Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WW-5340 Introducing OGNL Guard #747

Merged
merged 12 commits into from
Sep 30, 2023
Merged

WW-5340 Introducing OGNL Guard #747

merged 12 commits into from
Sep 30, 2023

Conversation

kusalk
Copy link
Member

@kusalk kusalk commented Aug 31, 2023
edited
Loading

WW-5340

This serves as an optional, additional layer of protection to SecurityMemberAccess. OgnlGuard can validate both the raw and parsed OGNL expression. It is implemented as a user-configurable bean.

The default functionality includes the capability to block any expressions which contain specified OGNL AST nodes.

@kusalk kusalk force-pushed the WW-5340-ognl-guard branch 6 times, most recently from 02db368 to 31cc8a1 Compare August 31, 2023 14:19
Base automatically changed from WW-5340-ognlutil-refactor to master September 26, 2023 09:06
@lukaszlenart
Copy link
Member

Conflicts

lukaszlenart
lukaszlenart reviewed Sep 26, 2023
View reviewed changes
core/src/main/java/com/opensymphony/xwork2/ognl/DefaultOgnlGuard.java Outdated
*
* @since 6.4.0
*/
public class DefaultOgnlGuard implements OgnlGuard {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I prefer to use StrutsOgnlGuard - default means different things for different ppl ;)

@kusalk kusalk marked this pull request as ready for review September 26, 2023 09:16
lukaszlenart
lukaszlenart reviewed Sep 26, 2023
View reviewed changes
Copy link
Member

@lukaszlenart lukaszlenart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for review in steps, got distracted :)

core/src/main/java/com/opensymphony/xwork2/ognl/OgnlGuard.java Outdated Show resolved Hide resolved
core/src/main/java/org/apache/struts2/StrutsConstants.java Show resolved Hide resolved
core/src/main/resources/struts-beans.xml Outdated Show resolved Hide resolved
@sonarcloud
Copy link

sonarcloud bot commented Sep 28, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

94.7% 94.7% Coverage
0.0% 0.0% Duplication

@lukaszlenart
Copy link
Member

Is it ready for review?

@kusalk
Copy link
Member Author

kusalk commented Sep 28, 2023

Yep that should be everything addressed

lukaszlenart
lukaszlenart approved these changes Sep 30, 2023
View reviewed changes
Copy link
Member

@lukaszlenart lukaszlenart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 💪 LGTM 👍

@lukaszlenart lukaszlenart merged commit 6f8844e into master Sep 30, 2023
8 checks passed
@lukaszlenart lukaszlenart deleted the WW-5340-ognl-guard branch September 30, 2023 08:39
@kusalk kusalk mentioned this pull request Oct 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukaszlenart lukaszlenart lukaszlenart approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kusalk @lukaszlenart