Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WW-5440 Fix OGNL allowlist compat with Convention plugin #986

Merged
merged 7 commits into from
Jul 15, 2024

Conversation

kusalk
Copy link
Member

@kusalk kusalk commented Jul 13, 2024

WW-5440

  • Fixed struts2-convention-plugin compatibility with OGNL allowlist, Actions are now auto-allowlisted as expected
  • Fixed struts2-config-browser-plugin compatibility with struts.parameters.requireAnnotations=true
  • Fixed Showcase App Hangman Action by adding appropriate classes to OGNL allowlist configuration
  • Fixed a number of other Showcase App Actions which required further annotating/allowlisting
  • Deprecated AnnotationParameterFilterInterceptor which is superseded by @StrutsParameter capability

I also went through and did a batch application of @StrutsParameter even in unit test Actions in which they may not be strictly required. Did this as a precautionary measure against any other regressions or unintended test behaviour.

@kusalk kusalk force-pushed the WW-5440-convention branch from 611933c to 899b35b Compare July 13, 2024 13:25
@kusalk kusalk marked this pull request as ready for review July 13, 2024 13:39
@kusalk kusalk force-pushed the WW-5440-convention branch from 899b35b to 27e4d0d Compare July 13, 2024 14:34
@kusalk kusalk requested a review from lukaszlenart July 13, 2024 14:58
@kusalk
Copy link
Member Author

kusalk commented Jul 13, 2024

@lukaszlenart Sorry about the massive diff on this one - it should be a bit easier to review commit by commit. Otherwise, let me know and I'll try split it up into smaller PRs

@@ -28,9 +28,11 @@
* a HttpRequest parameter.
*
* @author martin.gilday
* @deprecated since 6.6.0, use {@link org.apache.struts2.interceptor.parameter.StrutsParameter}.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️

@@ -46,7 +46,10 @@
* </p>
*
* @author martin.gilday
* @deprecated since 6.6.0, integrated into {@link ParametersInterceptor} with {@link StrutsParameter} using
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a task to remove this interceptor in Struts 7?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've just updated the description of WW-5411 - if you'd prefer a separate card I can create one too

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fine, just to not forget about this :)

public String execute() throws Exception {
executionCount++;
LOG.info("executing ExecutionCountTestAction. Current count is " + executionCount);
LOG.info("executing ExecutionCountTestAction. Current count is {}", executionCount);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️

try {
Object action = objectFactory.buildAction(actionName, namespace, config, null);
properties = reflectionProvider.getPropertyDescriptors(action);
} catch (Exception e) {
LOG.error("Unable to get properties for action " + actionName, e);
addActionError("Unable to retrieve action properties: " + e.toString());
LOG.error("Unable to get properties for action {}", actionName, e);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This won't work, you must use ParameterizedMessage like this

LOG.error(new ParameterizedMessage("Unable to get properties for action {}", actionName), e);

Copy link
Member Author

@kusalk kusalk Jul 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I double checked this because IntelliJ insisted this was correct despite the JavaDoc for the method suggesting it was incorrect. Turns out Log4J 2 will actually log this correctly as it will identify that the last argument is an exception (also tested locally). Here is the relevant Log4J 2 code - https://github.com/apache/logging-log4j2/blob/rel/2.23.1/log4j-api/src/main/java/org/apache/logging/log4j/message/ReusableParameterizedMessage.java#L128
And the relevant documentation - https://logging.apache.org/log4j/2.x/manual/api.html#substituting-parameters

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, nice! I were always using ParameterizedMessage in such case, good to know!

@lukaszlenart
Copy link
Member

Thanks a lot for all your work, this is huge! One small thing and I'm good

@lukaszlenart
Copy link
Member

conflict

@kusalk
Copy link
Member Author

kusalk commented Jul 15, 2024

Resolved!

@kusalk kusalk requested a review from lukaszlenart July 15, 2024 03:23
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
30.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarCloud

@kusalk kusalk merged commit 9195990 into master Jul 15, 2024
8 of 9 checks passed
@kusalk kusalk deleted the WW-5440-convention branch July 15, 2024 06:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants