struts-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lukaszlen...@apache.org
Subject [struts] 06/13: Adds proper handling of primitive types
Date Fri, 24 Aug 2018 08:34:31 GMT
This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts.git

commit c2b2511f851da37055df2b13fb7405afe5f316e2
Author: Lukasz Lenart <lukaszlenart@apache.org>
AuthorDate: Wed Jun 20 11:47:53 2018 +0200

    Adds proper handling of primitive types
---
 .../xwork2/ognl/SecurityMemberAccess.java          | 11 ++++--
 core/src/main/resources/struts-default.xml         |  2 +-
 .../xwork2/ognl/SecurityMemberAccessTest.java      | 46 ++++++++++++++--------
 3 files changed, 38 insertions(+), 21 deletions(-)

diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index 05db70f..5d87944 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -154,9 +154,9 @@ public class SecurityMemberAccess implements MemberAccess {
         if (targetPackage == null || memberPackage == null) {
             LOG.warn("The use of the default (unnamed) package is discouraged!");
         }
-
-        final String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
-        final String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
+        
+        String targetPackageName = targetPackage == null ? "" : targetPackage.getName();
+        String memberPackageName = memberPackage == null ? "" : memberPackage.getName();
 
         for (Pattern pattern : excludedPackageNamePatterns) {
             if (pattern.matcher(targetPackageName).matches() || pattern.matcher(memberPackageName).matches())
{
@@ -164,7 +164,10 @@ public class SecurityMemberAccess implements MemberAccess {
             }
         }
 
-        for (String packageName : excludedPackageNames) {
+        targetPackageName = targetPackageName + ".";
+        memberPackageName = memberPackageName + ".";
+
+        for (String packageName: excludedPackageNames) {
             if (targetPackageName.startsWith(packageName) || targetPackageName.equals(packageName)
                     || memberPackageName.startsWith(packageName) || memberPackageName.equals(packageName))
{
                 return true;
diff --git a/core/src/main/resources/struts-default.xml b/core/src/main/resources/struts-default.xml
index 3896a51..417e6d8 100644
--- a/core/src/main/resources/struts-default.xml
+++ b/core/src/main/resources/struts-default.xml
@@ -62,7 +62,7 @@
                 com.opensymphony.xwork2.ognl.,
                 java.lang.,
                 ognl.,
-                javax,
+                javax.,
                 freemarker.core.,
                 freemarker.template.,
                 freemarker.ext.rhino.,
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index c78e9ab..ddb3f28 100644
--- a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -22,7 +22,6 @@ import com.opensymphony.xwork2.util.TextParseUtil;
 import junit.framework.TestCase;
 
 import java.lang.reflect.Member;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -62,7 +61,7 @@ public class SecurityMemberAccessTest extends TestCase {
         String propertyName = "stringField";
         Member member = FooBar.class.getDeclaredMethod("get" + propertyName.substring(0,
1).toUpperCase() + propertyName.substring(1));
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(FooBar.class);
         sma.setExcludedClasses(excluded);
 
@@ -108,7 +107,7 @@ public class SecurityMemberAccessTest extends TestCase {
         String propertyName = "barLogic";
         Member member = BarInterface.class.getMethod(propertyName);
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(BarInterface.class);
         sma.setExcludedClasses(excluded);
 
@@ -126,7 +125,7 @@ public class SecurityMemberAccessTest extends TestCase {
         String propertyName = "fooLogic";
         Member member = FooBar.class.getMethod(propertyName);
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(BarInterface.class);
         sma.setExcludedClasses(excluded);
 
@@ -158,7 +157,7 @@ public class SecurityMemberAccessTest extends TestCase {
         String propertyName = "barLogic";
         Member member = BarInterface.class.getMethod(propertyName);
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(FooBarInterface.class);
         sma.setExcludedClasses(excluded);
 
@@ -173,7 +172,7 @@ public class SecurityMemberAccessTest extends TestCase {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<Pattern> excluded = new HashSet<Pattern>();
+        Set<Pattern> excluded = new HashSet<>();
         excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.",
"\\\\.") + ".*"));
         sma.setExcludedPackageNamePatterns(excluded);
 
@@ -191,7 +190,7 @@ public class SecurityMemberAccessTest extends TestCase {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<String> excluded = new HashSet<String>();
+        Set<String> excluded = new HashSet<>();
         excluded.add(FooBar.class.getPackage().getName());
         sma.setExcludedPackageNames(excluded);
 
@@ -205,11 +204,11 @@ public class SecurityMemberAccessTest extends TestCase {
         assertFalse("stringField is accessible!", actual);
     }
 
-    public void testDefaultPackageExclusion() throws Exception {
+    public void testDefaultPackageExclusion() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<Pattern> excluded = new HashSet<Pattern>();
+        Set<Pattern> excluded = new HashSet<>();
         excluded.add(Pattern.compile("^" + FooBar.class.getPackage().getName().replaceAll("\\.",
"\\\\.") + ".*"));
         sma.setExcludedPackageNamePatterns(excluded);
         
@@ -220,11 +219,11 @@ public class SecurityMemberAccessTest extends TestCase {
         assertFalse("default package is excluded!", actual);
     }
     
-    public void testDefaultPackageExclusion2() throws Exception {
+    public void testDefaultPackageExclusion2() {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
 
-        Set<Pattern> excluded = new HashSet<Pattern>();
+        Set<Pattern> excluded = new HashSet<>();
         excluded.add(Pattern.compile("^$"));
         sma.setExcludedPackageNamePatterns(excluded);
         
@@ -317,10 +316,10 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessPrimitiveDoubleWithNames() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang.,ognl,javax"));
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("ognl.,javax."));
 
 
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(Object.class);
         excluded.add(Runtime.class);
         excluded.add(System.class);
@@ -369,7 +368,7 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessPrimitiveDoubleWithPackageRegExs() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        Set<Pattern> patterns = new HashSet<Pattern>();
+        Set<Pattern> patterns = new HashSet<>();
         patterns.add(Pattern.compile("^java\\.lang\\..*"));
         sma.setExcludedPackageNamePatterns(patterns);
 
@@ -386,7 +385,7 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessMemberAccessIsAccessible() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(ognl.MemberAccess.class);
         sma.setExcludedClasses(excluded);
 
@@ -404,7 +403,7 @@ public class SecurityMemberAccessTest extends TestCase {
     public void testAccessMemberAccessIsBlocked() throws Exception {
         // given
         SecurityMemberAccess sma = new SecurityMemberAccess(false);
-        Set<Class<?>> excluded = new HashSet<Class<?>>();
+        Set<Class<?>> excluded = new HashSet<>();
         excluded.add(SecurityMemberAccess.class);
         sma.setExcludedClasses(excluded);
 
@@ -419,6 +418,21 @@ public class SecurityMemberAccessTest extends TestCase {
         assertFalse(accessible);
     }
 
+    public void testPackageNameExclusionAsCommaDelimited() {
+        // given
+        SecurityMemberAccess sma = new SecurityMemberAccess(false);
+
+
+        sma.setExcludedPackageNames(TextParseUtil.commaDelimitedStringToSet("java.lang."));
+
+        // when
+        boolean actual = sma.isPackageExcluded(String.class.getPackage(), null);
+        actual &= sma.isPackageExcluded(null, String.class.getPackage());
+
+        // then
+        assertTrue("package java.lang. is accessible!", actual);
+    }
+
 }
 
 class FooBar implements FooBarInterface {


Mime
View raw message