnlUtil util = new OgnlUtil();
+ util.setEnableExpressionCache("false");
+ util.setExcludedProperties("class");
+
+ Exception expected = null;
+ try {
+ util.setValue("class['classLoader']['defaultAssertionStatus']", ActionContext.getContext().getContextMap(), foo, true);
+ fail();
+ } catch (OgnlException e) {
+ expected = e;
+ }
+ assertNotNull(expected);
+ assertSame(expected.getClass(), OgnlException.class);
+ assertEquals(expected.getMessage(), "Tree [class[\"classLoader\"][\"defaultAssertionStatus\"]] trying access excluded pattern [class]");
+ }
+
+ public void testAvoidCallingMethodsOnObjectClassAsMapWithQuotes() throws Exception {
+ Foo foo = new Foo();
+ OgnlUtil util = new OgnlUtil();
+ util.setEnableExpressionCache("false");
+ util.setExcludedProperties("class");
+
+ Exception expected = null;
+ try {
+ util.setValue("class[\"classLoader\"]['defaultAssertionStatus']", ActionContext.getContext().getContextMap(), foo, true);
+ fail();
+ } catch (OgnlException e) {
+ expected = e;
+ }
+ assertNotNull(expected);
+ assertSame(expected.getClass(), OgnlException.class);
+ assertEquals(expected.getMessage(), "Tree [class[\"classLoader\"][\"defaultAssertionStatus\"]] trying access excluded pattern [class]");
+ }
+
+ public void testAvoidCallingToString() throws Exception {
+ Foo foo = new Foo();
+ OgnlUtil util = new OgnlUtil();
+ util.setEnableExpressionCache("false");
+ util.setExcludedProperties("toString");
+
+ Exception expected = null;
+ try {
+ util.setValue("toString", ActionContext.getContext().getContextMap(), foo, true);
+ fail();
+ } catch (OgnlException e) {
+ expected = e;
+ }
+ assertNotNull(expected);
+ assertSame(expected.getClass(), OgnlException.class);
+ assertEquals(expected.getMessage(), "Tree [toString] trying access excluded pattern [toString]");
+ }
public static class Email {
String address;
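Review bot: All five new tests call `util.setEnableExpressionCache("false")`, so the check added to the cached branch in OgnlUtil is never exercised. One test should leave the cache on and submit the same expression twice, expecting `OgnlException` both times. There is also no case with more than one excluded name configured, and none where the excluded name itself is written as a quoted index rather than a plain property; because the check compares against `node.toString()`, that form may render differently and should be pinned down by a test. `assertEquals(expected.getMessage(), "...")` has expected and actual swapped, which makes a failure report misleading. `Email`, at the end of the hunk, continues outside it.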
[4/4] git commit: Adds conversion of Struts property to XWork property
Posted by lu...@apache.org.
Adds conversion of Struts property to XWork property
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/aff3a3a6
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/aff3a3a6
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/aff3a3a6
Branch: refs/heads/feature/exclude-object-class
Commit: aff3a3a625dc89f93f5b6548887245ffd6bba3d3
Parents: 14ad0ab
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri Apr 25 14:59:38 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri Apr 25 14:59:38 2014 +0200
----------------------------------------------------------------------
core/src/main/java/org/apache/struts2/StrutsConstants.java | 4 ++++
.../org/apache/struts2/config/DefaultBeanSelectionProvider.java | 1 +
core/src/main/resources/struts-default.xml | 3 +++
3 files changed, 8 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/aff3a3a6/core/src/main/java/org/apache/struts2/StrutsConstants.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/StrutsConstants.java b/core/src/main/java/org/apache/struts2/StrutsConstants.java
index 3423ec8..6be58ad 100644
--- a/core/src/main/java/org/apache/struts2/StrutsConstants.java
+++ b/core/src/main/java/org/apache/struts2/StrutsConstants.java
@@ -281,4 +281,8 @@ public final class StrutsConstants {
/** Allows override default DispatcherErrorHandler **/
public static final String STRUTS_DISPATCHER_ERROR_HANDLER = "struts.dispatcher.errorHandler";
+
+ /** Comma delimited set of excluded properties which cannot be accessed via expressions **/
+ public static final String STRUTS_EXCLUDED_PROPERTIES = "struts.excludedProperties";
+
}
http://git-wip-us.apache.org/repos/asf/struts/blob/aff3a3a6/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
index b6b5b45..4cc2d61 100644
--- a/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
+++ b/core/src/main/java/org/apache/struts2/config/DefaultBeanSelectionProvider.java
@@ -391,6 +391,7 @@ public class DefaultBeanSelectionProvider extends AbstractBeanSelectionProvider
convertIfExist(props, StrutsConstants.STRUTS_ENABLE_OGNL_EVAL_EXPRESSION, XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION);
convertIfExist(props, StrutsConstants.STRUTS_ALLOW_STATIC_METHOD_ACCESS, XWorkConstants.ALLOW_STATIC_METHOD_ACCESS);
convertIfExist(props, StrutsConstants.STRUTS_CONFIGURATION_XML_RELOAD, XWorkConstants.RELOAD_XML_CONFIGURATION);
+ convertIfExist(props, StrutsConstants.STRUTS_EXCLUDED_PROPERTIES, XWorkConstants.OGNL_EXCLUDED_PROPERTIES);
LocalizedTextUtil.addDefaultResourceBundle("org/apache/struts2/struts-messages");
loadCustomResourceBundles(props);
http://git-wip-us.apache.org/repos/asf/struts/blob/aff3a3a6/core/src/main/resources/struts-default.xml
----------------------------------------------------------------------
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 87f1ff5..7cb687e 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -37,6 +37,9 @@
"http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
+
+ <constant name="struts.excludedProperties" value="getClass,class,hashCode,toString,clone,equals,finalize,notify,notifyAll,wait" />
+
<bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
<bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
<bean type="com.opensymphony.xwork2.factory.ActionFactory" name="struts" class="com.opensymphony.xwork2.factory.DefaultActionFactory" />
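Review bot: The new constant has no comment, and its behaviour on override is not obvious. Judging by the setter in OgnlUtil, the value replaces the whole set, so an application that redefines `struts.excludedProperties` to add one name loses these defaults. An XML comment above it would help, e.g. `<!-- Property names rejected in OGNL expressions. Overriding this constant replaces the list; repeat the defaults when adding entries. -->`. The list also mixes a property name (`class`) with method names (`getClass`, `wait`, and others); whether a method-call node ever renders as a bare name that matches is not visible here and should be confirmed.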
[3/4] git commit: Extends tests to check if excluded properties works
on higher level
Posted by lu...@apache.org.
Extends tests to check if excluded properties works on higher level
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/14ad0ab0
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/14ad0ab0
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/14ad0ab0
Branch: refs/heads/feature/exclude-object-class
Commit: 14ad0ab00662e847b7959022d0106adfaf3219ea
Parents: bbcee42
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri Apr 25 14:58:40 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri Apr 25 14:58:40 2014 +0200
----------------------------------------------------------------------
.../xwork2/interceptor/ParametersInterceptorTest.java | 11 ++++++++---
xwork-core/src/test/resources/xwork-param-test.xml | 1 +
2 files changed, 9 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/14ad0ab0/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
index 5a4485d..f0adf02 100644
--- a/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
+++ b/xwork-core/src/test/java/com/opensymphony/xwork2/interceptor/ParametersInterceptorTest.java
@@ -161,12 +161,14 @@ public class ParametersInterceptorTest extends XWorkTestCase {
// given
final String pollution1 = "class.classLoader.jarPath";
final String pollution2 = "model.class.classLoader.jarPath";
+ final String pollution3 = "class.classLoader.defaultAssertionStatus";
loadConfigurationProviders(new XWorkConfigurationProvider(), new XmlConfigurationProvider("xwork-param-test.xml"));
final Map<String, Object> params = new HashMap<String, Object>() {
{
put(pollution1, "bad");
put(pollution2, "very bad");
+ put(pollution3, true);
}
};
@@ -190,16 +192,19 @@ public class ParametersInterceptorTest extends XWorkTestCase {
pi.setParameters(action, vs, params);
// then
- assertEquals(2, action.getActionMessages().size());
+ assertEquals(3, action.getActionMessages().size());
String msg1 = action.getActionMessage(0);
String msg2 = action.getActionMessage(1);
+ String msg3 = action.getActionMessage(2);
- assertEquals("Error setting expression 'class.classLoader.jarPath' with value 'bad'", msg1);
- assertEquals("Error setting expression 'model.class.classLoader.jarPath' with value 'very bad'", msg2);
+ assertEquals("Error setting expression 'class.classLoader.defaultAssertionStatus' with value 'true'", msg1);
+ assertEquals("Error setting expression 'class.classLoader.jarPath' with value 'bad'", msg2);
+ assertEquals("Error setting expression 'model.class.classLoader.jarPath' with value 'very bad'", msg3);
assertFalse(excluded.get(pollution1));
assertFalse(excluded.get(pollution2));
+ assertFalse(excluded.get(pollution3));
}
public void testDoesNotAllowMethodInvocations() throws Exception {
http://git-wip-us.apache.org/repos/asf/struts/blob/14ad0ab0/xwork-core/src/test/resources/xwork-param-test.xml
----------------------------------------------------------------------
diff --git a/xwork-core/src/test/resources/xwork-param-test.xml b/xwork-core/src/test/resources/xwork-param-test.xml
index fa081c4..3ca616a 100644
--- a/xwork-core/src/test/resources/xwork-param-test.xml
+++ b/xwork-core/src/test/resources/xwork-param-test.xml
@@ -4,4 +4,5 @@
<xwork>
<constant name="devMode" value="true" />
+ <constant name="ognlExcludedProperties" value="getClass,class,hashCode,toString,clone,equals,finalize,notify,notifyAll,wait" />
</xwork>
\ No newline at end of file
[2/4] git commit: Adds constant under which excluded properties can
be defined
Posted by lu...@apache.org.
Adds constant under which excluded properties can be defined
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/bbcee42f
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/bbcee42f
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/bbcee42f
Branch: refs/heads/feature/exclude-object-class
Commit: bbcee42f669f9e11e1ba1892eddbd612506616d2
Parents: 2550384
Author: Lukasz Lenart <lu...@apache.org>
Authored: Fri Apr 25 14:57:44 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Fri Apr 25 14:57:44 2014 +0200
----------------------------------------------------------------------
.../src/main/java/com/opensymphony/xwork2/XWorkConstants.java | 2 ++
1 file changed, 2 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/bbcee42f/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
index 1936368..1894372 100644
--- a/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
@@ -17,4 +17,6 @@ public final class XWorkConstants {
public static final String RELOAD_XML_CONFIGURATION = "reloadXmlConfiguration";
public static final String ALLOW_STATIC_METHOD_ACCESS = "allowStaticMethodAccess";
public static final String XWORK_LOGGER_FACTORY = "xwork.loggerFactory";
+ public static final String OGNL_EXCLUDED_PROPERTIES = "ognlExcludedProperties";
+
}