WW-5379 Implement alternative mechanism for Velocity directives to obtain ValueStack

[kusalk]

WW-5379

This affords applications the ability to not include the ValueStack as $stack in the Velocity context and reduce risk of SSTI escalation.

[kusalk]

(Again, SonarCloud is using the wrong base)

[kusalk]

Was technically a bug as we were failing to look at chained contexts within our chained contexts

[kusalk]

This shouldn't occur but left it for backwards compatibility in case there is a scenario I didn't foresee

[lukaszlenart]

Do we need to have this public? Also this requires to cast to StrutsVelocityContext, wouldn't be better to have a marking interface ValueStackAware or ValueStackProvider to expose the ValueStack?

[kusalk]

I think it has to be but I wonder if Directives can simply obtain the ValueStack from the ActionContext? It's not clear to me if the ValueStack on the ActionContext changes between the time of Velocity context creation and directive rendering. I recall this was how the ValueStack was obtained in WebWork 2.1 but I presume it was changed for a reason?

But also, there's no change in terms of security as the stack was already exposed on the StrutsVelocityContext instance using internalGet("stack") or get("stack").

And yep I can definitely use a marker interface to allow more flexibility in the Velocity context implementation used by applications.

[lukaszlenart]

It shouldn't change as far I understand, yet I'm not sure if this is true :) Let's leave it as is, at some point I will solve this puzzle ;-)

[sonarcloud]

Quality Gate failed

Failed conditions

10 Security Hotspots
28.5% Coverage on New Code (required ≥ 80%)
4.1% Duplication on New Code (required ≤ 3%)
E Security Rating on New Code (required ≥ A)
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint