-
Notifications
You must be signed in to change notification settings - Fork 813
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WW-5440 Fix OGNL allowlist compat with Convention plugin #986
Conversation
611933c
to
899b35b
Compare
899b35b
to
27e4d0d
Compare
@lukaszlenart Sorry about the massive diff on this one - it should be a bit easier to review commit by commit. Otherwise, let me know and I'll try split it up into smaller PRs |
@@ -28,9 +28,11 @@ | |||
* a HttpRequest parameter. | |||
* | |||
* @author martin.gilday | |||
* @deprecated since 6.6.0, use {@link org.apache.struts2.interceptor.parameter.StrutsParameter}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❤️
@@ -46,7 +46,10 @@ | |||
* </p> | |||
* | |||
* @author martin.gilday | |||
* @deprecated since 6.6.0, integrated into {@link ParametersInterceptor} with {@link StrutsParameter} using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a task to remove this interceptor in Struts 7?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've just updated the description of WW-5411 - if you'd prefer a separate card I can create one too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's fine, just to not forget about this :)
public String execute() throws Exception { | ||
executionCount++; | ||
LOG.info("executing ExecutionCountTestAction. Current count is " + executionCount); | ||
LOG.info("executing ExecutionCountTestAction. Current count is {}", executionCount); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❤️
try { | ||
Object action = objectFactory.buildAction(actionName, namespace, config, null); | ||
properties = reflectionProvider.getPropertyDescriptors(action); | ||
} catch (Exception e) { | ||
LOG.error("Unable to get properties for action " + actionName, e); | ||
addActionError("Unable to retrieve action properties: " + e.toString()); | ||
LOG.error("Unable to get properties for action {}", actionName, e); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This won't work, you must use ParameterizedMessage
like this
LOG.error(new ParameterizedMessage("Unable to get properties for action {}", actionName), e);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I double checked this because IntelliJ insisted this was correct despite the JavaDoc for the method suggesting it was incorrect. Turns out Log4J 2 will actually log this correctly as it will identify that the last argument is an exception (also tested locally). Here is the relevant Log4J 2 code - https://github.com/apache/logging-log4j2/blob/rel/2.23.1/log4j-api/src/main/java/org/apache/logging/log4j/message/ReusableParameterizedMessage.java#L128
And the relevant documentation - https://logging.apache.org/log4j/2.x/manual/api.html#substituting-parameters
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, nice! I were always using ParameterizedMessage
in such case, good to know!
Thanks a lot for all your work, this is huge! One small thing and I'm good |
conflict |
Resolved! |
Quality Gate failedFailed conditions |
WW-5440
struts2-convention-plugin
compatibility with OGNL allowlist, Actions are now auto-allowlisted as expectedstruts2-config-browser-plugin
compatibility withstruts.parameters.requireAnnotations=true
AnnotationParameterFilterInterceptor
which is superseded by@StrutsParameter
capabilityI also went through and did a batch application of
@StrutsParameter
even in unit test Actions in which they may not be strictly required. Did this as a precautionary measure against any other regressions or unintended test behaviour.