Merge pull request #920 from apache/fix/WW-5419-tiles
[WW-5419] Fixes support for loading Tiles definitions
diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml
index 67faabc..6867c45 100644
--- a/.github/workflows/scorecards-analysis.yaml
+++ b/.github/workflows/scorecards-analysis.yaml
@@ -57,7 +57,7 @@
publish_results: true
- name: "Upload artifact"
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # 4.3.1
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
name: SARIF file
path: results.sarif
diff --git a/apps/showcase/pom.xml b/apps/showcase/pom.xml
index a1a9138..551ef17 100644
--- a/apps/showcase/pom.xml
+++ b/apps/showcase/pom.xml
@@ -157,7 +157,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
- <version>3.0.0-M6</version>
+ <version>3.2.5</version>
<configuration>
<includes>
<include>it.org.apache.struts2.showcase.*Test</include>
diff --git a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
index b0ee1f2..43ae992 100644
--- a/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
+++ b/core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java
@@ -31,7 +31,6 @@
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.lang.reflect.Member;
-import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.HashSet;
@@ -313,10 +312,6 @@
* @return {@code true} if member access is allowed
*/
protected boolean checkStaticMethodAccess(Member member) {
- if (checkEnumAccess(member)) {
- LOG.trace("Exempting Enum#values from static method check: class [{}]", member.getDeclaringClass());
- return true;
- }
return member instanceof Field || !isStatic(member);
}
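Review bot: With the enum exemption gone, the remaining `return member instanceof Field || !isStatic(member);` still returns true for every static field, and the Javadoc visible above it (`@return {@code true} if member access is allowed`) does not say so. If static fields are gated by a separate check, which this hunk does not show, the Javadoc should state it, e.g. `Static methods are always rejected, including Enum#values(); fields pass this check and are evaluated separately.` The next hunk also deletes the protected `checkEnumAccess(Member)`, so any subclass that calls or overrides it will stop compiling, which deserves a line in the release notes.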
@@ -347,17 +342,6 @@
return Modifier.isPublic(member.getModifiers());
}
- /**
- * @return {@code true} if member access is allowed
- */
- protected boolean checkEnumAccess(Member member) {
- return member.getDeclaringClass().isEnum()
- && isStatic(member)
- && member instanceof Method
- && member.getName().equals("values")
- && ((Method) member).getParameterCount() == 0;
- }
-
protected boolean isPackageExcluded(Class<?> clazz) {
return !excludedPackageExemptClasses.contains(clazz.getName()) && (isExcludedPackageNames(clazz) || isExcludedPackageNamePatterns(clazz));
}
diff --git a/core/src/main/resources/struts-excluded-classes.xml b/core/src/main/resources/struts-excluded-classes.xml
index f3f4f3f..58b89aa 100644
--- a/core/src/main/resources/struts-excluded-classes.xml
+++ b/core/src/main/resources/struts-excluded-classes.xml
@@ -92,6 +92,7 @@
org.apache.catalina.core,
org.apache.commons.beanutils,
org.apache.commons.collections,
+ org.apache.jasper,
org.apache.struts2.ognl,
org.apache.tomcat,
org.apache.velocity,
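Review bot: `org.apache.jasper` is added to what appear to be two separately maintained copies of the same package list (this hunk and the one at `@@ -124,6 +125,7`), and nothing visible here keeps the two in step. A unit test that loads both values and asserts they contain the same packages would catch an entry that lands in only one of them. The reason for the new entry is not recorded in the file or in the commit title. If the intent is to keep JSP engine classes out of reach of OGNL expressions, a short comment above each list such as `<!-- org.apache.jasper: JSP engine classes must not be reachable from OGNL -->` would help the next audit of the list. Both lists start and end outside the hunks.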
@@ -124,6 +125,7 @@
org.apache.catalina.core,
org.apache.commons.beanutils,
org.apache.commons.collections,
+ org.apache.jasper,
org.apache.struts2.ognl,
org.apache.tomcat,
org.apache.velocity,
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java
index 3bdfd67..7fb560c 100644
--- a/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/ognl/OgnlValueStackTest.java
@@ -437,12 +437,12 @@
}
/**
- * Allow access Enums without enabling access to static methods
+ * Enum methods should also be banned alongside static methods
*/
public void testEnum() throws Exception {
- assertEquals("ONE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[0]", String.class));
- assertEquals("TWO", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[1]", String.class));
- assertEquals("THREE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[2]", String.class));
+ assertNull("ONE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[0]", String.class));
+ assertNull("TWO", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[1]", String.class));
+ assertNull("THREE", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[2]", String.class));
}
public void testStaticMethodDisallow() {
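Review bot: The first argument of `assertNull(String, Object)` is the failure message, so the `"ONE"`, `"TWO"` and `"THREE"` left over from the old `assertEquals` calls will print as meaningless messages if this test ever fails. State the expectation instead, e.g. `assertNull("Enum#values() must not be callable from OGNL", vs.findValue("@com.opensymphony.xwork2.ognl.MyNumbers@values()[0]", String.class));`. The `[1]` and `[2]` variants presumably exercise the same rejection of the static call and could be reduced to a single assertion.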
diff --git a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
index 03bad82..381b7d0 100644
--- a/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
+++ b/core/src/test/java/com/opensymphony/xwork2/ognl/SecurityMemberAccessTest.java
@@ -413,7 +413,7 @@
boolean actual = sma.isAccessible(context, MyValues.class, values, null);
// then
- assertTrue("Access to enums is blocked!", actual);
+ assertFalse("Access to enums is allowed!", actual);
}
@Test
diff --git a/plugins/tiles/pom.xml b/plugins/tiles/pom.xml
index 53d79b8..845062b 100644
--- a/plugins/tiles/pom.xml
+++ b/plugins/tiles/pom.xml
@@ -40,7 +40,7 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
- <version>3.1.0</version>
+ <version>3.2.0</version>
<executions>
<execution>
<phase>compile</phase>
diff --git a/pom.xml b/pom.xml
index c86b129..69eea6f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -109,7 +109,7 @@
<maven.compiler.target>1.8</maven.compiler.target>
<!-- dependency versions in alphanumeric order -->
- <asm.version>9.6</asm.version>
+ <asm.version>9.7</asm.version>
<jackson.version>2.16.1</jackson.version>
<log4j2.version>2.23.1</log4j2.version>
<ognl.version>3.3.5</ognl.version>
@@ -487,7 +487,7 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
- <version>2.16.1</version>
+ <version>2.16.2</version>
<reportSets>
<reportSet>
<reports>
@@ -864,7 +864,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
- <version>1.11.0</version>
+ <version>1.12.0</version>
</dependency>
<dependency>
<groupId>commons-el</groupId>
@@ -978,7 +978,7 @@
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
- <version>3.25.2</version>
+ <version>3.25.3</version>
<scope>test</scope>
</dependency>